analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

VC2008.EXE

Full analysis: https://app.any.run/tasks/4c1da05c-a5de-421c-89d3-9bb6d951523e
Verdict: Malicious activity
Analysis date: August 13, 2019, 16:06:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B936F0F378B9A35489353E878154E899

SHA1:

56719288AB6514C07AC2088119D8A87056EEB94A

SHA256:

C6A7E484F4D84883BC1205BCCEA3114C0521025712922298EDE9B2A1CD632357

SSDEEP:

49152:wQixbpVndRcpfqwYO3u2XoKNLlMDEe/pmVS/F0jD:wtdnfnwp3oOLuB/3/uD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • install.exe (PID: 4092)
    • Application was dropped or rewritten from another process

      • install.exe (PID: 4092)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • VC2008.EXE (PID: 2852)
      • msiexec.exe (PID: 3888)
    • Removes files from Windows directory

      • msiexec.exe (PID: 3888)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 3888)
  • INFO

    • Creates a software uninstall entry

      • msiexec.exe (PID: 3888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | MS generic-sfx Cabinet File Unpacker (32/64bit MSCFU) (82.5)
.exe | Win32 Executable MS Visual C++ (generic) (7.3)
.exe | Win64 Executable (generic) (6.5)
.dll | Win32 Dynamic Link Library (generic) (1.5)
.exe | Win32 Executable (generic) (1)

EXIF

EXE

ProductVersion: 9.0.21022.08
ProductName: Microsoft Visual C++ 2008 Redistributable
OriginalFileName: vcredist_x86.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: vcredist_x86.exe
FileVersion: 9.0.21022.08
FileDescription: Microsoft Visual C++ 2008 Redistributable Setup
CompanyName: Microsoft Corporation
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 9.0.21022.8
FileVersionNumber: 9.0.21022.8
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 5.2
OSVersion: 5.2
EntryPoint: 0x5972
UninitializedDataSize: -
InitializedDataSize: 6144
CodeSize: 31232
LinkerVersion: 7.1
PEType: PE32
TimeStamp: 2005:06:01 18:46:51+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 01-Jun-2005 16:46:51
Detected languages:
  • English - United States
Debug artifacts:
  • db
CompanyName: -
FileDescription: sfxcab
FileVersion: 6, 1, 22, 5
InternalName: sfxcab
LegalCopyright: Copyright (C) 2006
OriginalFilename: sfxcab.exe
ProductName: sfxcab
ProductVersion: 6, 1, 22, 5

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 01-Jun-2005 16:46:51
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_NET_RUN_FROM_SWAP
  • IMAGE_FILE_RELOCS_STRIPPED
  • IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x000078A0
0x00007A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.58359
.data
0x0000A000
0x000110D4
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.509584
.rsrc
0x0001C000
0x00001474
0x001B2600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.99914

Resources

Title
Entropy
Size
Codepage
Language
Type
1
1.5
4
Latin 1 / Western European
English - United States
UNKNOWN
100
3.0946
282
Latin 1 / Western European
English - United States
RT_DIALOG
101
2.16096
20
Latin 1 / Western European
English - United States
RT_GROUP_ICON
107
2.9591
224
Latin 1 / Western European
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
msvcrt.dll
ntdll.dll
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start vc2008.exe no specs vc2008.exe install.exe no specs msiexec.exe

Process information

PID
CMD
Path
Indicators
Parent process
3020"C:\Users\admin\AppData\Local\Temp\VC2008.EXE" C:\Users\admin\AppData\Local\Temp\VC2008.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual C++ 2008 Redistributable Setup
Exit code:
3221226540
Version:
9.0.21022.08
2852"C:\Users\admin\AppData\Local\Temp\VC2008.EXE" C:\Users\admin\AppData\Local\Temp\VC2008.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2008 Redistributable Setup
Version:
9.0.21022.08
4092c:\068db81b0192cc457d10422414c14f\.\install.exec:\068db81b0192cc457d10422414c14f\install.exeVC2008.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
External Installer
Version:
9.0.21022.8 built by: RTM
3888C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Total events
448
Read events
238
Write events
0
Delete events
0

Modification events

No data
Executable files
44
Suspicious files
4
Text files
38
Unknown types
10

Dropped files

PID
Process
Filename
Type
2852VC2008.EXEC:\068db81b0192cc457d10422414c14f\eula.1033.txttext
MD5:99C22D4A31F4EAD4351B71D6F4E5F6A1
SHA256:93A3C629FECFD10C1CF614714EFD69B10E89CFCAF94C2609D688B27754E4AB41
2852VC2008.EXEC:\068db81b0192cc457d10422414c14f\eula.1036.txttext
MD5:9147A93F43D8E58218EBCB15FDA888C9
SHA256:A75019AC38E0D3570633FA282F3D95D20763657F4A2FE851FAE52A3185D1EDED
2852VC2008.EXEC:\068db81b0192cc457d10422414c14f\eula.1028.txttext
MD5:9147A93F43D8E58218EBCB15FDA888C9
SHA256:A75019AC38E0D3570633FA282F3D95D20763657F4A2FE851FAE52A3185D1EDED
2852VC2008.EXEC:\068db81b0192cc457d10422414c14f\eula.3082.txttext
MD5:9147A93F43D8E58218EBCB15FDA888C9
SHA256:A75019AC38E0D3570633FA282F3D95D20763657F4A2FE851FAE52A3185D1EDED
2852VC2008.EXEC:\068db81b0192cc457d10422414c14f\eula.1040.txttext
MD5:9147A93F43D8E58218EBCB15FDA888C9
SHA256:A75019AC38E0D3570633FA282F3D95D20763657F4A2FE851FAE52A3185D1EDED
2852VC2008.EXEC:\068db81b0192cc457d10422414c14f\eula.1041.txttext
MD5:9B15A3A055CC6E67EA191A1B7885649A
SHA256:CAC11BDE0F7967389F9795DC2F2A5AA22B2C51D1A6AB0B0064DF72DC3EB192AE
2852VC2008.EXEC:\068db81b0192cc457d10422414c14f\vc_red.cabcompressed
MD5:E10F2F6E6379E9185F71AEC1421F37B4
SHA256:9681BCFD73C610EB6A9538D872C1E7844548FCA341F22FB66CCADB4D78530B4D
2852VC2008.EXEC:\068db81b0192cc457d10422414c14f\vc_red.msiexecutable
MD5:E0951D3CB1038EB2D2B2B2F336E1AB32
SHA256:507AC60E145057764F13CF1AD5366A7E15DDC0DA5CC22216F69E3482697D5E88
2852VC2008.EXEC:\068db81b0192cc457d10422414c14f\install.res.1033.dllexecutable
MD5:9EDEB8B1C5C0A4CD3A3016B85108127D
SHA256:9BF7026A47DAAB7BB2948FD23E8CF42C06DD2E19EF8CDEA0AF7367453674A8F9
2852VC2008.EXEC:\068db81b0192cc457d10422414c14f\install.res.3082.dllexecutable
MD5:41BB37A347121F3E5E88D85100638B79
SHA256:320C305177AB4EC6E00883A2CF0886019B5D36557219E4A188CF9DF3768F157F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info