File name: Sensus_Update_MCA_Europe.exe

Full analysis: https://app.any.run/tasks/98080766-4e7b-4e8c-9017-4977a0e94099
Verdict: Suspicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 25, 2018, 10:13:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9B0BDD262805FCC22BE5FCFF7C1357BF
SHA1: B72503FC28241DF313128A7B1EB712836C3B27E8
SHA256: EE01906735E4DDF4E5AA28FB311F96F7AC1F5B7789A58F535FD7A020A65229F7
SSDEEP: 24576:NZGKhTxkbD1R44o9b2HOPMkdpmzCF6ibNvHUSIKOjuz7MIkTDgEmbc0KCHl+WyR8:NZTmX1ep9b2uTdf6JmLKCHl+WyR05S8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • VolvoDownloadManager.exe (PID: 2564)
      • VolvoCompressed.exe (PID: 1732)
    • Loads dropped or rewritten executable

      • VolvoCompressed.exe (PID: 1732)
      • VolvoDownloadManager.exe (PID: 2564)
    • Downloads executable files from the Internet

      • Sensus_Update_MCA_Europe.exe (PID: 1268)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Sensus_Update_MCA_Europe.exe (PID: 1268)
      • VolvoCompressed.exe (PID: 1732)
  • INFO

    • Dropped object may contain URL's

      • Sensus_Update_MCA_Europe.exe (PID: 1268)
      • VolvoCompressed.exe (PID: 1732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:02:18 09:59:53+01:00
PEType: PE32
LinkerVersion: 11
CodeSize: 1370112
InitializedDataSize: 1094144
UninitializedDataSize: -
EntryPoint: 0x87418
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.3.0.9
ProductVersionNumber: 1.3.0.9
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Volvo Car Corporation
FileDescription: Volvo Map Update
FileVersion: 1.3.0.9
LegalCopyright: Copyright (C) Reloaded Technologies 2014
ProductName: Volvo Map Update
ProductVersion: 1.3.0.9

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Feb-2015 08:59:53
Detected languages:
  • English - United States
TLS Callbacks: 1 callback(s) detected.
Debug artifacts:
  • C:\Reloaded_github\snd\bin\Release\VolvoUpdater.pdb
CompanyName: Volvo Car Corporation
FileDescription: Volvo Map Update
FileVersion: 1.3.0.9
LegalCopyright: Copyright (C) Reloaded Technologies 2014
ProductName: Volvo Map Update
ProductVersion: 1.3.0.9

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000120

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 18-Feb-2015 08:59:53
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0014E6C3 | 0x0014E800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.61886
.rdata | 0x00150000 | 0x0007C010 | 0x0007C200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.18838
.data | 0x001CD000 | 0x00028E78 | 0x00024000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.89216
.tls | 0x001F6000 | 0x00000002 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x001F7000 | 0x0002BEA8 | 0x0002C000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.40304
.reloc | 0x00223000 | 0x00039D0A | 0x00039E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.42117

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.96628 | 670 | UNKNOWN | English - United States | RT_MANIFEST
2 | 6.07399 | 1128 | UNKNOWN | English - United States | RT_ICON
3 | 5.92517 | 2440 | UNKNOWN | English - United States | RT_ICON
4 | 5.30562 | 4264 | UNKNOWN | English - United States | RT_ICON
5 | 4.7862 | 9640 | UNKNOWN | English - United States | RT_ICON
6 | 4.54126 | 16936 | UNKNOWN | English - United States | RT_ICON
7 | 2.97003 | 296 | UNKNOWN | English - United States | RT_STRING
101 | 3.27414 | 488 | UNKNOWN | English - United States | RT_DIALOG
111 | 2.93166 | 90 | UNKNOWN | English - United States | RT_GROUP_ICON
201 | 5.27384 | 3020 | UNKNOWN | English - United States | MO

Imports

ADVAPI32.dll
KERNEL32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WINMM.dll
WLDAP32.dll
WS2_32.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 2

Behavior graph

[Behavior graph: nodes sensus_update_mca_europe.exe, volvocompressed.exe and volvodownloadmanager.exe, with edges labelled "drop and start" and "start"; parent relationships are listed under Process information below]

Process information

PID: 1268
CMD: "C:\Users\admin\AppData\Local\Temp\Sensus_Update_MCA_Europe.exe"
Path: C:\Users\admin\AppData\Local\Temp\Sensus_Update_MCA_Europe.exe
Parent process: explorer.exe
User: admin
Company: Volvo Car Corporation
Integrity Level: MEDIUM
Description: Volvo Map Update
Exit code: 0
Version: 1.3.0.9
Modules (images):
  • c:\users\admin\appdata\local\temp\sensus_update_mca_europe.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll
PID: 1732
CMD: "C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\VolvoCompressed.exe" /id "52d4e92eef91100e689f9d22" /package "5360bf009bafa20cf40b1589" /name "Europe" /folder "Europe" /skin "54e3d426ef911002344f2b56\Volvo.html"
Path: C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\VolvoCompressed.exe
Parent process: Sensus_Update_MCA_Europe.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\volvo\sensus update\mca\volvocompressed.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll
PID: 2564
CMD: "C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\VolvoDownloadManager.exe" /id "52d4e92eef91100e689f9d22" /package "5360bf009bafa20cf40b1589" /name "Europe" /folder "Europe" /skin "54e3d426ef911002344f2b56\Volvo.html"
Path: C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\VolvoDownloadManager.exe
Parent process: VolvoCompressed.exe
User: admin
Company: Volvo Car Corporation
Integrity Level: MEDIUM
Description: Volvo Map Update
Exit code: 0
Version: 1.3.2.0
Modules (images):
  • c:\users\admin\appdata\local\temp\volvo\sensus update\mca\volvodownloadmanager.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\users\admin\appdata\local\temp\volvo\sensus update\mca\libcef.dll
  • c:\windows\system32\winhttp.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\webio.dll
  • c:\windows\system32\ws2_32.dll
  • c:\windows\system32\rpcrt4.dll
Total events: 1 448
Read events: 1 307
Write events: 140
Delete events: 1

Modification events

PID | Process | Key | Operation | Name | Value
1268 | Sensus_Update_MCA_Europe.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
1268 | Sensus_Update_MCA_Europe.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
1732 | VolvoCompressed.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
1732 | VolvoCompressed.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
2564 | VolvoDownloadManager.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU | write | MRUListEx | FFFFFFFF
2564 | VolvoDownloadManager.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | write | NodeSlots | 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
2564 | VolvoDownloadManager.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | write | MRUListEx | 00000000050000000100000002000000090000000800000003000000060000000700000004000000FFFFFFFF
2564 | VolvoDownloadManager.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\93\52C64B7E | write | LanguageList | en-US
2564 | VolvoDownloadManager.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | write | MRUListEx | 06000000000000000500000001000000020000000900000008000000030000000700000004000000FFFFFFFF
2564 | VolvoDownloadManager.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | write | Mode | 6
Executable files: 5
Suspicious files: 54
Text files: 75
Unknown types: 49

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1268 | Sensus_Update_MCA_Europe.exe | C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\transfers\233b7fd1a50644e69f19a276301e823e.json | text | |
1268 | Sensus_Update_MCA_Europe.exe | C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\54e3d426ef911002344f2b56\img\background.jpg | image | |
1268 | Sensus_Update_MCA_Europe.exe | C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\VolvoCompressed.exe | executable | |
1268 | Sensus_Update_MCA_Europe.exe | C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\54e3d426ef911002344f2b56\css\ui-lightness\jquery-ui-1.10.3.custom.css | text | |
1268 | Sensus_Update_MCA_Europe.exe | C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\54e3d426ef911002344f2b56\img\back_btn_on.png | image | |
1268 | Sensus_Update_MCA_Europe.exe | C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\54e3d426ef911002344f2b56\Volvo.html | html | |
1268 | Sensus_Update_MCA_Europe.exe | C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\transfers\e9fbd27e33794edba95bd7b8a97fbc43.json | text | |
1268 | Sensus_Update_MCA_Europe.exe | C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\54e3d426ef911002344f2b56\img\back_btn_off.png | image | |
1268 | Sensus_Update_MCA_Europe.exe | C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\54e3d426ef911002344f2b56\img\download_background_13.jpg | image | |
1268 | Sensus_Update_MCA_Europe.exe | C:\Users\admin\AppData\Local\Temp\Volvo\Sensus Update\MCA\54e3d426ef911002344f2b56\img\download_background_17.jpg | image | |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 85
TCP/UDP connections: 54
DNS requests: 11
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | Sensus_Update_MCA_Europe.exe | POST | 200 | 34.252.64.7:80 | http://events.analytics.reloadedtech.com/ | IE | | | malicious
1268 | Sensus_Update_MCA_Europe.exe | GET | 200 | 52.85.182.34:80 | http://cache.manifests.reloadedtech.com/nodes/52d4e92eef91100e689f9d22.xml | US | xml | 1.10 Kb | shared
1268 | Sensus_Update_MCA_Europe.exe | POST | 200 | 34.252.64.7:80 | http://events.analytics.reloadedtech.com/ | IE | | | malicious
1268 | Sensus_Update_MCA_Europe.exe | GET | 200 | 54.77.38.7:80 | http://events.analytics.reloadedtech.com/geo-location | IE | text | 116 b | malicious
1268 | Sensus_Update_MCA_Europe.exe | POST | 200 | 54.77.38.7:80 | http://events.analytics.reloadedtech.com/ | IE | | | malicious
1268 | Sensus_Update_MCA_Europe.exe | GET | 206 | 92.223.124.254:80 | http://node9.reloadedtech.com/packages/52d4e92eef91100e689f9d22/54e3d426ef911002344f2b56/54e3d426ef911002344f2b58/Volvo.html | DE | html | 5.26 Kb | suspicious
1268 | Sensus_Update_MCA_Europe.exe | POST | 200 | 54.77.38.7:80 | http://events.analytics.reloadedtech.com/ | IE | | | malicious
1268 | Sensus_Update_MCA_Europe.exe | GET | 206 | 94.31.29.248:80 | http://node6.reloadedtech.com/packages/51f95bbbef91100514870060/54e40f879bafa20b9035c675/556e0b2def91100d841a501e/VolvoCompressed.exe | GB | executable | 134 Kb | whitelisted
1268 | Sensus_Update_MCA_Europe.exe | POST | 200 | 52.51.138.91:80 | http://transfers.analytics.reloadedtech.com/ | IE | | | malicious
1268 | Sensus_Update_MCA_Europe.exe | GET | 206 | 52.85.182.98:80 | http://node1.reloadedtech.com/packages/52d4e92eef91100e689f9d22/54e3d426ef911002344f2b56/54e3d426ef911002344f2b58/img/background.jpg | US | image | 11.2 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2564 | VolvoDownloadManager.exe | 34.252.64.7:80 | events.analytics.reloadedtech.com | Amazon.com, Inc. | IE | unknown
1268 | Sensus_Update_MCA_Europe.exe | 52.85.182.34:80 | cache.manifests.reloadedtech.com | Amazon.com, Inc. | US | whitelisted
1268 | Sensus_Update_MCA_Europe.exe | 54.77.38.7:80 | events.analytics.reloadedtech.com | Amazon.com, Inc. | IE | unknown
1268 | Sensus_Update_MCA_Europe.exe | 34.252.64.7:80 | events.analytics.reloadedtech.com | Amazon.com, Inc. | IE | unknown
1268 | Sensus_Update_MCA_Europe.exe | 92.223.124.254:80 | node9.reloadedtech.com | G-Core Labs S.A. | DE | suspicious
1268 | Sensus_Update_MCA_Europe.exe | 52.51.138.91:80 | transfers.analytics.reloadedtech.com | Amazon.com, Inc. | IE | unknown
1268 | Sensus_Update_MCA_Europe.exe | 94.31.29.248:80 | node6.reloadedtech.com | netDNA | GB | suspicious
1268 | Sensus_Update_MCA_Europe.exe | 52.85.182.98:80 | node1.reloadedtech.com | Amazon.com, Inc. | US | whitelisted
1268 | Sensus_Update_MCA_Europe.exe | 52.85.182.179:80 | node4.reloadedtech.com | Amazon.com, Inc. | US | whitelisted
1268 | Sensus_Update_MCA_Europe.exe | 2.16.186.19:80 | node10.reloadedtech.com | Akamai International B.V. | | whitelisted

DNS requests

Domain | IP | Reputation
cache.manifests.reloadedtech.com | 52.85.182.34, 52.85.182.16, 52.85.182.113, 52.85.182.102 | shared
events.analytics.reloadedtech.com | 54.77.38.7, 34.252.64.7 | malicious
node6.reloadedtech.com | 94.31.29.248 | whitelisted
node9.reloadedtech.com | 92.223.124.254 | suspicious
transfers.analytics.reloadedtech.com | 52.51.138.91, 54.154.120.113 | malicious
node1.reloadedtech.com | 52.85.182.98, 52.85.182.237, 52.85.182.116, 52.85.182.215 | whitelisted
node4.reloadedtech.com | 52.85.182.179, 52.85.182.226, 52.85.182.142, 52.85.182.149 | whitelisted
node10.reloadedtech.com | 2.16.186.19, 2.16.186.10 | whitelisted

Threats

PID | Process | Class | Message
1268 | Sensus_Update_MCA_Europe.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info