File name: vlc_setup.exe

Full analysis: https://app.any.run/tasks/c4e2aeb3-b131-4960-bc50-a30f293a7cd6
Verdict: Malicious activity
Analysis date: March 14, 2019, 17:59:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F218FF0B2D3D94E27EA59AFAD3AE0D28
SHA1: 8D38B43F73BF539AB794111862E9F96C0809E591
SHA256: FDA11F6F894B1DF718B79304E9B368B6C669DC62380C5833F6B3211CEECABF49
SSDEEP: 24576:jM7YKmIr51DH4awRTPMuW5Ql3KKM5po/Y/XXngoty0IETeiGQ6k6TJAK:j6zLUj3Kp0/KngoYfXnTz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • offer0.exe (PID: 2600)
      • vlc-2.0.7-win32.exe (PID: 3196)
    • Changes settings of System certificates
      • vlc_setup.exe (PID: 2324)
    • Downloads executable files from the Internet
      • vlc_setup.exe (PID: 2324)
  • SUSPICIOUS
    • Reads Windows owner or organization settings
      • offer0.tmp (PID: 2344)
    • Executable content was dropped or overwritten
      • offer0.exe (PID: 2600)
      • vlc_setup.exe (PID: 2324)
      • offer0.tmp (PID: 2344)
    • Adds / modifies Windows certificates
      • vlc_setup.exe (PID: 2324)
    • Reads the Windows organization settings
      • offer0.tmp (PID: 2344)
    • Uses TASKKILL.EXE to kill Browsers
      • offer0.tmp (PID: 2344)
    • Creates files in the Windows directory
      • offer0.tmp (PID: 2344)
    • Creates files in the user directory
      • offer0.tmp (PID: 2344)
  • INFO
    • Creates files in the program directory
      • offer0.tmp (PID: 2344)
    • Loads dropped or rewritten executable
      • offer0.tmp (PID: 2344)
    • Application was dropped or rewritten from another process
      • offer0.tmp (PID: 2344)
    • Creates a software uninstall entry
      • offer0.tmp (PID: 2344)
    • Application launched itself
      • chrome.exe (PID: 2804)
      • chrome.exe (PID: 3128)
      • chrome.exe (PID: 2808)
    • Adds / modifies Windows certificates
      • chrome.exe (PID: 3128)
    • Changes settings of System certificates
      • chrome.exe (PID: 3128)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (52.3)
.exe | Win32 Executable Delphi generic (17.8)
.scr | Windows screen saver (16.4)
.exe | Win32 Executable (generic) (5.6)
.exe | Win16/32 Executable Delphi generic (2.6)

EXIF

EXE

Comments: -
ProductVersion: 2.0.4
ProductName: VLC Media Player Installer
OriginalFileName: -
LegalTrademarks: -
LegalCopyright: © downloadster.org
InternalName: -
FileVersion: 2.0.4
FileDescription: Deploy VLC Media Player along with various offers
CompanyName: -
CharacterSet: ASCII
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.0.4.0
FileVersionNumber: 2.0.4.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1053f0
UninitializedDataSize: -
InitializedDataSize: 238592
CodeSize: 1064448
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 2013:07:20 11:12:49+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Jul-2013 09:12:49
Detected languages:
  • English - United States
CompanyName: -
FileDescription: Deploy VLC Media Player along with various offers
FileVersion: 2.0.4
InternalName: -
LegalCopyright: © downloadster.org
LegalTrademarks: -
OriginalFilename: -
ProductName: VLC Media Player Installer
ProductVersion: 2.0.4
Comments: -

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 9
Time date stamp: 20-Jul-2013 09:12:49
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00102724 | 0x00102800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.57055
.itext | 0x00104000 | 0x00001460 | 0x00001600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.03127
.data | 0x00106000 | 0x00009908 | 0x00009A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.88463
.bss | 0x00110000 | 0x00006A58 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.idata | 0x00117000 | 0x000037E0 | 0x00003800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.24227
.tls | 0x0011B000 | 0x00000038 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rdata | 0x0011C000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.210826
.reloc | 0x0011D000 | 0x00011450 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0
.rsrc | 0x0012F000 | 0x0002CE44 | 0x0002D000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.56223

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.27952 | 1163 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 3.39297 | 1384 | Latin 1 / Western European | English - United States | RT_ICON
3 | 3.30001 | 67624 | Latin 1 / Western European | English - United States | RT_ICON
4 | 3.29237 | 9640 | Latin 1 / Western European | English - United States | RT_ICON
5 | 3.1916 | 4264 | Latin 1 / Western European | English - United States | RT_ICON
6 | 4.48898 | 1128 | Latin 1 / Western European | English - United States | RT_ICON
7 | 2.91604 | 308 | Latin 1 / Western European | English - United States | RT_CURSOR
4070 | 3.26853 | 1032 | Latin 1 / Western European | UNKNOWN | RT_STRING
4071 | 3.25867 | 2808 | Latin 1 / Western European | UNKNOWN | RT_STRING
4072 | 3.32467 | 1528 | Latin 1 / Western European | UNKNOWN | RT_STRING

Imports

IMAGEHLP.DLL
SHFolder.dll
URLMON.DLL
advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
ole32.dll
oleaut32.dll
olepro32.dll
No data.
All screenshots are available in the full report
Total processes: 70
Monitored processes: 33
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(Rendered in the full report. Nodes in the graph: vlc_setup.exe (two instances, one marked "no specs"), offer0.exe, offer0.tmp, taskkill.exe (two instances, "no specs"), control.exe ("no specs"), chrome.exe (many instances, three with indicators, the rest "no specs"), vlc-2.0.7-win32.exe ("no specs"). Edge labels present: "drop and start", "start".)

Process information

PID: 3640
CMD: "C:\Users\admin\AppData\Local\Temp\vlc_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\vlc_setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540

PID: 2324
CMD: "C:\Users\admin\AppData\Local\Temp\vlc_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\vlc_setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH

PID: 2600
CMD: "C:\Users\admin\AppData\Local\Temp\\uDwn-DHF5\offer0.exe" /verysilent orestart
Path: C:\Users\admin\AppData\Local\Temp\uDwn-DHF5\offer0.exe
Parent process: vlc_setup.exe
User: admin
Company: Adlogica
Integrity Level: HIGH
Description: Savvy Setup
Exit code: 0
Version: 1.1.0.2

PID: 2344
CMD: "C:\Users\admin\AppData\Local\Temp\is-0CE83.tmp\offer0.tmp" /SL5="$10138,1012310,129536,C:\Users\admin\AppData\Local\Temp\uDwn-DHF5\offer0.exe" /verysilent orestart
Path: C:\Users\admin\AppData\Local\Temp\is-0CE83.tmp\offer0.tmp
Parent process: offer0.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0

PID: 4064
CMD: "C:\Windows\System32\taskkill.exe" /IM firefox.exe /F
Path: C:\Windows\System32\taskkill.exe
Parent process: offer0.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3568
CMD: "C:\Windows\System32\taskkill.exe" /IM chrome.exe /F
Path: C:\Windows\System32\taskkill.exe
Parent process: offer0.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3192
CMD: "C:\Windows\System32\control.exe" SYSTEM
Path: C:\Windows\System32\control.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Control Panel
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2804
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: offer0.tmp
User: admin
Company: Google Inc.
Integrity Level: HIGH
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 3580
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6e6800b0,0x6e6800c0,0x6e6800cc
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: HIGH
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 2788
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1004 --on-initialized-event-handle=296 --parent-handle=300 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: HIGH
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106
Total events: 1 624
Read events: 1 420
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 10
Suspicious files: 33
Text files: 270
Unknown types: 10

Dropped files

PID | Process | Filename | Type
2344 | offer0.tmp | C:\Program Files\Savvy\is-CI5JQ.tmp | -
MD5: -
SHA256: -
2344 | offer0.tmp | C:\Program Files\Savvy\is-7UE7O.tmp | -
MD5: -
SHA256: -
2344 | offer0.tmp | C:\Program Files\Savvy\is-P6U6K.tmp | -
MD5: -
SHA256: -
2344 | offer0.tmp | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\extensions\jid1-doNUgsAIiel7oA@jetpack\defaults\preferences\prefs.js | -
MD5: -
SHA256: -
2324 | vlc_setup.exe | C:\Users\admin\AppData\Local\Temp\uDwn-DHF5\data.zip | compressed
MD5: 1640E56A564ABF6D654F438424A3DFA1
SHA256: 31C00EACFF742A2B62E08309785EA354AB36B2860CBC8DA1C90D3BF7FFA30D1F
2344 | offer0.tmp | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\extensions\jid1-doNUgsAIiel7oA@jetpack\install.rdf | xml
MD5: 438823EF949AB465F8387F3453926BAC
SHA256: 54D48776168620416CFCC84D51960123E58D153E4270E959B61DDB1E7FCAB32A
2344 | offer0.tmp | C:\Program Files\Savvy\unins000.dat | dat
MD5: 94AC647C5EF85AD8FA10778C88B40651
SHA256: 79FEE32D6575B6C8266A8C86A8D6F94DDE0AB8CEA09BC7A5D7E69CC99EA2FD9E
2324 | vlc_setup.exe | C:\Users\admin\AppData\Local\Temp\uDwn-DHF5\config.udc | html
MD5: 176E3E9DFFC7F5876606E384177EDC19
SHA256: 72369D99C0CE6064970E8851AB274A852DE79DC44E7F0F5B996018F81F21D3CF
2344 | offer0.tmp | C:\Program Files\Savvy\savvy.crx | crx
MD5: 82234CDA7952B3E93CA1BECCA9AF5D1A
SHA256: 43DF29C13541CAC64A713916C85FD4A8C57B93DB7D18150D22E250DEA13C0D03
2344 | offer0.tmp | C:\Program Files\Savvy\install.rdf | xml
MD5: 438823EF949AB465F8387F3453926BAC
SHA256: 54D48776168620416CFCC84D51960123E58D153E4270E959B61DDB1E7FCAB32A
HTTP(S) requests: 19
TCP/UDP connections: 24
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2808 | chrome.exe | GET | 200 | 172.217.23.130:80 | http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js | US | html | 1.29 Kb | whitelisted
2808 | chrome.exe | GET | 200 | 204.11.56.48:80 | http://www.savvy1.com/ | VG | html | 1.08 Kb | malicious
2324 | vlc_setup.exe | POST | 405 | 69.172.201.153:80 | http://secureinstaller.com/api/install_start/index.php | US | html | 8.64 Kb | malicious
2808 | chrome.exe | GET | 200 | 91.195.240.126:80 | http://sedoparking.com/search/tsc.php?200=MjY1Mjc4Mjk5&21=MTU5LjE0OC4xODYuMTg1&681=MTU1MjU4NjQyNDRkNjdmMzk0ODJlYjExNjc4Y2Y3NDgyOWJmYmZmNjcy&crc=d404deeab7544787a74a7a0a4f52a5d52b1cd9bc&cv=1 | DE | compressed | 19.9 Kb | whitelisted
2808 | chrome.exe | GET | 200 | 91.195.240.126:80 | http://sedoparking.com/search/registrar.php?domain=www.savvy1.com&rpv=2&registrar=Skenzor6&gst=3B1gkD_4eqPpiTmzwvTMCUrzhuom1WkUP5kNrX8JaT-A-_js-9UzG8nDpcFsvKgjY3KpgFqwXjqK7_kVt5Y1sTux_kqRxGlC&ref= | DE | html | 19.9 Kb | whitelisted
2808 | chrome.exe | GET | 200 | 204.11.56.48:80 | http://www.savvy1.com/px.js?ch=1 | VG | text | 346 b | malicious
2324 | vlc_setup.exe | GET | 200 | 64.50.236.52:80 | http://ftp.osuosl.org/pub/videolan/vlc/2.0.7/win32/vlc-2.0.7-win32.exe | US | executable | 21.8 Mb | suspicious
2808 | chrome.exe | GET | 200 | 216.58.208.35:80 | http://www.gstatic.com/domainads/tracking/caf.gif?ts=1552586424483&rid=7551707 | US | image | 43 b | whitelisted
- | - | GET | - | 104.28.18.66:80 | http://mixmodallog.com.br/thanks.php?ts=&ts2=7400743AED04EA250B8072565053B006B4BBC741&p_id=2&type=VLC+Media+Player | US | - | - | suspicious
- | - | GET | 301 | 104.28.6.19:80 | http://downloadster.org/thanks.php?ts=&ts2=7400743AED04EA250B8072565053B006B4BBC741&p_id=2&type=VLC+Media+Player | US | html | 509 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3128 | chrome.exe | 172.217.23.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2808 | chrome.exe | 172.217.23.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2808 | chrome.exe | 204.11.56.48:80 | www.savvy1.com | Confluence Networks Inc | VG | malicious
2808 | chrome.exe | 172.217.18.106:443 | www.googleapis.com | Google Inc. | US | whitelisted
2344 | offer0.tmp | 204.11.56.48:80 | www.savvy1.com | Confluence Networks Inc | VG | malicious
2324 | vlc_setup.exe | 69.172.201.153:80 | secureinstaller.com | Dosarrest Internet Security LTD | US | malicious
2324 | vlc_setup.exe | 64.50.236.52:80 | ftp.osuosl.org | TDS TELECOM | US | suspicious
2324 | vlc_setup.exe | 52.216.164.253:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared
2808 | chrome.exe | 172.217.18.13:443 | accounts.google.com | Google Inc. | US | whitelisted
2808 | chrome.exe | 91.195.240.126:80 | sedoparking.com | SEDO GmbH | DE | malicious

DNS requests

Domain | IP | Reputation
secureinstaller.com | 69.172.201.153 | malicious
s3.amazonaws.com | 52.216.164.253 | shared
ftp.osuosl.org | 64.50.236.52, 140.211.166.134, 64.50.233.100 | suspicious
www.savvy1.com | 204.11.56.48 | malicious
clientservices.googleapis.com | 172.217.23.131 | whitelisted
www.googleapis.com | 172.217.18.106, 172.217.21.202, 216.58.205.234, 172.217.18.170, 172.217.23.138, 216.58.206.10, 216.58.207.42, 216.58.208.42, 172.217.16.138, 172.217.22.74, 172.217.22.106, 216.58.210.10 | whitelisted
accounts.google.com | 172.217.18.13 | shared
sedoparking.com | 91.195.240.126 | whitelisted
pagead2.googlesyndication.com | 172.217.23.130 | whitelisted
www.google.com | 216.58.210.4 | whitelisted

Threats

PID | Process | Class | Message
2324 | vlc_setup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info