Note: this report may be incomplete because the AI analysis reached the following limit(s): token.

## Summary

The submitted sample #AID=20# is a 32-bit Windows PE executable, SHA-256 `161ee3cc94b683d301f99f64e7ec1106767b6fc3ebb0b08bef7e22e9096998f5`, size 468,992 bytes. It is UPX-packed and exposes an unpacked virtual file, `#UPX.Unpacked` #AID=21#, SHA-256 `9aa75f19e736a06e7e1fa06f3ebff4caf14012add6f0d3624056e5278b083739`.

The file metadata identifies it as a VKSaver installer:

- Product: `VKSaver`
- Description: `VKSaver installation bundle`
- Original filename: `VKSaver-Install.exe`
- Company: `Audiovkontake.ru`
- Version: `3.3.130726.1469`

The root file #AID=20# is primarily a packed installer wrapper. The unpacked file #AID=21# contains the relevant behavior. It appears to install VKSaver components but also implements persistence, downloader execution, browser/partner software installation logic, process manipulation, and AppInit_DLLs modification. These behaviors are consistent with a malicious/PUP-adware installer rather than a clean application.

Pertinent sub-files:

- `#UPX.Unpacked` #AID=21#: unpacked main PE, primary analyzed payload.
- Resource images in #AID=20# and #AID=21#, such as `ICO/*`, `BMP/*`, and PNG/DIB resources: appear to be installer UI resources; no evidence they are executable payloads.

## Key detections/IOCs

### Hashes

- Root packed executable #AID=20#:
  - SHA-256: `161ee3cc94b683d301f99f64e7ec1106767b6fc3ebb0b08bef7e22e9096998f5`
- Unpacked executable #AID=21#:
  - SHA-256: `9aa75f19e736a06e7e1fa06f3ebff4caf14012add6f0d3624056e5278b083739`

### Network indicators

Observed in #AID=21#:

- `audiovkontakte.ru`
- `www.audiovkontakte.ru`
- `http://audiovkontakte.ru`
- `http://www.audiovkontakte.ru/`
- `http://vk.com`
- `http://legal.yandex.../software_agreement/`
- `http://legal.yandex.../browser_agreement/`

### File/path indicators

Observed in #AID=21#:

- `VKSaver.exe`
- `vksaver.exe`
- `vksaver3.dll`
- `\vksaver3.dll`
- `config.dat`
- `readme.txt`
- `\downloader.exe`
- `Uninstall.lnk`
- `Readme.lnk`
- `Launch VKSaver.lnk`
- `VKSaver.lnk`

### Registry and persistence indicators

Observed in #AID=21#:

- `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
- `Software\Microsoft\Windows\CurrentVersion\Run`
- `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows`
- `AppInit_DLLs`
- `LoadAppInit_DLLs`
- `SOFTWARE\VKSaver`
- `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VKSaver`
- `Software\Microsoft\Windows\CurrentVersion\Uninstall\VKSaver`
- Scheduled task names:
  - `VKSaver`
  - `VKSaverUpdate`
- Mutex/window class:
  - `VKSaverInstallerMtx`
  - `VKSaverInstallWnd`

### Static detections and suspicious capabilities

For #AID=21#, static detections included:

- `CreateScheduledTask`
- `AutorunKey`
- `ElevatePrivileges`
- `EnumerateProcesses`
- `FingerprintSoftware`
- `ProcessInjectionTargets`
- `RunShell`

Relevant constants/API capabilities in #AID=21#:

- Task Scheduler COM interfaces:
  - `ITaskService`
  - `IBootTrigger`
  - `IExecAction`
  - `ILogonTrigger`
- Privilege/process manipulation APIs:
  - `OpenProcessToken`
  - `LookupPrivilegeValueW`
  - `AdjustTokenPrivileges`
  - `OpenProcess`
  - `TerminateProcess`
  - `EnumProcesses`
  - `CreateToolhelp32Snapshot`
- Registry modification APIs:
  - `RegOpenKeyExW`
  - `RegSetValueExW`
  - `RegDeleteValueW`
  - `RegDeleteKeyW`
- Execution APIs:
  - `CreateProcessW`
  - `ShellExecuteW`
  - `ShellExecuteExW`

## Evidence

### UPX packing and unpacked payload

The submitted file #AID=20# is UPX-packed. It has UPX sections, RWX section permissions, high entropy, and packer-related anomalies. The virtual file `#UPX.Unpacked` #AID=21# is the unpacked PE and contains the main installer logic. Packing alone is not sufficient for a malicious verdict, but it increases suspicion when combined with the behavior in #AID=21#.

### Embedded downloader execution

The unpacked file #AID=21# contains logic that builds a temporary directory, appends `\downloader.exe`, decodes an embedded buffer using XOR with a rotating key, writes the decoded content to disk, and executes it with `CreateProcessW`.

Relevant string:

- `\downloader.exe`

This indicates the installer can drop and execute an embedded downloader component.

### Bundled/Yandex offer and browser modification logic

The unpacked file #AID=21# contains command-line and configuration strings for bundled partner installation:

- `--partner vksaver-elements --distr /quiet /msicl "`
- `YAHOMEPAGE=y`
- `YAHOMEPAGE=n`
- `YAQSEARCH=y`
- `YAQSEARCH=n`
- `YABROWSER=y`
- `YABROWSER=n`
- `YBSENDSTAT=y`
- `YBSENDSTAT=n`
- `Yandex browser`

It also contains legal URLs referencing Yandex software/browser agreements. This is consistent with adware/PUP installer behavior involving bundled browser or search/homepage changes.

### AppInit_DLLs persistence / injection-like mechanism

The unpacked file #AID=21# modifies:

- `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows`
- `AppInit_DLLs`
- `LoadAppInit_DLLs`

The code reads existing `AppInit_DLLs`, removes entries matching `vksaver`, appends a VKSaver DLL path, and enables `LoadAppInit_DLLs`.

Relevant DLL:

- `vksaver3.dll`

`AppInit_DLLs` is a high-risk persistence and injection mechanism because configured DLLs are loaded into many GUI processes. This is one of the strongest indicators against the file being clean.

### Scheduled task persistence as SYSTEM

The unpacked file #AID=21# uses Task Scheduler COM interfaces including `ITaskService`, `IBootTrigger`, and `IExecAction`. It creates/registers a task named:

- `VKSaverUpdate`

The task action runs the installed executable with:

- `-autoupdate`

The task is registered under:

- `NT AUTHORITY\SYSTEM`

This provides persistent automatic execution with elevated context.

### Privilege adjustment and process termination

The unpacked file #AID=21# attempts to enable:

- `SeDebugPrivilege`

It enumerates processes and uses `OpenProcess` / `TerminateProcess`. One function specifically looks for module names containing:

- `vksaver.exe`

and terminates them.

Other strings include common browser/process names:

- `iexplore.exe`
- `firefox.exe`
- `opera.exe`
- `chrome.exe`
- `safari.exe`
- `browser.exe`
- `maxthon.exe`
- `explorer.exe`

Some of this may be installer/uninstaller behavior, but the use of `SeDebugPrivilege` and process termination contributes to the malicious/PUP assessment.

### Network connectivity check

The unpacked file #AID=21# initializes Winsock and resolves:

- `audiovkontakte.ru`

If resolution fails, it displays a message and retries/cancels. This indicates dependence on the vendor/partner domain during installation or update logic.

### Kesakode verdict

Kesakode for #AID=20# had no verdict. Kesakode for #AID=21# listed Conficker and Tidepool with `0/100` confidence, which is not meaningful evidence of those families. The verdict here is based on the observed static behavior rather than Kesakode family attribution.

### Counterarguments

- The file #AID=20# and unpacked payload #AID=21# have coherent VKSaver installer metadata and UI resources.
- Some behavior is compatible with an installer/updater: creating shortcuts, uninstall keys, update tasks, closing existing application processes, and checking connectivity.
- Yandex-related strings and legal agreement links may indicate that bundled offers were displayed to the user.
- UPX packing is not inherently malicious.
- Kesakode did not identify a malware family with meaningful confidence.

These points reduce confidence that the file is a classic stealth malware payload. However, they do not outweigh the high-risk combination of AppInit_DLLs modification, SYSTEM scheduled task persistence, embedded downloader execution, privilege adjustment, process termination, and bundled browser/search modification logic.

## Verdict

**Final verdict: Malicious / PUP-adware installer**

**Confidence: 85/100**

The submitted sample #AID=20# is not assessed as clean. The unpacked executable #AID=21# behaves as a VKSaver installer but includes multiple high-risk behaviors: it drops/executes a downloader, modifies `AppInit_DLLs` to load `vksaver3.dll`, creates a SYSTEM scheduled task for `VKSaverUpdate`, adjusts `SeDebugPrivilege`, enumerates/terminates processes, and contains bundled Yandex/browser configuration logic. These behaviors are consistent with a potentially unwanted or malicious adware installer.