| Field | Value |
|---|---|
| File name: | Movere.Arc4.exe.zip |
| Full analysis: | https://app.any.run/tasks/ccc8631e-6c28-4b8b-9a28-5afcfaf12354 |
| Verdict: | Malicious activity |
| Analysis date: | July 14, 2023, 16:05:43 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | ECB9BBCF3D4A54023F920FC6FD853B87 |
| SHA1: | 6395D90D125F9BFB04B3FE6E4823CFC3B99D3207 |
| SHA256: | 155966EFA901AC1C13CBA16386BB917545893CC0D121F3450736831BB40291FD |
| SSDEEP: | 24576:jZPQEmPlgbpK7LTrWpl6vzC52SgvS4g9dL/8s8Z/UIX2SqBFWs7bZTL28CZdNdJc:tWPqYXPRO2Sn4gXbIXps1rCZvvkV |
| .zip | ZIP compressed archive (100) |
|---|---|
| ZipFileName: | Movere.Arc4.exe |
| ZipUncompressedSize: | 2260304 |
| ZipCompressedSize: | 2185439 |
| ZipCRC: | 0xcb6dac75 |
| ZipModifyDate: | 2023:07:14 16:02:36 |
| ZipCompression: | Deflated |
| ZipBitFlag: | - |
| ZipRequiredVersion: | 20 |
All processes below ran as User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM.

| PID | CMD | Path | Indicators | Parent process | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|
| 1064 | "C:\Windows\system32\cmd.exe" /C ping 127.0.0.1 -n 10 && sc stop MovereArc4 | C:\Windows\System32\cmd.exe | — | Movere.Arc4.exe | Windows Command Processor | 1060 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1404 | sc delete MovereArc4 | C:\Windows\System32\sc.exe | — | cmd.exe | A tool to aid in developing services for WindowsNT | 1060 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1568 | choice /C Y /N /D Y /T 10 | C:\Windows\System32\choice.exe | — | cmd.exe | Offers the user a choice | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1592 | "C:\Windows\system32\cmd.exe" /C choice /C Y /N /D Y /T 10 & sc stop MovereArc4 | C:\Windows\System32\cmd.exe | — | Movere.Arc4.exe | Windows Command Processor | 1060 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1636 | PING -n 7 127.0.0.1 | C:\Windows\System32\PING.EXE | — | cmd.exe | TCP/IP Ping Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1912 | taskkill /F /IM Movere.Arc4.exe | C:\Windows\System32\taskkill.exe | — | cmd.exe | Terminates Processes | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2052 | sc stop MovereArc4 | C:\Windows\System32\sc.exe | — | cmd.exe | A tool to aid in developing services for WindowsNT | 1060 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2088 | ping 127.0.0.1 -n 10 | C:\Windows\System32\PING.EXE | — | cmd.exe | TCP/IP Ping Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2144 | ping 127.0.0.1 -n 10 | C:\Windows\System32\PING.EXE | — | cmd.exe | TCP/IP Ping Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2260 | PING -n 10 127.0.0.1 | C:\Windows\System32\PING.EXE | — | cmd.exe | TCP/IP Ping Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 3468 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E | write | LanguageList | en-US |
| 3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
| 3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\phacker.zip |
| 3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| 3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| 3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| 3468 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| 4092 | Movere.Arc4.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| 4092 | Movere.Arc4.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3468 | WinRAR.exe | C:\Users\admin\Desktop\Movere.Arc4.exe | executable | 6FBFF204C8F3E61563FE015AEAD620DB | 01088C20E09E0FF0217DBA2F704F696387510D5C85194DA817C9B4DE2F6F924D |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4092 | Movere.Arc4.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
| 4092 | Movere.Arc4.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 2640 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| crl.microsoft.com | | whitelisted |
| crl2.ame.gbl | | unknown |
| ctldl.windowsupdate.com | | whitelisted |
| Process | Message |
|---|---|
| Movere.Arc4.exe | Topshelf.HostFactory Information: 0 : |
| Movere.Arc4.exe | Configuration Result: [Success] Name MovereArc4; [Success] DisplayName Movere Arc4; [Success] Description Collects Movere Arc data; [Success] ServiceName MovereArc4 |
| Movere.Arc4.exe | Topshelf.HostConfigurators.HostConfiguratorImpl Information: 0 : |
| Movere.Arc4.exe | Topshelf v3.3.154.0, .NET Framework v4.0.30319.34209 |
| Movere.Arc4.exe | no configuration section `<common/logging>` found - suppressing logging output |
| Movere.Arc4.exe | Topshelf.Quartz.ScheduleJobServiceConfiguratorExtensions Information: 0 : |
| Movere.Arc4.exe | [Topshelf.Quartz] Scheduled Job: DEFAULT.56c40606-38ad-49ff-9bbe-fd4ca2da41b2 |
| Movere.Arc4.exe | Topshelf.Quartz.ScheduleJobServiceConfiguratorExtensions Information: 0 : |
| Movere.Arc4.exe | [Topshelf.Quartz] Job Schedule: Trigger 'DEFAULT.44959022-bfa6-49e7-8d97-886d9057bb9f': triggerClass: 'Quartz.Impl.Triggers.SimpleTriggerImpl calendar: '' misfireInstruction: 0 nextFireTime: 07/14/2023 16:06:50 +00:00 - Next Fire Time (local): 7/14/2023 5:06:50 PM +01:00 |
| Movere.Arc4.exe | Topshelf.Quartz.ScheduleJobServiceConfiguratorExtensions Information: 0 : |