| File name: | pendmoves.zip |
| Full analysis: | https://app.any.run/tasks/358d3c38-09e3-4f89-949b-5febf4fbb80b |
| Verdict: | Malicious activity |
| Analysis date: | December 29, 2023, 23:36:59 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 636B24E5ECDA8118D2F713998DDAA08E |
| SHA1: | 2258D5DAE4E108CFF253D6DC3E47911329C0E2F5 |
| SHA256: | 377C0A8EFBF39A78ADD4A9FE421AE140400B1A0A1E7F7F447793C690001410A3 |
| SSDEEP: | 49152:zsZdkTYeO17hs3m57ebCEHn7hkSmLpWrwpJ3igipdpwjyMikpt770Dl46Tu8YUot:GWTaNhs3mIOAVkSaEUDSgiZ6Vikn70DO |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads the Internet Settings
- sipnotify.exe (PID: 1808)
Reads settings of System Certificates
- sipnotify.exe (PID: 1808)
INFO
Manual execution by a user
- control.exe (PID: 2688)
- explorer.exe (PID: 1112)
- systempropertiesadvanced.exe (PID: 2536)
- systempropertiesadvanced.exe (PID: 2964)
- cmd.exe (PID: 3132)
- IMEKLMG.EXE (PID: 364)
- IMEKLMG.EXE (PID: 1092)
- wmpnscfg.exe (PID: 2276)
- wmpnscfg.exe (PID: 2320)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 128)
Checks supported languages
- pendmoves.exe (PID: 3168)
- movefile.exe (PID: 3204)
- movefile.exe (PID: 3188)
- movefile.exe (PID: 3276)
- IMEKLMG.EXE (PID: 364)
- IMEKLMG.EXE (PID: 1092)
- wmpnscfg.exe (PID: 2320)
- wmpnscfg.exe (PID: 2276)
Reads product name
- pendmoves.exe (PID: 3168)
- movefile.exe (PID: 3188)
Reads Environment values
- pendmoves.exe (PID: 3168)
- movefile.exe (PID: 3188)
The process executes via Task Scheduler
- ctfmon.exe (PID: 1660)
- sipnotify.exe (PID: 1808)
Reads the computer name
- IMEKLMG.EXE (PID: 364)
- IMEKLMG.EXE (PID: 1092)
- wmpnscfg.exe (PID: 2276)
- wmpnscfg.exe (PID: 2320)
Process checks are UAC notifies on
- IMEKLMG.EXE (PID: 364)
- IMEKLMG.EXE (PID: 1092)
Reads security settings of Internet Explorer
- sipnotify.exe (PID: 1808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2020:09:03 10:01:10 |
| ZipCRC: | 0xb906d352 |
| ZipCompressedSize: | 150929 |
| ZipUncompressedSize: | 340360 |
| ZipFileName: | pendmoves.exe |
Total processes
110
Monitored processes
17
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 128 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\pendmoves.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 364 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 1092 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 1112 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1660 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | — | taskeng.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CTF Loader Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1808 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\System32\sipnotify.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: sipnotify Exit code: 0 Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716) Modules
| |||||||||||||||
| 2276 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2320 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2396 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2536 | "C:\Windows\system32\systempropertiesadvanced.exe" | C:\Windows\System32\systempropertiesadvanced.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Advanced System Settings Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
5 432
Read events
5 371
Write events
41
Delete events
20
Modification events
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
Executable files
6
Suspicious files
1
Text files
6
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1808 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\metadata.json | binary | |
MD5:E8A970BA6CE386EED9A5E724F26212A6 | SHA256:7E06107D585D8FC7870998F3856DCC3E35800AA97E4406AAB83BC8444B6CBDE3 | |||
| 1808 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\en-us.html | html | |
MD5:9752942B57692148B9F614CF4C119A36 | SHA256:E31B834DD53FA6815F396FC09C726636ABF98F3367F0CF1590EF5EB3801C75D1 | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.2291\pendmoves.exe | executable | |
MD5:2643293808FC9586788E0D934A8A07B6 | SHA256:E6FB98119483D466C62EB3D51E557FB561595764D3BA474D13591D5C7AA940F6 | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.2291\Eula.txt | text | |
MD5:8C24C4084CDC3B7E7F7A88444A012BFC | SHA256:8329BCBADC7F81539A4969CA13F0BE5B8EB7652B912324A1926FC9BFB6EC005A | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.2291\pendmoves64a.exe | executable | |
MD5:FC64C428058A7CDE09829AADCEE476FA | SHA256:4AF9EE369D72BC1F2C2C39CFD6460AC944EF7EE6D74A9E0A3445A8A03C1133E2 | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.2291\movefile64a.exe | executable | |
MD5:2E3DA4579EDB55E7BE48B4026F2F6EB4 | SHA256:937BA12BCBF3E04565DBB160C3BB91C3F2201689C0EF7D921ECA4BA49E04D846 | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.2291\movefile64.exe | executable | |
MD5:36249A4F073F7D3FCD6681D1CF9304D6 | SHA256:BEBA5A12B0C1A941BAA1427656FC1DA9A2674DBD6C336B0870C960E65C43A87E | |||
| 1808 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\main.jpg | image | |
MD5:B342ACE63F77961249A084C61EABC884 | SHA256:E5067BBA2095B5DA7C3171EC116E9A92337E24E471339B0860A160076EFE49B9 | |||
| 1808 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\script.js | text | |
MD5:A2682382967C351F7ED21762F9E5DE9E | SHA256:36B1D26F1EC69685648C0528C2FCE95A3C2DBECF828CDFA4A8B4239A15B644A2 | |||
| 1808 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\microsoft-logo.png | image | |
MD5:B7C73A0CFBA68CC70C35EF9C63703CE4 | SHA256:1D8B27A0266FF526CF95447F3701592A908848467D37C09A00A2516C1F29A013 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1808 | sipnotify.exe | HEAD | 200 | 23.197.138.118:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133483669122960000 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1136 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1808 | sipnotify.exe | 23.197.138.118:80 | query.prod.cms.rt.microsoft.com | Akamai International B.V. | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
query.prod.cms.rt.microsoft.com |
| whitelisted |