File name: c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.7z

Full analysis: https://app.any.run/tasks/533b711a-8afb-4400-8ee4-d36a5f0e032a
Verdict: Malicious activity
Analysis date: May 31, 2024, 16:25:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 718B4EF8118C7B500B5AC6232FB8525C
SHA1: 0EB9BD35F1DED8E2D10F914FB309E7F0EA16DD3F
SHA256: 37FDAB5142707E7DD27AC94AC39DB82EE10EEE59D2A2195814C4F820199D1000
SSDEEP: 49152:Jd4sC2UbI8CDGL3WG+0Q0dCxQQqGwfuA//i1XdaVstcU1zQFX/7dycjdEmiTQi8+:1UbPCDc3NOqCxSGwfR/ctcWzMLjke2iO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3964)
      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
    • Create files in the Startup directory

      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
    • Changes the autorun value in the registry

      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
  • SUSPICIOUS

    • The process executes via Task Scheduler

      • ctfmon.exe (PID: 1796)
      • sipnotify.exe (PID: 1912)
    • Executable content was dropped or overwritten

      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
    • Creates file in the systems drive root

      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
    • Starts itself from another location

      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
    • Reads the Internet Settings

      • sipnotify.exe (PID: 1912)
    • Reads settings of System Certificates

      • sipnotify.exe (PID: 1912)
  • INFO

    • Manual execution by a user

      • explorer.exe (PID: 4064)
      • Init.exe (PID: 2516)
      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
      • IMEKLMG.EXE (PID: 2072)
      • Init.exe (PID: 2088)
      • IMEKLMG.EXE (PID: 2064)
      • wmpnscfg.exe (PID: 2452)
      • wmpnscfg.exe (PID: 2684)
      • wmpnscfg.exe (PID: 2428)
      • explorer.exe (PID: 3412)
    • Reads the computer name

      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
      • Init.exe (PID: 2516)
      • Init.exe (PID: 1824)
      • IMEKLMG.EXE (PID: 2064)
      • IMEKLMG.EXE (PID: 2072)
      • Init.exe (PID: 2088)
      • wmpnscfg.exe (PID: 2452)
      • wmpnscfg.exe (PID: 2684)
      • wmpnscfg.exe (PID: 2428)
    • Reads mouse settings

      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
      • Init.exe (PID: 2516)
      • Init.exe (PID: 1824)
      • Init.exe (PID: 2088)
    • Creates files or folders in the user directory

      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
    • Reads the machine GUID from the registry

      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
      • Init.exe (PID: 1824)
      • Init.exe (PID: 2088)
    • Checks supported languages

      • Init.exe (PID: 2516)
      • Init.exe (PID: 1824)
      • c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe (PID: 1616)
      • IMEKLMG.EXE (PID: 2072)
      • Init.exe (PID: 2088)
      • IMEKLMG.EXE (PID: 2064)
      • wmpnscfg.exe (PID: 2452)
      • wmpnscfg.exe (PID: 2684)
      • wmpnscfg.exe (PID: 2428)
    • Create files in a temporary directory

      • Init.exe (PID: 1824)
      • Init.exe (PID: 2088)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3964)
    • Process checks whether UAC notifications are on

      • IMEKLMG.EXE (PID: 2072)
      • IMEKLMG.EXE (PID: 2064)
    • Reads security settings of Internet Explorer

      • sipnotify.exe (PID: 1912)
    • Reads the software policy settings

      • sipnotify.exe (PID: 1912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 109
Monitored processes: 14
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph, from the start node (processes marked "no specs" carry no specifications in the report):
winrar.exe
explorer.exe (no specs)
c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe
init.exe (no specs)
init.exe (no specs)
ctfmon.exe (no specs)
sipnotify.exe
imeklmg.exe (no specs)
imeklmg.exe (no specs)
init.exe (no specs)
wmpnscfg.exe (no specs)
wmpnscfg.exe (no specs)
explorer.exe (no specs)
wmpnscfg.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process (one record per monitored process)
PID: 1616
CMD: "C:\Users\admin\Desktop\c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe"
Path: C:\Users\admin\Desktop\c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 3, 3, 8, 1
Modules (Images):
c:\users\admin\desktop\c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 1796
CMD: C:\Windows\System32\ctfmon.exe
Path: C:\Windows\System32\ctfmon.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CTF Loader
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1824
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Init.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Init.exe
Parent process: c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1073807364
Version: 3, 3, 8, 1
Modules (Images):
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\init.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 1912
CMD: C:\Windows\system32\sipnotify.exe -LogonOrUnlock
Path: C:\Windows\System32\sipnotify.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: sipnotify
Exit code: 0
Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules (Images):
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2064
CMD: "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log
Path: C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Office IME 2010
Exit code: 1
Version: 14.0.4734.1000
Modules (Images):
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
PID: 2072
CMD: "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log
Path: C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Office IME 2010
Exit code: 1
Version: 14.0.4734.1000
Modules (Images):
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
PID: 2088
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Init.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Init.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Version: 3, 3, 8, 1
Modules (Images):
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\init.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 2428
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2452
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2516
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Init.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Init.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 3, 3, 8, 1
Modules (Images):
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\init.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events: 7 677
Read events: 7 618
Write events: 46
Delete events: 13

Modification events

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.7z

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Executable files: 3
Suspicious files: 3
Text files: 5
Unknown types: 0

Dropped files

PID: 1616
Process: c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe
Filename: C:\Users\admin\autorun.inf
Type: text
MD5: B857246B81E65E2CB81875F744B38D0B
SHA256: 3E3BD49B26D1320EAB7D04C13A888F9A989DA05AF998C7DC578298E10048DD8C

PID: 1912
Process: sipnotify.exe
Filename: C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\script.js
Type: text
MD5: A2682382967C351F7ED21762F9E5DE9E
SHA256: 36B1D26F1EC69685648C0528C2FCE95A3C2DBECF828CDFA4A8B4239A15B644A2

PID: 1912
Process: sipnotify.exe
Filename: C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\main.jpg
Type: image
MD5: B342ACE63F77961249A084C61EABC884
SHA256: E5067BBA2095B5DA7C3171EC116E9A92337E24E471339B0860A160076EFE49B9

PID: 1912
Process: sipnotify.exe
Filename: C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\metadata.json
Type: binary
MD5: E8A970BA6CE386EED9A5E724F26212A6
SHA256: 7E06107D585D8FC7870998F3856DCC3E35800AA97E4406AAB83BC8444B6CBDE3

PID: 3964
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3964.4217\c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225
Type: executable
MD5: 40646CE50EEBDEF63F84C1F6E161DF58
SHA256: C8CE9C314A1118EE4B6824A3D2DB02F0FA495D0285826A97B9BDAAB05E931225

PID: 1912
Process: sipnotify.exe
Filename: C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\microsoft-logo.png
Type: image
MD5: B7C73A0CFBA68CC70C35EF9C63703CE4
SHA256: 1D8B27A0266FF526CF95447F3701592A908848467D37C09A00A2516C1F29A013

PID: 2088
Process: Init.exe
Filename: C:\Users\admin\AppData\Local\Temp\aut50BF.tmp
Type: binary
MD5: 3BBEDEDD36692B1B0B5F7B410D19A860
SHA256: 8255865F94CCB533E4356753BE637799BB0095B142EC7751B8A760AF60A904D5

PID: 1616
Process: c8ce9c314a1118ee4b6824a3d2db02f0fa495d0285826a97b9bdaab05e931225.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Init.exe
Type: executable
MD5: 40646CE50EEBDEF63F84C1F6E161DF58
SHA256: C8CE9C314A1118EE4B6824A3D2DB02F0FA495D0285826A97B9BDAAB05E931225

PID: 1912
Process: sipnotify.exe
Filename: C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\en-us.html
Type: html
MD5: 9752942B57692148B9F614CF4C119A36
SHA256: E31B834DD53FA6815F396FC09C726636ABF98F3367F0CF1590EF5EB3801C75D1

PID: 1824
Process: Init.exe
Filename: C:\Users\admin\AppData\Local\Temp\autCB31.tmp
Type: binary
MD5: 3BBEDEDD36692B1B0B5F7B410D19A860
SHA256: 8255865F94CCB533E4356753BE637799BB0095B142EC7751B8A760AF60A904D5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 13
DNS requests: 1
Threats: 0

HTTP requests

PID: 1912
Process: sipnotify.exe
Method: HEAD
HTTP Code: 200
IP: 88.221.61.151:80
URL: http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133616500227030000
CN, Type, Size, Reputation (as extracted): unknown, unknown

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID / Process: (not shown)
IP: 224.0.0.252:5355
Reputation: unknown

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 1088
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 1092
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 1444
Process: svchost.exe
IP: 239.255.255.250:3702
Reputation: unknown

PID: 1912
Process: sipnotify.exe
IP: 88.221.61.151:80
Domain: query.prod.cms.rt.microsoft.com
ASN: AKAMAI-AS
CN: DE
Reputation: unknown

DNS requests

Domain: query.prod.cms.rt.microsoft.com
IP: 88.221.61.151
Reputation: whitelisted

Threats

No threats detected
No debug info