| File name: | putty-64bit-0.81-installer.msi |
| Full analysis: | https://app.any.run/tasks/40941353-ee9a-4d1e-afb5-27a941a4666c |
| Verdict: | Malicious activity |
| Analysis date: | April 18, 2024, 06:19:29 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: PuTTY release 0.81 installer, Author: Simon Tatham, Keywords: Installer, Comments: This installer database contains the logic and data required to install PuTTY release 0.81 (64-bit)., Template: x64;1033, Revision Number: {CD423CA9-77AE-420D-911E-E30753A041AA}, Create Time/Date: Sat Apr 6 10:49:02 2024, Last Saved Time/Date: Sat Apr 6 10:49:02 2024, Number of Pages: 200, Number of Words: 2, Number of Characters: 0, Name of Creating Application: Windows Installer XML Toolset (), Security: 2 |
| MD5: | E09759AA290CF38F481F3F25384EA7AA |
| SHA1: | 92BAD6635166A6579B38D3065FB10D589A9BD98D |
| SHA256: | 6C297C89D32D7FB5C6D10B1DA2612C9557A5126715C4A78690D5D8067488F5F2 |
| SSDEEP: | 98304:rZ3iKwHRKnGsb6HFhDSVcO8aLIzXMbMspk19RziDlW1j5u/TRD4IP5KwGTkS0kv9:c4VgaA |
MALICIOUS
Drops the executable file immediately after the start
- msiexec.exe (PID: 1196)
SUSPICIOUS
The process executes via Task Scheduler
- ctfmon.exe (PID: 1696)
- sipnotify.exe (PID: 1820)
Reads the Internet Settings
- sipnotify.exe (PID: 1820)
INFO
Reads security settings of Internet Explorer
- msiexec.exe (PID: 1196)
Reads the software policy settings
- msiexec.exe (PID: 1196)
Manual execution by a user
- IMEKLMG.EXE (PID: 2088)
- IMEKLMG.EXE (PID: 2076)
- wmpnscfg.exe (PID: 2328)
- wmpnscfg.exe (PID: 2348)
Reads the computer name
- IMEKLMG.EXE (PID: 2076)
- IMEKLMG.EXE (PID: 2088)
- wmpnscfg.exe (PID: 2328)
- wmpnscfg.exe (PID: 2348)
Checks supported languages
- IMEKLMG.EXE (PID: 2076)
- IMEKLMG.EXE (PID: 2088)
- wmpnscfg.exe (PID: 2328)
- wmpnscfg.exe (PID: 2348)
Process checks whether UAC notifications are on
- IMEKLMG.EXE (PID: 2088)
- IMEKLMG.EXE (PID: 2076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | PuTTY release 0.81 installer |
| Author: | Simon Tatham |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install PuTTY release 0.81 (64-bit). |
| Template: | x64;1033 |
| RevisionNumber: | {CD423CA9-77AE-420D-911E-E30753A041AA} |
| CreateDate: | 2024:04:06 10:49:02 |
| ModifyDate: | 2024:04:06 10:49:02 |
| Pages: | 200 |
| Words: | 2 |
| Characters: | - |
| Software: | Windows Installer XML Toolset () |
| Security: | Read-only recommended |
Total processes
86
Monitored processes
7
Malicious processes
0
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1196 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\putty-64bit-0.81-installer.msi | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1633 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1696 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | — | taskeng.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CTF Loader Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1820 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\System32\sipnotify.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: sipnotify Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716) Modules
| |||||||||||||||
| 2076 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 2088 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 2328 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2348 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 315
Read events
4 298
Write events
16
Delete events
1
Modification events
| (PID) Process: | (1196) msiexec.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1696) ctfmon.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | internat.exe |
Value: | |||
| (PID) Process: | (2076) IMEKLMG.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\IMEJP\14.0 |
| Operation: | write | Name: | SetPreload |
Value: 1 | |||
| (PID) Process: | (2088) IMEKLMG.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\IMEKR\14.0 |
| Operation: | write | Name: | SetPreload |
Value: 1 | |||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
8
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1820 | sipnotify.exe | HEAD | — | 104.69.158.29:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133578984888590000 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1120 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1820 | sipnotify.exe | 104.69.158.29:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | SG | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
query.prod.cms.rt.microsoft.com |
| whitelisted |