| Field | Value |
|---|---|
| File name: | windowscoredeviceinfo.zip |
| Full analysis: | https://app.any.run/tasks/eb52099b-3aa3-4bf6-a302-ae0c68b095c4 |
| Verdict: | Malicious activity |
| Threats: | Stealer (category): stealers are malicious programs intended to gain unauthorized access to users' information and transfer it to the attacker. Individual families focus on a particular kind of data, such as files, passwords or cryptocurrency, and many also spy on the victim by recording keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns. |
| Analysis date: | July 22, 2020, 13:40:02 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 2467EEB0872A60183DA2B9F90E67EDD4 |
| SHA1: | B7F6861F2E561746FE8A42DF71E27EDCFC168282 |
| SHA256: | 8E7B262AD49B53B0E891B44C0A39727FD75DD9A3B69495EE0DE50B0A9A3ECE87 |
| SSDEEP: | 384:tompAKEFvR+nw7tvJF5gZ4RAelHojayvNBEtip+:dpAKaR+nw7tvJbJyjayl+tip+ |
| Field | Value |
|---|---|
| .zip | ZIP compressed archive (100) |
| ZipRequiredVersion: | 20 (version 2.0 needed to extract) |
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2020:07:21 19:33:03 |
| ZipCRC: | 0xb990f17a |
| ZipCompressedSize: | 13485 bytes |
| ZipUncompressedSize: | 36352 bytes |
| ZipFileName: | windowscoredeviceinfo.exe |
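The fields in the table above are read straight from the ZIP local file header, so they can be rechecked without trusting the sandbox's parser, and the stored CRC-32 can be verified against the inflated payload. The script below is an added example written for this page, not ANY.RUN's code and not the sample: it builds a constructed archive in memory (a dummy MZ stub under the same entry name plus a stored text entry, neither of which is the real windowscoredeviceinfo.exe), then walks the raw local headers with `struct`, decodes the DOS timestamp and checks each entry's CRC.

```python
import io
import struct
import zipfile
import zlib
from datetime import datetime

LOCAL_HEADER_SIG = 0x04034B50  # "PK\x03\x04"
COMPRESSION_NAMES = {0: "Stored", 8: "Deflated"}


def dos_datetime(dos_date, dos_time):
    """Decode the MS-DOS packed date/time stored in ZIP headers (2-second resolution)."""
    return datetime(
        1980 + (dos_date >> 9), (dos_date >> 5) & 0x0F, dos_date & 0x1F,
        dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2,
    )


def parse_local_headers(data):
    """Walk the local file headers of a ZIP and return the same static fields the
    sandbox report lists, plus a CRC check of the stored payload. It ignores the
    central directory, so it also works on truncated archives whose local entries
    are intact."""
    entries = []
    off = 0
    while off + 30 <= len(data):
        (sig, ver_needed, flags, method, mtime, mdate, crc,
         csize, usize, name_len, extra_len) = struct.unpack_from("<IHHHHHIIIHH", data, off)
        if sig != LOCAL_HEADER_SIG:
            break  # reached the central directory (or junk)
        name = data[off + 30: off + 30 + name_len].decode("cp437", "replace")
        payload_start = off + 30 + name_len + extra_len
        payload = data[payload_start: payload_start + csize]
        if method == 8:
            raw = zlib.decompress(payload, -15)  # raw DEFLATE stream, no zlib header
        elif method == 0:
            raw = payload
        else:
            raw = None  # unsupported method: report the header, skip the CRC check
        entries.append({
            "ZipRequiredVersion": ver_needed,
            "ZipRequiredVersionText": f"{ver_needed // 10}.{ver_needed % 10}",
            "ZipBitFlag": flags,
            "encrypted": bool(flags & 0x1),
            "data_descriptor": bool(flags & 0x8),
            "ZipCompression": COMPRESSION_NAMES.get(method, str(method)),
            "ZipModifyDate": dos_datetime(mdate, mtime),
            "ZipCRC": f"0x{crc:08x}",
            "ZipCompressedSize": csize,
            "ZipUncompressedSize": usize,
            "ZipFileName": name,
            "crc_ok": raw is not None and len(raw) == usize
                      and (zlib.crc32(raw) & 0xFFFFFFFF) == crc,
        })
        if flags & 0x8:
            # Streamed entry: sizes and CRC live in a trailing data descriptor, so the
            # header cannot tell us where the next entry starts. Stop here.
            break
        off = payload_start + csize
    return entries


def build_sample_archive():
    """Constructed stand-in for the reported archive (example data, not the malware):
    one DEFLATE entry named like the dropped file with a dummy MZ stub as content,
    and one stored text entry. Returns (zip_bytes, exe_payload)."""
    payload = b"MZ" + b"\x00" * 62 + b"dummy PE stub for the example\n" * 100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo("windowscoredeviceinfo.exe", date_time=(2020, 7, 21, 19, 33, 3))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, payload)
        zf.writestr(zipfile.ZipInfo("readme.txt", date_time=(2020, 7, 21, 19, 33, 3)),
                    b"constructed note\n")  # ZipInfo defaults to Stored
    return buf.getvalue(), payload


if __name__ == "__main__":
    zip_bytes, _ = build_sample_archive()
    for entry in parse_local_headers(zip_bytes):
        for key, value in entry.items():
            print(f"{key}: {value}")
        print()
```

The DOS timestamp only has two-second resolution, so a modify time of 19:33:03 in the source round-trips as 19:33:02 through the local header; tools that show odd seconds are reading an extended-timestamp extra field instead. A `crc_ok` of False on a real archive means either corruption or a payload that was swapped after the header was written, and a set `encrypted` bit explains why a sandbox could not inspect the contents.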
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Description, company, version |
|---|---|---|---|---|---|---|---|---|
| 284 | "C:\Windows\system32\CompMgmtLauncher.exe" | C:\Windows\system32\CompMgmtLauncher.exe | — | Explorer.EXE | admin | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | Computer Management Snapin Launcher, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) |
| 308 | "C:\Users\admin\Desktop\windowscoredeviceinfo.exe" | C:\Users\admin\Desktop\windowscoredeviceinfo.exe | — | explorer.exe | admin | MEDIUM | 1073807364 (0x40010004, DBG_TERMINATE_PROCESS) | no description, company or version resource |
| 960 | C:\Windows\system32\svchost.exe -k netsvcs | C:\Windows\System32\svchost.exe | — | services.exe | SYSTEM | SYSTEM | 0 | Host Process for Windows Services, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1044 | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | C:\Windows\System32\svchost.exe | — | services.exe | LOCAL SERVICE | SYSTEM | 0 | Host Process for Windows Services, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1168 | "C:\Windows\System32\control.exe" SYSTEM | C:\Windows\System32\control.exe | — | Explorer.EXE | admin | MEDIUM | 1 | Windows Control Panel, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1400 | consent.exe 960 318 02D71438 | C:\Windows\system32\consent.exe | — | svchost.exe | SYSTEM | SYSTEM | 0 | Consent UI for administrative applications, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1508 | "C:\Windows\System32\control.exe" SYSTEM | C:\Windows\System32\control.exe | — | explorer.exe | admin | MEDIUM | 1 | Windows Control Panel, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1956 | C:\Windows\system32\SearchIndexer.exe /Embedding | C:\Windows\system32\SearchIndexer.exe | — | services.exe | SYSTEM | SYSTEM | 0 | Microsoft Windows Search Indexer, Microsoft Corporation, 7.00.7600.16385 (win7_rtm.090713-1255) |
| 1972 | C:\Windows\system32\wbem\wmiprvse.exe -Embedding | C:\Windows\system32\wbem\wmiprvse.exe | — | svchost.exe | SYSTEM | SYSTEM | 0 | WMI Provider Host, Microsoft Corporation, 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2052 | C:\Windows\system32\wbem\wmiprvse.exe -Embedding | C:\Windows\system32\wbem\wmiprvse.exe | — | svchost.exe | SYSTEM | SYSTEM | 0 | WMI Provider Host, Microsoft Corporation, 6.1.7601.17514 (win7sp1_rtm.101119-1850) |

Exit codes are shown as the decimal value the report gives, with the NTSTATUS it encodes in parentheses. PID 284 (CompMgmtLauncher.exe) ended with STATUS_ELEVATION_REQUIRED, which is the exit code of a process that asked for elevation; the consent.exe instance (PID 1400) launched from svchost.exe is the UAC prompt for that request. PID 308, the unpacked sample itself, was ended with DBG_TERMINATE_PROCESS, i.e. terminated from outside rather than exiting on its own.
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 2900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | write | (empty) |
| 2900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | write | (empty) |
| 2900 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\132\52C64B7E | LanguageList | write | en-US |
| 2900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | write | C:\Users\admin\Desktop\windowscoredeviceinfo.zip |
| 2900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | write | 120 |
| 2900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | write | 80 |
| 2900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | write | 120 |
| 2900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | write | 100 |
| 3000 | CompMgmtLauncher.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\132\52C64B7E | LanguageList | write | en-US |
| 3000 | CompMgmtLauncher.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\132\52C64B7E | @%systemroot%\system32\mycomput.dll,-112 | write | Manages disks and provides access to other tools to manage local and remote computers. |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2900.17681\windowscoredeviceinfo.exe | — | — | — |
| 308 | windowscoredeviceinfo.exe | C:\Users\admin\AppData\Local\Temp\Xyunm\1395468.dat | — | — | — |
| 308 | windowscoredeviceinfo.exe | C:\Users\admin\AppData\Local\Temp\Uyhzx\1397500.dat | — | — | — |
| 308 | windowscoredeviceinfo.exe | C:\Users\admin\AppData\Local\Temp\Uwmuw\1399531.dat | — | — | — |
| 2252 | vssvc.exe | C: | — | — | — |
| 960 | svchost.exe | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | — | — | — |
| 960 | svchost.exe | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | — | — | — |
| 960 | svchost.exe | C:\Users\admin\AppData\Local\Temp\Jijzcbpl\94078.dat | — | — | — |
| 2652 | windowscoredeviceinfo.exe | C:\Users\admin\AppData\Local\Temp\Nudobuyb\96703.dat | — | — | — |
| 960 | svchost.exe | C:\Users\admin\AppData\Local\Temp\Nudobuyb\96703.dat | — | — | — |
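Five of the entries above share one shape: a numeric `.dat` file inside a freshly named, letters-only subfolder of the user's Temp directory, written by the sample (PIDs 308 and 2652) and by svchost.exe (PID 960), and `Temp\Nudobuyb\96703.dat` is touched by both. The rule below is an added example written for this page, not ANY.RUN's detection logic: it runs over constructed events copied from the table (plus two benign rows so the rule has something to ignore), flags that path pattern, lists which processes share a flagged file, and separates out the hits made by a service host process. The event shape `(pid, process, path)` and the folder and file length bounds in the regex are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed file-activity events in the shape of the report's file table:
# (pid, process, path). The first ten rows reproduce the report; the last two are
# benign additions that the rule must leave alone.
EVENTS = [
    (2900, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa2900.17681\windowscoredeviceinfo.exe"),
    (308, "windowscoredeviceinfo.exe", r"C:\Users\admin\AppData\Local\Temp\Xyunm\1395468.dat"),
    (308, "windowscoredeviceinfo.exe", r"C:\Users\admin\AppData\Local\Temp\Uyhzx\1397500.dat"),
    (308, "windowscoredeviceinfo.exe", r"C:\Users\admin\AppData\Local\Temp\Uwmuw\1399531.dat"),
    (2252, "vssvc.exe", r"C:"),
    (960, "svchost.exe", r"C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log"),
    (960, "svchost.exe", r"C:\Windows\SoftwareDistribution\DataStore\DataStore.edb"),
    (960, "svchost.exe", r"C:\Users\admin\AppData\Local\Temp\Jijzcbpl\94078.dat"),
    (2652, "windowscoredeviceinfo.exe", r"C:\Users\admin\AppData\Local\Temp\Nudobuyb\96703.dat"),
    (960, "svchost.exe", r"C:\Users\admin\AppData\Local\Temp\Nudobuyb\96703.dat"),
    (1234, "notepad.exe", r"C:\Users\admin\AppData\Local\Temp\notes.txt"),           # constructed, benign
    (1234, "notepad.exe", r"C:\Users\admin\AppData\Local\Temp\Backup\20200722.bak"),  # constructed, benign
]

# Letters-only subfolder (5 to 8 characters, assumed bounds) directly under the
# user's Temp, holding a purely numeric .dat file. A heuristic: one signal, not a verdict.
RANDOM_TEMP_DAT = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp)\\"
    r"(?P<folder>[A-Za-z]{5,8})\\(?P<file>\d{5,8}\.dat)$",
    re.IGNORECASE,
)

# Processes that normally run as SYSTEM or a service account; a write from one of
# these into a user's Temp folder is the part worth a closer look.
SERVICE_HOSTS = {"svchost.exe", "services.exe", "lsass.exe"}


def flag_dropper_pattern(events):
    """Apply RANDOM_TEMP_DAT to each event. Returns the matching events, the flagged
    paths that more than one process touched (case-insensitive), and the subset of
    hits made by a service host process."""
    hits = []
    touched_by = defaultdict(set)
    for pid, proc, path in events:
        m = RANDOM_TEMP_DAT.match(path)
        if not m:
            continue
        hits.append({"pid": pid, "process": proc, "folder": m["folder"],
                     "file": m["file"], "path": path})
        touched_by[path.lower()].add((pid, proc))
    shared = {path: sorted(procs) for path, procs in touched_by.items() if len(procs) > 1}
    service_touch = [h for h in hits if h["process"].lower() in SERVICE_HOSTS]
    return {"hits": hits, "shared": shared, "service_touch": service_touch}


if __name__ == "__main__":
    result = flag_dropper_pattern(EVENTS)
    for h in result["hits"]:
        print(f"hit  pid={h['pid']:<5} {h['process']:<26} {h['path']}")
    for path, procs in result["shared"].items():
        print(f"shared by {procs}: {path}")
    for h in result["service_touch"]:
        print(f"service host wrote into user Temp: pid={h['pid']} {h['path']}")
```

The regex is deliberately narrow (letters-only folder, digits-only file name, `.dat` extension) so that the WinRAR extraction folder, the Windows Update datastore and the two constructed notepad rows fall through; widen the bounds only after checking what legitimate software on the estate drops into Temp. The `shared` output is the pivot: the same file appearing under a MEDIUM-integrity user process and under a SYSTEM service host is what justifies pulling both processes into the investigation.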
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | HEAD | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/wsus3setup.cab?2007221342 | US | — | — | whitelisted |
| — | — | HEAD | 200 | 67.27.235.126:80 | http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?2007221343 | US | — | — | whitelisted |
| 960 | svchost.exe | HEAD | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?2007221346 | US | — | — | whitelisted |
| — | — | HEAD | 200 | 8.253.190.237:80 | http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?2007221342 | US | — | — | whitelisted |
| — | — | GET | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~x86~~7.6.7600.320.cab?2007221342 | US | compressed | 116 KB | whitelisted |
| — | — | GET | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~x86~~7.6.7600.320.cab?2007221342 | US | compressed | 2.21 MB | whitelisted |
| — | — | GET | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/wsus3setup.cab?2007221342 | US | compressed | 32.9 KB | whitelisted |
| — | — | HEAD | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~x86~~7.6.7600.320.cab?2007221342 | US | compressed | 116 KB | whitelisted |
| — | — | HEAD | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~x86~~7.6.7600.320.cab?2007221342 | US | compressed | 458 KB | whitelisted |
| 960 | svchost.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 B | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 13.107.4.50:80 | ds.download.windowsupdate.com | Microsoft Corporation | US | whitelisted |
| — | — | 40.91.124.111:443 | www.update.microsoft.com | Microsoft Corporation | US | unknown |
| 960 | svchost.exe | 2.16.186.120:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
| 960 | svchost.exe | 2.21.38.54:80 | www.microsoft.com | GTT Communications Inc. | FR | malicious |
| 960 | svchost.exe | 13.107.4.50:80 | ds.download.windowsupdate.com | Microsoft Corporation | US | whitelisted |
| 960 | svchost.exe | 8.238.32.126:80 | download.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
| 960 | svchost.exe | 20.45.3.193:443 | fe2.update.microsoft.com | — | US | unknown |
| — | — | 8.253.190.237:80 | download.windowsupdate.com | Global Crossing | US | unknown |
| — | — | 67.27.235.126:80 | download.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |

Every request and connection in the two tables above that is attributed to a process belongs to PID 960 (svchost.exe -k netsvcs), and all destinations are Windows Update, CRL or microsoft.com hosts; none of the recorded network activity is attributed to windowscoredeviceinfo.exe (PID 308 or 2652). The Reputation column here is a per-IP verdict and disagrees with the per-domain verdicts in the DNS table below (www.microsoft.com is "malicious" by IP and "whitelisted" by domain; download.windowsupdate.com is "suspicious" on two of its three IPs), so it should be read against the domain table rather than taken as evidence of C2 traffic.
| Domain | IP | Reputation |
|---|---|---|
| download.windowsupdate.com | — | whitelisted |
| www.update.microsoft.com | — | whitelisted |
| ds.download.windowsupdate.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| fe2.update.microsoft.com | — | whitelisted |
| Process | Message |
|---|---|
| mmc.exe | ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode |
| mmc.exe | ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode |
| mmc.exe | ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode |
| mmc.exe | ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode |
| mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerExtension |