File name:

Windows_Loader_v2.2.1.zip

Full analysis: https://app.any.run/tasks/48ef4754-84cc-490a-b1af-42b72f902969
Verdict: Malicious activity
Analysis date: June 04, 2024, 10:38:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

E4D0F51884FDAE5B3C0CCC1E114F9F00

SHA1:

F901FEEFE2DD5AB8145211305D94A7E3E5389774

SHA256:

CB2F418B6471D3FEEC8E9682E0939BA59412858B9286555BE0640E8154065CEA

SSDEEP:

49152:aiquh2LncDEkl16dvQByTfxA1VvEQJUx2JKjrSMrlVKBhZTrjASWBqhFVBFvclDt:a7Y0aHE4oWTEAUAJ9YXKnJANkhzvvS9f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3976)
      • Windows Loader.exe (PID: 864)

    • Opens a text file (SCRIPT)

      • cscript.exe (PID: 936)
      • cscript.exe (PID: 2636)

  • SUSPICIOUS

    • Reads the BIOS version

      • Windows Loader.exe (PID: 864)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3976)

    • The process executes VB scripts

      • cmd.exe (PID: 1848)
      • cmd.exe (PID: 1880)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 2188)
      • cmd.exe (PID: 1980)

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 936)
      • cscript.exe (PID: 2636)

    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 936)
      • cscript.exe (PID: 2636)

    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 936)
      • cscript.exe (PID: 2636)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 664)
      • cmd.exe (PID: 2516)
      • Windows Loader.exe (PID: 864)

    • Application launched itself

      • cmd.exe (PID: 2516)
      • cmd.exe (PID: 664)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 1960)
      • cmd.exe (PID: 1012)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • cscript.exe (PID: 936)

    • Reads data from a binary Stream object (SCRIPT)

      • cscript.exe (PID: 2636)
      • cscript.exe (PID: 936)

    • Changes charset (SCRIPT)

      • cscript.exe (PID: 936)

    • Executes WMI query (SCRIPT)

      • cscript.exe (PID: 936)
      • cscript.exe (PID: 2636)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 2636)
      • cscript.exe (PID: 936)

    • Process drops legitimate windows executable

      • Windows Loader.exe (PID: 864)

    • Reads data from a file (SCRIPT)

      • cscript.exe (PID: 936)

    • Creates file in the systems drive root

      • bootsect.exe (PID: 2564)
      • Windows Loader.exe (PID: 864)
      • cmd.exe (PID: 916)

    • The process executes via Task Scheduler

      • ctfmon.exe (PID: 284)
      • sipnotify.exe (PID: 240)

    • The system shut down or reboot

      • cmd.exe (PID: 2916)

    • Reads settings of System Certificates

      • sipnotify.exe (PID: 240)

    • Reads the Internet Settings

      • sipnotify.exe (PID: 240)

    • Executable content was dropped or overwritten

      • Windows Loader.exe (PID: 864)

  • INFO

    • Reads product name

      • Windows Loader.exe (PID: 864)

    • Reads the machine GUID from the registry

      • Windows Loader.exe (PID: 864)

    • Reads the computer name

      • Windows Loader.exe (PID: 864)
      • IMEKLMG.EXE (PID: 2224)
      • wmpnscfg.exe (PID: 2452)
      • wmpnscfg.exe (PID: 2484)
      • IMEKLMG.EXE (PID: 2216)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3976)

    • Reads Environment values

      • Windows Loader.exe (PID: 864)

    • Checks supported languages

      • Windows Loader.exe (PID: 1592)
      • Windows Loader.exe (PID: 1804)
      • Windows Loader.exe (PID: 864)
      • IMEKLMG.EXE (PID: 2216)
      • bootsect.exe (PID: 2564)
      • wmpnscfg.exe (PID: 2452)
      • wmpnscfg.exe (PID: 2484)
      • IMEKLMG.EXE (PID: 2224)

    • Manual execution by a user

      • Windows Loader.exe (PID: 1640)
      • Windows Loader.exe (PID: 1804)
      • IMEKLMG.EXE (PID: 2216)
      • IMEKLMG.EXE (PID: 2224)
      • wmpnscfg.exe (PID: 2484)
      • taskmgr.exe (PID: 2608)
      • taskmgr.exe (PID: 2728)
      • wmpnscfg.exe (PID: 2452)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 936)
      • cscript.exe (PID: 2636)
      • sipnotify.exe (PID: 240)

    • Reads the software policy settings

      • sipnotify.exe (PID: 240)

    • Process checks whether UAC notifications are on

      • IMEKLMG.EXE (PID: 2224)
      • IMEKLMG.EXE (PID: 2216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2013:01:29 14:33:00
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Windows Loader/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
35
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe windows loader.exe no specs windows loader.exe windows loader.exe no specs windows loader.exe windows loader.exe no specs windows loader.exe cmd.exe no specs cmd.exe no specs takeown.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs cmd.exe no specs takeown.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs compact.exe no specs cmd.exe no specs bootsect.exe no specs cmd.exe no specs shutdown.exe no specs ctfmon.exe no specs sipnotify.exe imeklmg.exe no specs imeklmg.exe no specs wmpnscfg.exe no specs wmpnscfg.exe no specs taskmgr.exe no specs taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
240C:\Windows\system32\sipnotify.exe -LogonOrUnlockC:\Windows\System32\sipnotify.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
sipnotify
Exit code:
0
Version:
6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules
Images
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
284C:\Windows\System32\ctfmon.exe C:\Windows\System32\ctfmon.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
664cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin" C:\Windows\System32\cmd.exeWindows Loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
848compact /u \\?\Volume{e1a82db3-a9f0-11e7-b142-806e6f6e6963}\AGKHS C:\Windows\System32\compact.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
File Compress Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\compact.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
864"C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.32815\Windows Loader\Windows Loader.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.32815\Windows Loader\Windows Loader.exe
WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3976.32815\windows loader\windows loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
916cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force" C:\Windows\System32\cmd.exeWindows Loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
936C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Dell.XRM-MS" C:\Windows\System32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1012cmd.exe /c takeown /f C:\ldrscan\bootwin C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1468takeown /f C:\ldrscan\bootwin C:\Windows\System32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1592"C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.34240\Windows Loader\Windows Loader.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.34240\Windows Loader\Windows Loader.exe
WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3976.34240\windows loader\windows loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events
9 494
Read events
9 433
Write events
48
Delete events
13

Modification events

(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3976) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Windows_Loader_v2.2.1.zip
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
5
Suspicious files
2
Text files
12
Unknown types
0

Dropped files

PID
Process
Filename
Type
2564bootsect.exe\Device\HarddiskVolume1
MD5:
SHA256:
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.32815\Windows Loader\Windows Loader.exeexecutable
MD5:3976BD5FCBB7CD13F0C12BB69AFC2ADC
SHA256:BF5070EF8CF03A11D25460B3E09A479183CC0FA03D0EA32E4499998F509B1A40
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.32815\Windows Loader\Read me.txttext
MD5:4D9492CE42767FBFA1E2D1452E90298A
SHA256:7D0FC1C6F856188B05A08D2454CA33E45BFA03DF055CAA5E0FA2559898203A3A
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.34240\Windows Loader\Windows Loader.exeexecutable
MD5:3976BD5FCBB7CD13F0C12BB69AFC2ADC
SHA256:BF5070EF8CF03A11D25460B3E09A479183CC0FA03D0EA32E4499998F509B1A40
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.32815\Windows Loader\Keys.initext
MD5:3BB894D0D458970E1EEA0A45E21918CB
SHA256:898A61C5527BC13D45DDD6E9DA23A14673065EC389438710AECDCFB254DF87D8
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.32815\Windows Loader\checksums.md5text
MD5:672BFA5463DF7B6EF79DAFE7FBAD4AC4
SHA256:2ADEF5BF1E6C62FC4DC9A3FA30C3C9B981F6311E2E468142B9046D43F0722B1D
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.34240\Windows Loader\checksums.md5text
MD5:672BFA5463DF7B6EF79DAFE7FBAD4AC4
SHA256:2ADEF5BF1E6C62FC4DC9A3FA30C3C9B981F6311E2E468142B9046D43F0722B1D
3976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3976.34240\Windows Loader\Keys.initext
MD5:3BB894D0D458970E1EEA0A45E21918CB
SHA256:898A61C5527BC13D45DDD6E9DA23A14673065EC389438710AECDCFB254DF87D8
240sipnotify.exeC:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\styles.csstext
MD5:3383EEF350240253D7C2C2564381B3CB
SHA256:85443493D86D6D7FB0E07BC9705DFC9C858086FBA1B0E508092AB328D5F145E8
240sipnotify.exeC:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\metadata.jsonbinary
MD5:E8A970BA6CE386EED9A5E724F26212A6
SHA256:7E06107D585D8FC7870998F3856DCC3E35800AA97E4406AAB83BC8444B6CBDE3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
13
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
240
sipnotify.exe
HEAD
200
104.110.23.132:80
http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133619748449210000
NO
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
1116
svchost.exe
224.0.0.252:5355
unknown
1452
svchost.exe
239.255.255.250:3702
unknown
240
sipnotify.exe
104.110.23.132:80
query.prod.cms.rt.microsoft.com
AKAMAI-AS
NO
unknown

DNS requests

Domain
IP
Reputation
query.prod.cms.rt.microsoft.com
  • 104.110.23.132
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Windows_Loader_v2.2.1.zip