| File name: | POS Printer Test V3.2-20240607T175405Z-001.zip |
| Full analysis: | https://app.any.run/tasks/5637d593-ce48-4fe4-b3ec-108ce7bc8fae |
| Verdict: | Malicious activity |
| Analysis date: | June 10, 2024, 16:15:49 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 2869F34E10301EA613710D9EFAFE29FA |
| SHA1: | 736527AA543C171CD5DCB23A8865D1F4FC0BFBD4 |
| SHA256: | CD6178AB215C22B3062F6E905E56E4ACD6DE0B76DB4BF14866A0F7C032D40449 |
| SSDEEP: | 49152:phDnYXFIYeIapRVnk+lG3kBE98HOPoVmwdZvakjbzgn+QwOz9gIzPrVvvqunMCNO:phDnFT0UBE6HYoVmwdZakjb5BOz9g+PQ |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3976)
Creates a writable file in the system directory
- printfilterpipelinesvc.exe (PID: 1652)
- POS Printer Test.exe (PID: 2028)
SUSPICIOUS
Connects to unusual port
- POS Printer Test.exe (PID: 2028)
Reads the Internet Settings
- printfilterpipelinesvc.exe (PID: 1652)
Checks Windows Trust Settings
- ONENOTE.EXE (PID: 1604)
Reads security settings of Internet Explorer
- ONENOTE.EXE (PID: 1604)
Reads settings of System Certificates
- ONENOTE.EXE (PID: 1604)
INFO
Checks supported languages
- POS Printer Test.exe (PID: 2028)
- ONENOTE.EXE (PID: 1604)
- ONENOTEM.EXE (PID: 1596)
- wmpnscfg.exe (PID: 2300)
Reads the computer name
- POS Printer Test.exe (PID: 2028)
- ONENOTE.EXE (PID: 1604)
- wmpnscfg.exe (PID: 2300)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3976)
Manual execution by a user
- POS Printer Test.exe (PID: 2028)
- wmpnscfg.exe (PID: 2300)
Reads Microsoft Office registry keys
- ONENOTE.EXE (PID: 1604)
- ONENOTEM.EXE (PID: 1596)
Reads Environment values
- ONENOTE.EXE (PID: 1604)
Reads the machine GUID from the registry
- POS Printer Test.exe (PID: 2028)
- ONENOTE.EXE (PID: 1604)
Creates files or folders in the user directory
- printfilterpipelinesvc.exe (PID: 1652)
- ONENOTE.EXE (PID: 1604)
Create files in a temporary directory
- POS Printer Test.exe (PID: 2028)
- ONENOTE.EXE (PID: 1604)
Reads the software policy settings
- ONENOTE.EXE (PID: 1604)
Process checks computer location settings
- ONENOTE.EXE (PID: 1604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0808 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 1980:01:01 00:00:00 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | 2 |
| ZipUncompressedSize: | - |
| ZipFileName: | POS Printer Test V3.2/Text_Sample/Sample.jsp |
Total processes
47
Monitored processes
6
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1596 | /tsr | C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE | — | ONENOTE.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneNote Quick Launcher Version: 14.0.6015.1000 Modules
| |||||||||||||||
| 1604 | /insertdoc "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4EF20C5A-BC7C-4CF7-A5BA-F1C8C28F2E10}.xps" 133625098699720000 | C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE | printfilterpipelinesvc.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneNote Exit code: 0 Version: 14.0.6022.1000 Modules
| |||||||||||||||
| 1652 | C:\Windows\system32\printfilterpipelinesvc.exe -Embedding | C:\Windows\System32\printfilterpipelinesvc.exe | — | svchost.exe | |||||||||||
User: LOCAL SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Print Filter Pipeline Host Exit code: 0 Version: 6.1.7601.24537 (win7sp1_ldr_escrow.191114-1547) Modules
| |||||||||||||||
| 2028 | "C:\Users\admin\Desktop\POS Printer Test V3.2\POS Printer Test.exe" | C:\Users\admin\Desktop\POS Printer Test V3.2\POS Printer Test.exe | explorer.exe | ||||||||||||
User: admin Company: Copyright (C) 2020 By Lee Integrity Level: MEDIUM Description: Printer Exit code: 255 Version: 3.2.0.1 Modules
| |||||||||||||||
| 2300 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3976 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\POS Printer Test V3.2-20240607T175405Z-001.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
Total events
10 476
Read events
10 386
Write events
84
Delete events
6
Modification events
| (PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\POS Printer Test V3.2-20240607T175405Z-001.zip | |||
| (PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3976) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
2
Suspicious files
15
Text files
23
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Logo_Sample\Rabit.bmp | image | |
MD5:E74212E0AD0F5F73D570F6C8B9B055BC | SHA256:D724D748FBD554F4DDF378C0389D621204EDC388FFE70C2B3B5F3279003CEF3F | |||
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Printer.ini | ini | |
MD5:250CC8C4D0EB4295D7045380D5B5B367 | SHA256:965481A77348C10C22A91FE3A6BDB019AE368A409303CF1FA64C08D39F7D0A20 | |||
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\myTitle\exit_nor.bmp | image | |
MD5:E0FA8825EE58DB0A7C5A23D4D044BF66 | SHA256:A31FF83BDA3F395206F6EB7CAAA2BC1F61557408A01B65433A05ED5D0AF1E024 | |||
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Logo_Sample\POS.bmp | image | |
MD5:6736FB2784749BDD4C8B2ED42F896802 | SHA256:06F15892AD683CA03BC2B83BD0754E9D0855D053EAF9BE9DC6E83C1C0BC41743 | |||
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\myTitle\bitmap9.bmp | image | |
MD5:9560014E57F19DBBFA14C6357D6A13D3 | SHA256:7624B6F94B0258C3C93F04D8339CE61300D34DBE5856B895586DB4213F0098C3 | |||
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Text_Sample\BmpHexFile.txt | text | |
MD5:8B30B0FBFF03E2CED409735393D96CA8 | SHA256:647D9BDABA437701CAB7495931925289DB14126815B89908420FE44C0481D66B | |||
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Bmp_Led\Red.bmp | image | |
MD5:23A2BD879D0B964384835CB27AC1E469 | SHA256:597C3AA508651E6B4F3C08B2F6571A78F15B892EA982DA159508536997732CA0 | |||
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Text_Sample\Traditional_58.jsp | binary | |
MD5:66984F6859900F71875DB3A0295FC569 | SHA256:E615451347318D053079CFDE49EF7B554FD18C509445B4B53E7BACDBD5E3A435 | |||
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Bmp_Led\Black.bmp | image | |
MD5:BB81DE7D2EFFAB0521FEB17F56442222 | SHA256:9FAE61084B60C53DE956D22E827C6573EFAC531B8F4C0C02C21445CAC45DA869 | |||
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\temp.txt | binary | |
MD5:CC2E52EE1CA78B389CB2AA7E0115183B | SHA256:5DFDFB9AF8DCDE2DD22CDC29FD91650395B95FA5777BC3190A27F4CC18A8B1A5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
8
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2028 | POS Printer Test.exe | 192.168.123.100:9100 | — | — | — | unknown |
1900 | WerFault.exe | 104.208.16.93:443 | watson.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
watson.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
ONENOTE.EXE |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
ONENOTE.EXE |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
ONENOTE.EXE |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
ONENOTE.EXE |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
ONENOTE.EXE |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
ONENOTE.EXE |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|