| Field | Value |
|---|---|
| File name: | POS Printer Test V3.2-20240607T175405Z-001.zip |
| Full analysis: | https://app.any.run/tasks/5637d593-ce48-4fe4-b3ec-108ce7bc8fae |
| Verdict: | Malicious activity |
| Analysis date: | June 10, 2024, 16:15:49 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 2869F34E10301EA613710D9EFAFE29FA |
| SHA1: | 736527AA543C171CD5DCB23A8865D1F4FC0BFBD4 |
| SHA256: | CD6178AB215C22B3062F6E905E56E4ACD6DE0B76DB4BF14866A0F7C032D40449 |
| SSDEEP: | 49152:phDnYXFIYeIapRVnk+lG3kBE98HOPoVmwdZvakjbzgn+QwOz9gIzPrVvvqunMCNO:phDnFT0UBE6HYoVmwdZakjb5BOz9g+PQ |
| .zip | ZIP compressed archive (100) |
|---|---|
| ZipRequiredVersion: | 20 |
| ZipBitFlag: | 0x0808 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 1980:01:01 00:00:00 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | 2 |
| ZipUncompressedSize: | - |
| ZipFileName: | POS Printer Test V3.2/Text_Sample/Sample.jsp |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1596 | /tsr | C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE | — | ONENOTE.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft OneNote Quick Launcher; Version: 14.0.6015.1000 |
| 1604 | /insertdoc "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4EF20C5A-BC7C-4CF7-A5BA-F1C8C28F2E10}.xps" 133625098699720000 | C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE | | printfilterpipelinesvc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft OneNote; Exit code: 0; Version: 14.0.6022.1000 |
| 1652 | C:\Windows\system32\printfilterpipelinesvc.exe -Embedding | C:\Windows\System32\printfilterpipelinesvc.exe | — | svchost.exe | User: LOCAL SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Print Filter Pipeline Host; Exit code: 0; Version: 6.1.7601.24537 (win7sp1_ldr_escrow.191114-1547) |
| 2028 | "C:\Users\admin\Desktop\POS Printer Test V3.2\POS Printer Test.exe" | C:\Users\admin\Desktop\POS Printer Test V3.2\POS Printer Test.exe | | explorer.exe | User: admin; Company: Copyright (C) 2020 By Lee; Integrity Level: MEDIUM; Description: Printer; Exit code: 255; Version: 3.2.0.1 |
| 2300 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Media Player Network Sharing Service Configuration Application; Exit code: 0; Version: 12.0.7600.16385 (win7_rtm.090713-1255) |
| 3976 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\POS Printer Test V3.2-20240607T175405Z-001.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0 |
| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
| (3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
| (3976) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US |
| (3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip |
| (3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| (3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip |
| (3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\POS Printer Test V3.2-20240607T175405Z-001.zip |
| (3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| (3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| (3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\myTitle\exit_foc.bmp | image | 670C98667504EFD8AD9739E45AF9A397 | 111065708A0E31F0516FE55702189C74A827BD7736BE1C0A00CAF1EFCE070F9B |
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Bmp_Led\Red.bmp | image | 23A2BD879D0B964384835CB27AC1E469 | 597C3AA508651E6B4F3C08B2F6571A78F15B892EA982DA159508536997732CA0 |
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\myTitle\hel_focu.bmp | image | 84FF43DD8FDAFE62E406484DB6505A42 | 72787920E581E347660EB3F76B7C0B28F4DA88AAD551D9101493F31BEDF22965 |
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Text_Sample\BmpHexFile.txt | text | 8B30B0FBFF03E2CED409735393D96CA8 | 647D9BDABA437701CAB7495931925289DB14126815B89908420FE44C0481D66B |
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Text_Sample\Sample1.jsp | text | B099AA5F2B07D7765CF1BFD3F698CDD3 | 17F41E6A7867B95DB505379B102315E82EBD58B8FBEEE45B84D16C7E27161A84 |
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Text_Sample\Traditional_58.jsp | binary | 66984F6859900F71875DB3A0295FC569 | E615451347318D053079CFDE49EF7B554FD18C509445B4B53E7BACDBD5E3A435 |
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Logo_Sample\POS.bmp | image | 6736FB2784749BDD4C8B2ED42F896802 | 06F15892AD683CA03BC2B83BD0754E9D0855D053EAF9BE9DC6E83C1C0BC41743 |
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Text_Sample\Traditional_76.jsp | binary | 2912CDF3EFF188F56044972C058F3B47 | BCCFBFC6ABB1CF9741EC67F3C42DAB5D77BAF9896C77A2A20E56918315D0A394 |
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\Bmp_Led\Green.bmp | image | 9ADA34DDA96E8F063222E2D60358080B | 4407DEE00CD8855E143EB73DB8F8472A291B86CAA600C5EDB0A25A238DE8C917 |
| 3976 | WinRAR.exe | C:\Users\admin\Desktop\POS Printer Test V3.2\TempQr.bmp | image | 5EE97372F4FE1552385AFF743837AFD4 | 41DED57940099DF48F88DCE06644FAC64C34C44F8206D38CB91A4D934A09287C |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 2028 | POS Printer Test.exe | 192.168.123.100:9100 | — | — | — | unknown |
| 1900 | WerFault.exe | 104.208.16.93:443 | watson.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
| Domain | IP | Reputation |
|---|---|---|
| watson.microsoft.com | | whitelisted |
| Process | Message |
|---|---|
| ONENOTE.EXE | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
| ONENOTE.EXE | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
| ONENOTE.EXE | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
| ONENOTE.EXE | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
| ONENOTE.EXE | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
| ONENOTE.EXE | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |