analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| download: | Muca-1.jpg |
| Full analysis: | https://app.any.run/tasks/2f341833-337d-4f92-a976-4b38beb3634a |
| Verdict: | Malicious activity |
| Analysis date: | September 30, 2020, 11:02:17 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | image/jpeg |
| File info: | JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, comment: "Created with GIMP", progressive, precision 8, 565x524, frames 3 |
| MD5: | 50EBF6EC604994236A0124A00860EBDA |
| SHA1: | FBFD0EC0A30FA714A137BDE66FDF8869B9604B64 |
| SHA256: | 16D77B9F75ABF4C19A50616E2A621AB07FFD8C089D7886464789A4F21D1A1DA4 |
| SSDEEP: | 1536:5HZOqRPxmB9r4fmEm674eD3Uunx50j06fUz4km4rCOKkzmDptjkWu0:asPxmumLKpnxK06Qm42OxzmDTAC |
MALICIOUS
Runs app for hidden code execution
- cmd.exe (PID: 2292)
SUSPICIOUS
Starts CMD.EXE for commands execution
- cmd.exe (PID: 2292)
Application launched itself
- cmd.exe (PID: 2292)
INFO
Manual execution by user
- cmd.exe (PID: 2292)
- NOTEPAD.EXE (PID: 3292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .jpg | | | JFIF JPEG bitmap (38.1) |
|---|---|---|
| .jpg | | | JPEG bitmap (28.5) |
| .mp3 | | | MP3 audio (ID3 v1.x tag) (23.8) |
| .mp3 | | | MP3 audio (9.5) |
EXIF
Composite
| Megapixels: | 0.296 |
|---|---|
| ImageSize: | 565x524 |
ICC_Profile
| DeviceModelDesc: | sRGB |
|---|---|
| DeviceMfgDesc: | GIMP |
| ChromaticityChannel3: | 0.15001 0.06 |
| ChromaticityChannel2: | 0.3 0.60001 |
| ChromaticityChannel1: | 0.64 0.33002 |
| ChromaticityColorant: | Unknown (0) |
| ChromaticityChannels: | 3 |
| BlueTRC: | (Binary data 32 bytes, use -b option to extract) |
| GreenTRC: | (Binary data 32 bytes, use -b option to extract) |
| RedTRC: | (Binary data 32 bytes, use -b option to extract) |
| GreenMatrixColumn: | 0.38512 0.7169 0.09706 |
| BlueMatrixColumn: | 0.14305 0.06061 0.71393 |
| RedMatrixColumn: | 0.43604 0.22249 0.01392 |
| ChromaticAdaptation: | 1.04788 0.02292 -0.05022 0.02959 0.99048 -0.01707 -0.00925 0.01508 0.75168 |
| MediaWhitePoint: | 0.9642 1 0.82491 |
| ProfileCopyright: | Public Domain |
| ProfileDescription: | GIMP built-in sRGB |
| ProfileID: | - |
| ProfileCreator: | lcms |
| ConnectionSpaceIlluminant: | 0.9642 1 0.82491 |
| RenderingIntent: | Perceptual |
| DeviceAttributes: | Reflective, Glossy, Positive, Color |
| DeviceModel: | - |
| DeviceManufacturer: | - |
| CMMFlags: | Not Embedded, Independent |
| PrimaryPlatform: | Microsoft Corporation |
| ProfileFileSignature: | acsp |
| ProfileDateTime: | 2020:04:21 08:37:22 |
| ProfileConnectionSpace: | XYZ |
| ColorSpaceData: | RGB |
| ProfileClass: | Display Device Profile |
| ProfileVersion: | 4.3.0 |
| ProfileCMMType: | lcms |
JFIF
| YResolution: | 300 |
|---|---|
| XResolution: | 300 |
| ResolutionUnit: | inches |
| JFIFVersion: | 1.01 |
Total processes
711
Monitored processes
408
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2128 | "C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\AppData\Local\Temp\Muca-1.jpg | C:\Windows\System32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3292 | "C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\bla.bat | C:\Windows\System32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2292 | cmd /c ""C:\Users\admin\Desktop\bla.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 3792 | cmd.exe | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 580 | cmd.exe | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 340 | cmd.exe | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 308 | cmd.exe | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 1516 | cmd.exe | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 3732 | cmd.exe | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2700 | cmd.exe | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
Total events
116
Read events
110
Write events
6
Delete events
0
Modification events
| (PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
| Operation: | write | Name: | Name |
Value: rundll32.exe | |||
| (PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Viewer |
| Operation: | write | Name: | MainWndPos |
Value: 6000000034000000A00400008002000000000000 | |||
| (PID) Process: | (3292) NOTEPAD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Notepad |
| Operation: | write | Name: | iWindowPosX |
Value: 154 | |||
| (PID) Process: | (3292) NOTEPAD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Notepad |
| Operation: | write | Name: | iWindowPosY |
Value: 154 | |||
| (PID) Process: | (3292) NOTEPAD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Notepad |
| Operation: | write | Name: | iWindowPosDX |
Value: 960 | |||
| (PID) Process: | (3292) NOTEPAD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Notepad |
| Operation: | write | Name: | iWindowPosDY |
Value: 501 | |||
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3292 | NOTEPAD.EXE | C:\Users\admin\Desktop\bla.bat | text | |
MD5:26D6D715069E9A133713B657E22D1ECA | SHA256:9C4F32AF318FE4BAA4269B42CD45D8533C7582493304BBA902F5BD02620969C9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report