analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

pixel.jpg

Full analysis: https://app.any.run/tasks/481017fa-9e1e-44c9-9193-54fbaf4684be
Verdict: Malicious activity
Analysis date: March 21, 2019, 14:56:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: image/jpeg
File info: JPEG image data, JFIF standard 1.01, aspect ratio, density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2], baseline, precision 8, 232x309, frames 3
MD5:

682CD610E4135E8A3203E9994076961D

SHA1:

C3016D7F6547536B5B11EBB15FBBBC46EECD39B9

SHA256:

4A1832614F81E61521B7BC845766678B9411C6D09460EDB8310ABBB03A6D5EE2

SSDEEP:

384:2KcrBurfMKAU2HipomnJb93HP63nr/Fdos5E6B6Non4xpq3jYC+AxwEX9VcBgC6i:25BuIRU2CpomnJZvWnbF636BSonm+xwN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 292)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3028)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jpg | JFIF-EXIF JPEG Bitmap (38.4)
.jpg | JFIF JPEG bitmap (30.7)
.jpg | JPEG bitmap (23)
.mp3 | MP3 audio (7.6)

EXIF

JFIF

JFIFVersion: 1.01
ResolutionUnit: None
XResolution: 72
YResolution: 72

EXIF

Orientation: Horizontal (normal)
XResolution: 72
YResolution: 72
ResolutionUnit: inches
ColorSpace: sRGB
ExifImageWidth: 232
ExifImageHeight: 309

Photoshop

IPTCDigest: d41d8cd98f00b204e9800998ecf8427e

Composite

ImageSize: 232x309
Megapixels: 0.072
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs cmd.exe no specs powershell.exe cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
464"C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\pixel.jpgC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
292"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3028powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
3221225786
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2500"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
274
Read events
205
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3028powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DI6GG1PGAS3ZXR9PXMHT.temp
MD5:
SHA256:
3028powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
3028powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1081c4.TMPbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3028
powershell.exe
GET
37.61.239.108:80
http://www.timucinmuratalan.com/Rem4.exe
GB
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3028
powershell.exe
37.61.239.108:80
www.timucinmuratalan.com
Namecheap, Inc.
GB
suspicious

DNS requests

Domain
IP
Reputation
www.timucinmuratalan.com
  • 37.61.239.108
suspicious

Threats

PID
Process
Class
Message
3028
powershell.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
No debug info