File name: Contract#4115.iso
Full analysis: https://app.any.run/tasks/e282ab8f-8c89-4c63-9a96-b5ebce4549f4
Verdict: Malicious activity
Analysis date: October 04, 2022, 21:13:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'CD_ROM'
MD5: 255E8EB50654B3413D3025AB46C112C7
SHA1: BBAFF6350C529B92BD6030B010D5F9698A0F6E7B
SHA256: 5140F0D1ED4BF989558F4DB7E1F385AE4DE5E9082E7203F36505E3F6BE4FD728
SSDEEP: 24576:X2j1do5WFEJ4B38MPwFOHrwcwjHmvwiK7Jb0y/cT5SL8uj3HH:X5lJI3BwFOHrwcwjHmvwiKb1/cT5S53n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3132)
      • RdrCEF.exe (PID: 3656)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3132)
      • AdobeARM.exe (PID: 288)
      • WScript.exe (PID: 2656)
      • WScript.exe (PID: 1736)
    • Checks supported languages

      • WinRAR.exe (PID: 3132)
      • AdobeARM.exe (PID: 288)
      • WScript.exe (PID: 2656)
      • Reader_sl.exe (PID: 3084)
      • cmd.exe (PID: 1752)
      • WScript.exe (PID: 1736)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3132)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3132)
      • RdrCEF.exe (PID: 3656)
    • Creates files in the program directory

      • AdobeARM.exe (PID: 288)
  • INFO

    • Checks supported languages

      • AcroRd32.exe (PID: 3124)
      • AcroRd32.exe (PID: 3544)
      • RdrCEF.exe (PID: 3656)
      • RdrCEF.exe (PID: 1364)
      • RdrCEF.exe (PID: 2192)
      • RdrCEF.exe (PID: 2448)
      • RdrCEF.exe (PID: 856)
      • RdrCEF.exe (PID: 2796)
      • RdrCEF.exe (PID: 3164)
    • Reads the computer name

      • AcroRd32.exe (PID: 3124)
      • AcroRd32.exe (PID: 3544)
      • RdrCEF.exe (PID: 3656)
    • Searches for installed software

      • AcroRd32.exe (PID: 3124)
      • AcroRd32.exe (PID: 3544)
    • Application launched itself

      • AcroRd32.exe (PID: 3124)
      • RdrCEF.exe (PID: 3656)
    • Manual execution by user

      • AcroRd32.exe (PID: 3124)
      • WScript.exe (PID: 2656)
      • cmd.exe (PID: 1752)
      • WScript.exe (PID: 1736)
    • Reads CPU info

      • AcroRd32.exe (PID: 3544)
    • Reads the hosts file

      • RdrCEF.exe (PID: 3656)
    • Reads settings of System Certificates

      • AcroRd32.exe (PID: 3124)
      • RdrCEF.exe (PID: 3656)
      • AdobeARM.exe (PID: 288)
    • Checks Windows Trust Settings

      • AcroRd32.exe (PID: 3124)
      • WScript.exe (PID: 2656)
      • WScript.exe (PID: 1736)
      • AdobeARM.exe (PID: 288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)
No data.
All screenshots are available in the full report
Total processes: 58
Monitored processes: 15
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Processes shown in the graph, from start: winrar.exe, acrord32.exe, acrord32.exe (no specs), rdrcef.exe, rdrcef.exe (no specs), rdrcef.exe (no specs), rdrcef.exe (no specs), rdrcef.exe (no specs), rdrcef.exe (no specs), rdrcef.exe (no specs), wscript.exe (no specs), adobearm.exe, reader_sl.exe (no specs), cmd.exe (no specs), wscript.exe (no specs)

Process information

PID: 3132
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Contract#4115.iso"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 3124
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: Explorer.EXE
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Acrobat Reader DC
Version: 20.13.20064.405839

PID: 3544
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe Acrobat Reader DC
Version: 20.13.20064.405839

PID: 3656
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Version: 20.13.20064.405839

PID: 2448
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1176,2972562935618874862,685022941370675598,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17198432636141027446 --renderer-client-id=2 --mojo-platform-channel-handle=1184 --allow-no-sandbox-job /prefetch:1
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Version: 20.13.20064.405839

PID: 1364
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1176,2972562935618874862,685022941370675598,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=9855116617188762727 --mojo-platform-channel-handle=1212 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 1
Version: 20.13.20064.405839

PID: 3164
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1176,2972562935618874862,685022941370675598,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=12257650329633509447 --mojo-platform-channel-handle=1392 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 1
Version: 20.13.20064.405839

PID: 856
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1176,2972562935618874862,685022941370675598,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=16761609303368944567 --mojo-platform-channel-handle=1256 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 1
Version: 20.13.20064.405839

PID: 2192
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1176,2972562935618874862,685022941370675598,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=30751743633381301 --renderer-client-id=6 --mojo-platform-channel-handle=1212 --allow-no-sandbox-job /prefetch:1
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Version: 20.13.20064.405839

PID: 2796
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1176,2972562935618874862,685022941370675598,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9074559688831606429 --renderer-client-id=7 --mojo-platform-channel-handle=1552 --allow-no-sandbox-job /prefetch:1
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Version: 20.13.20064.405839
Total events: 13 161
Read events: 13 054
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 115
Text files: 10
Unknown types: 3

Dropped files

PID | Process | Filename | Type
3132 | WinRAR.exe | C:\Users\admin\Desktop\Contract#4115\publish\purge.jpg | image
  MD5: 0B9167D578DDD702BB820640ED0F1A95
  SHA256: A11B700BABDC7B22BDAA833790716B432E82C9E196AAAAB344BD6D4EFEB7E94C
3132 | WinRAR.exe | C:\Users\admin\Desktop\Contract#4115\publish\depredating.txt | text
  MD5: EF9B0C9024A61D59A0C5BBD34D298416
  SHA256: BDFB4CDB6191E3CF7214C077DEE595B42372A6D1D36001D1427DED9E38B86973
3132 | WinRAR.exe | C:\Users\admin\Desktop\Contract#4115\publish\millivoltAuthentic.vbs | text
  MD5: 9F87D3709936AC2566304FEE09CC5BF5
  SHA256: F3ADF5363951C623CD8A456F06C1EBCAEBB0E344383C45D4CB434C7D38F77D1F
3656 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 | binary
  MD5: 19E124D4FBEC0815B158D87DF770332F
  SHA256: 2A5B45284B7AE733E927647FAA7B254E6ADD170F0B816228A54EDAB8BB53248D
3656 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 | binary
  MD5: B1EE840E95231067A66C36867AC94AB3
  SHA256: 64A4261F37338AE1F3D46D75B740D6A777E8E6546C531DD59DB4ED33881339A1
3656 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0 | binary
  MD5: 825107E3A821CA1EF86DCFDC0B75C500
  SHA256: F12C75B5BED7BD130F323FB9CCD2D972569199EB72A9F38C7F117192AA34D66C
3656 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0 | binary
  MD5: E9128D3DF1072D98E1DD79025E624A6B
  SHA256: 5698F87EB339E21BA082847B37D4F17B68F7C62D722DA549D959D46AA655F38F
3656 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 | binary
  MD5: 8561EE25CC8545BB39659607C850950D
  SHA256: 8CDBB2118B9EA47A728B04921A469BF1B22E15A40CC2292BAF16245383EDDEDA
3132 | WinRAR.exe | C:\Users\admin\Desktop\Contract#4115\publish\grandparents.txt | text
  MD5: 045925086490CB719CECC322E1B05603
  SHA256: 9FE812C674791B472E17F062C9F94200D558FC6FC85F851CCE0E06B4EECF3EEF
3132 | WinRAR.exe | C:\Users\admin\Desktop\Contract#4115\Contract.lnk | lnk
  MD5: 8D89AD1A6E4A5BDC87EA50243C52A285
  SHA256: CCCE762623F3769E4587168540E7C734D4A3F2703FAE0A3671A7D0ACAEC4CDB9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 24
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3124 | AcroRd32.exe | GET | 404 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?09cb85bd599be21e | US | xml | 341 b | whitelisted
3124 | AcroRd32.exe | GET | 404 | 23.48.23.34:80 | http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_13_20064.zip | US | xml | 341 b | whitelisted
444 | svchost.exe | GET | 404 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9fb93d2205d0bb6e | US | xml | 341 b | whitelisted
3124 | AcroRd32.exe | GET | 404 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?17b3299800b568a7 | US | xml | 341 b | whitelisted
288 | AdobeARM.exe | GET | 404 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?32869bf9f8d1089a | US | xml | 341 b | whitelisted
3124 | AcroRd32.exe | GET | 404 | 23.48.23.34:80 | http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_13_20064.zip | US | xml | 341 b | whitelisted
3124 | AcroRd32.exe | GET | 404 | 23.48.23.34:80 | http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_13_20064.zip | US | xml | 341 b | whitelisted
3124 | AcroRd32.exe | GET | 404 | 23.48.23.34:80 | http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/279_20_13_20064.zip | US | xml | 341 b | whitelisted
444 | svchost.exe | GET | 404 | 13.107.4.50:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e037bb012301c2a6 | US | xml | 341 b | whitelisted
288 | AdobeARM.exe | GET | 404 | 23.35.228.137:80 | http://armmf.adobe.com/arm-manifests/win/ReaderDCManifest3.msi | US | xml | 341 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
444 | svchost.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted
3124 | AcroRd32.exe | 23.48.23.34:443 | acroipm2.adobe.com | Akamai International B.V. | DE | suspicious
880 | svchost.exe | 23.35.228.137:443 | armmf.adobe.com | AKAMAI-AS | DE | suspicious
3124 | AcroRd32.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious
3656 | RdrCEF.exe | 52.5.13.197:443 | p13n.adobe.io | AMAZON-AES | US | suspicious
3124 | AcroRd32.exe | 23.48.23.34:80 | acroipm2.adobe.com | Akamai International B.V. | DE | suspicious
3656 | RdrCEF.exe | 23.210.252.251:443 | geo2.adobe.com | AKAMAI-AS | DE | whitelisted
288 | AdobeARM.exe | 23.35.228.137:80 | armmf.adobe.com | AKAMAI-AS | DE | suspicious
288 | AdobeARM.exe | 23.35.228.137:443 | armmf.adobe.com | AKAMAI-AS | DE | suspicious
288 | AdobeARM.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted

DNS requests

Domain | IP | Reputation
geo2.adobe.com | 23.210.252.251 | whitelisted
p13n.adobe.io | 52.5.13.197, 54.227.187.23, 23.22.254.206, 52.202.204.11 | whitelisted
armmf.adobe.com | 23.210.252.251, 23.35.228.137 | whitelisted
acroipm2.adobe.com | 23.48.23.34, 23.48.23.54 | whitelisted
ctldl.windowsupdate.com | 23.216.77.69, 23.216.77.80, 209.197.3.8, 13.107.4.50 | whitelisted

Threats

PID | Process | Class | Message
880 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
880 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
5 ETPRO signatures available at the full report
No debug info