Field | Value |
---|---|
File name | PI-10677.iso |
Full analysis | https://app.any.run/tasks/e73561bf-a5b2-47d4-b1d9-da5d5a5ce182 |
Verdict | Malicious activity |
Threats | Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold. |
Analysis date | July 17, 2019, 06:17:33 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-iso9660-image |
File info | ISO 9660 CD-ROM filesystem data 'PI-10677' |
MD5 | DEA8626B7C844E1F68C673795D412056 |
SHA1 | 241158BCD021913C7A187D2164E58163C821F340 |
SHA256 | 5B27A0377622A48D395BDCC4A9325B670C17008E19BD552726756C962240B53A |
SSDEEP | 24576:UAHnh+eWsN3skA4RV1Hom2KXMmHaERAQJQB7Lkowfs7g1josHcW5:jh+ZkldoPK8YaERjcPkowVjoI |
Extension | Identified type (score) |
---|---|
.iso | ISO 9660 CD image (27.6) |
.atn | Photoshop Action (27.1) |
.gmc | Game Music Creator Music (6.1) |
Property | Value |
---|---|
VolumeSize | 1482 kB |
VolumeModifyDate | 2019:07:16 11:11:27.00+01:00 |
VolumeCreateDate | 2019:07:16 11:11:27.00+01:00 |
Software | PowerISO |
RootDirectoryCreateDate | 2019:07:16 11:11:27+01:00 |
VolumeBlockSize | 2048 |
VolumeBlockCount | 741 |
VolumeName | PI-10677 |
System | Win32 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3008 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\PI-10677.iso | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3664 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PI-10677.iso" | C:\Program Files\WinRAR\WinRAR.exe | | rundll32.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
1824 | "C:\Users\admin\Desktop\PI-10677.exe" | C:\Users\admin\Desktop\PI-10677.exe | | explorer.exe | User: admin; Company: SystemPropertiesAdvanced; Integrity Level: MEDIUM; Description: atl110; Exit code: 0; Version: 730.93.52.907 |
3340 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | | PI-10677.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400) |
2608 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1824 | PI-10677.exe | C:\Users\Public\UeCQTfoqPv.vbs | text | E6E8FE0A62DDC9CEEAF7306BD5B1A537 | 79E433C8E9722E922EADA78E5FD9D18B3A1DF2134BA00C85C225ADF8F4CF76FD |
3340 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\636989447667330000_bfd93599-2691-43f7-a95d-4028dba76d56.db | sqlite | 0B3C43342CE2A99318AA0FE9E531C57B | 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 |
3664 | WinRAR.exe | C:\Users\admin\Desktop\PI-10677.exe | executable | 9B0F63F09B7320BB6D7196F3D3947F90 | ED18477D1FAACFF3DC742305261BDF9997FE239E3E53F75122CB9E244D6A2AB4 |
1824 | PI-10677.exe | C:\Users\admin\AppData\Local\Temp\PkgMgr\dasHost.bat | executable | C2E44713107465BF84A3806FD37A89DF | 28B7B19ADBC0EBC577C532383E540AA2D4BE1537DD43373E394F57D9A2944B30 |
3340 | RegAsm.exe | C:\Users\admin\AppData\Roaming\MyApp\MyApp.exe | executable | 278EDBD499374BF73621F8C1F969D894 | C6999B9F79932C3B4F1C461A69D9DC8DC301D6A155ABC33EFE1B6E9E4A038391 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3340 | RegAsm.exe | GET | 200 | 34.197.157.64:80 | http://checkip.amazonaws.com/ | US | text | 12 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3340 | RegAsm.exe | 208.91.199.224:587 | smtp.ugcsa-com.com | PDR | US | shared |
3340 | RegAsm.exe | 34.197.157.64:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
Domain | IP | Reputation |
---|---|---|
checkip.amazonaws.com | | shared |
smtp.ugcsa-com.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3340 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |