File name: Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.img

Full analysis: https://app.any.run/tasks/0c533e2c-0775-463c-b3b7-907b50afd221
Verdict: Malicious activity
Analysis date: October 20, 2020, 11:51:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-iso9660-image
File info: UDF filesystem data (version 1.5) 'DESKTOP'
MD5: 1FA7F9C02BA6D4DCFBF08AF29234D624
SHA1: 9156EFFF7FB1B3367FA8F1235964356C1C2AF344
SHA256: 74EA8659642E199A592E032E8C10632D6947B4CBED9DBA153B8EA87F1A0D5FAB
SSDEEP: 24576:0SI7wi7c6PWOJ6mZsX4beoujj2hmbwlrjJl:3I7lPWa6Kc4bev2ygJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (PID: 3332)
      • Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (PID: 3708)
      • Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (PID: 1756)
      • Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (PID: 3148)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3624)
    • Uses Task Scheduler to run other applications

      • Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (PID: 3148)
  • SUSPICIOUS

    • Application launched itself

      • Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (PID: 3148)
    • Creates files in the user directory

      • Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (PID: 3148)
    • Executable content was dropped or overwritten

      • Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (PID: 3148)
  • INFO

    • Manual execution by user

      • Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (PID: 3148)
      • explorer.exe (PID: 532)
      • Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (PID: 3332)
      • WinRAR.exe (PID: 2456)
      • notepad++.exe (PID: 2384)
      • Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (PID: 1756)
      • rundll32.exe (PID: 2152)
    • Application launched itself

      • AcroRd32.exe (PID: 2860)
      • RdrCEF.exe (PID: 2900)
    • Changes IE settings (feature browser emulation)

      • AcroRd32.exe (PID: 2860)
    • Reads the hosts file

      • RdrCEF.exe (PID: 2900)
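The MALICIOUS and SUSPICIOUS signatures above (an executable dropped by another process, a process launching itself, and schtasks.exe being used for persistence) can be re-derived from plain process-creation and file-write telemetry. The Python below is an added example, not ANY.RUN's signature engine, that runs those three checks over a constructed process tree and prints the ancestry of any flagged process. The PIDs, image names and the WinRAR extraction path come from this report; the parent links of the malicious processes and the WinRAR install path are assumptions, because the page's process table only details the benign viewers the analyst tried on the image. The analyst's own notepad++.exe and gup.exe (PIDs 2384 and 3828) are included so the checks can be seen staying quiet on that activity. The Task Scheduler check deliberately keys on where the parent of schtasks.exe runs from (a user-writable path) rather than on the COM-API load, which is true of every schtasks.exe.

```python
"""Re-derive three ANY.RUN-style behaviour signatures from process telemetry.

Added example (not ANY.RUN's code). Input is a constructed process tree and
file-write list modelled on the report; fields marked 'assumed' are not on
the page.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid path")

SAMPLE_NAME = ("Urgent Inquiry_073262835_19-10-2020_scanned from a xerox "
               "multifunctional device001.exe")
DROP_DIR = r"C:\Users\admin\AppData\Local\Temp\Rar$DRa2456.23433"  # from "Dropped files"

# Constructed process tree. PIDs and image names are from the report.
PROCESSES = [
    Proc(532, 0, r"C:\Windows\explorer.exe"),
    Proc(2456, 532, r"C:\Program Files\WinRAR\WinRAR.exe"),       # path assumed
    Proc(3148, 2456, DROP_DIR + "\\" + SAMPLE_NAME),                 # ppid assumed
    Proc(3332, 3148, DROP_DIR + "\\" + SAMPLE_NAME),                 # ppid assumed
    Proc(3624, 3148, r"C:\Windows\System32\schtasks.exe"),          # ppid assumed
    Proc(2384, 532, r"C:\Program Files\Notepad++\notepad++.exe"),
    Proc(3828, 2384, r"C:\Program Files\Notepad++\updater\gup.exe"),
]

# Constructed file-write events as (writer pid, path). The first one is the
# WinRAR extraction listed under "Dropped files" in the report.
FILE_WRITES = [
    (2456, DROP_DIR + "\\" + SAMPLE_NAME),
    (3148, r"C:\Users\admin\AppData\Local\Temp\tmp65A1.tmp"),
]

# Anything under a user profile is writable by the user and therefore by
# whatever the user double-clicked.
USER_WRITABLE = re.compile(r"^c:\\users\\", re.I)


def basename(path: str) -> str:
    """Lower-cased image file name, since Windows paths are case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(processes, file_writes):
    """Return {signature: sorted pids} for the three checks."""
    by_pid = {p.pid: p for p in processes}
    written_by = {path.lower(): writer for writer, path in file_writes}
    findings = {"dropped_executable": set(),
                "launched_itself": set(),
                "schtasks_from_user_dir": set()}
    for p in processes:
        parent = by_pid.get(p.ppid)
        # 1. Image file was written by a different monitored process.
        writer = written_by.get(p.path.lower())
        if writer is not None and writer != p.pid:
            findings["dropped_executable"].add(p.pid)
        # 2. Parent has the same image name: flag the parent, as the report does.
        if parent and basename(parent.path) == basename(p.path):
            findings["launched_itself"].add(parent.pid)
        # 3. schtasks.exe spawned by something living in a user-writable path.
        if basename(p.path) == "schtasks.exe" and parent and USER_WRITABLE.match(parent.path):
            findings["schtasks_from_user_dir"].add(parent.pid)
    return {name: sorted(pids) for name, pids in findings.items()}


def lineage(processes, pid):
    """Image names from the root ancestor down to `pid` (cycle-safe)."""
    by_pid = {p.pid: p for p in processes}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].path))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for signature, pids in analyse(PROCESSES, FILE_WRITES).items():
        for pid in pids:
            print(f"{signature}: PID {pid}: " + " > ".join(lineage(PROCESSES, pid)))
```

Run as-is it reports PIDs 3148 and 3332 as dropped executables, 3148 as launching itself and 3148 as the process behind schtasks.exe, matching the report's attributions; feed `analyse` real Sysmon event 1/11 records mapped onto `Proc` and `(writer, path)` tuples to use it outside the sandbox.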
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

Composite

VolumeSize: 1400 kB

ISO

VolumeModifyDate: 2020:10:18 17:10:55.00-07:00
VolumeCreateDate: 2020:10:18 17:10:55.00-07:00
Software: IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!
VolumeSetName: UNDEFINED
RootDirectoryCreateDate: 2020:10:18 17:10:55-07:00
VolumeBlockSize: 2048
VolumeBlockCount: 700
VolumeName: DESKTOP
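The ISO fields above were read by ExifTool from the ISO 9660 primary volume descriptor (PVD) at sector 16. ImgBurn writes that descriptor alongside the UDF structures that `file` reported, which is why `file`, TRiD and ExifTool disagree on the container's name while agreeing on its contents. The Python script below is an added example, not ANY.RUN's or ExifTool's code, that pulls the same triage fields (volume name, block geometry, mastering application and timestamps) out of any .img or .iso that carries a PVD; field offsets follow ECMA-119 section 8.4. The image it parses by default is constructed inline from the values in this report, so it runs offline; pass a real image path to parse that instead.

```python
"""Extract triage metadata from an ISO 9660 primary volume descriptor.

Added example (not ANY.RUN's or ExifTool's code). Offsets are 0-based within
the 2048-byte descriptor at sector 16, per ECMA-119 section 8.4. The sample
image built by build_sample_image() is constructed from the report's values.
"""
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 2048
PVD_SECTOR = 16  # sectors 0-15 are the unused "system area"


def _decode_dec_datetime(raw: bytes):
    """Decode the 17-byte ECMA-119 date field.

    Layout: 16 ASCII digits YYYYMMDDHHMMSScc (cc = hundredths of a second)
    followed by one signed byte giving the UTC offset in 15-minute units.
    An all-zero field means "not specified".
    """
    digits = raw[:16]
    if digits == b"0" * 16 or not digits.strip(b"\x00"):
        return None
    tz_quarters = struct.unpack("b", raw[16:17])[0]
    tz = timezone(timedelta(minutes=15 * tz_quarters))
    dt = datetime.strptime(digits.decode("ascii")[:14], "%Y%m%d%H%M%S")
    return dt.replace(microsecond=int(digits[14:16]) * 10000, tzinfo=tz)


def parse_pvd(image: bytes) -> dict:
    """Return the PVD fields an analyst looks at first; ValueError if absent."""
    start = PVD_SECTOR * SECTOR
    pvd = image[start:start + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    # "Both-byte-order" fields store a little-endian copy followed by a
    # big-endian copy; reading the little-endian half is enough here.
    block_count = struct.unpack_from("<I", pvd, 80)[0]
    block_size = struct.unpack_from("<H", pvd, 128)[0]
    return {
        "volume_name": pvd[40:72].decode("ascii", "replace").rstrip(),
        "block_size": block_size,
        "block_count": block_count,
        "volume_size_bytes": block_size * block_count,
        "application": pvd[574:702].decode("ascii", "replace").rstrip(),
        "created": _decode_dec_datetime(pvd[813:830]),
        "modified": _decode_dec_datetime(pvd[830:847]),
    }


def build_sample_image() -> bytes:
    """Constructed sample: system area + one PVD with the report's values + terminator."""
    pvd = bytearray(SECTOR)
    pvd[0] = 1                      # descriptor type: primary
    pvd[1:6] = b"CD001"             # standard identifier
    pvd[6] = 1                      # descriptor version
    pvd[40:72] = b"DESKTOP".ljust(32)
    struct.pack_into("<I", pvd, 80, 700)      # volume space size, LE copy
    struct.pack_into(">I", pvd, 84, 700)      # ... BE copy
    struct.pack_into("<H", pvd, 128, 2048)    # logical block size, LE copy
    struct.pack_into(">H", pvd, 130, 2048)    # ... BE copy
    pvd[574:702] = b"IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!".ljust(128)
    stamp = b"2020101817105500" + struct.pack("b", -7 * 4)  # 17:10:55.00 at UTC-07:00
    pvd[813:830] = stamp            # volume creation date
    pvd[830:847] = stamp            # volume modification date
    terminator = bytearray(SECTOR)
    terminator[0] = 255             # volume descriptor set terminator
    terminator[1:6] = b"CD001"
    terminator[6] = 1
    return bytes(SECTOR * PVD_SECTOR) + bytes(pvd) + bytes(terminator)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for key, value in parse_pvd(data).items():
        print(f"{key}: {value}")
```

The mastering-application string and the creation timestamp are the two fields worth pivoting on: ImgBurn with a burner-default volume name such as DESKTOP, a creation time a day or two before the lure date, and a single small executable inside are a recurring pattern for disc-image phishing attachments, and the timestamp's UTC offset is set by the attacker's machine, not the recipient's.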
All screenshots are available in the full report
Total processes: 63
Monitored processes: 16
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Edge legend: start; drop and start. Process nodes in graph order ("no specs" marks a process with no specific signatures):
  • rundll32.exe (no specs)
  • isoburn.exe (no specs)
  • explorer.exe (no specs)
  • rundll32.exe (no specs)
  • acrord32.exe (no specs)
  • acrord32.exe (no specs)
  • rdrcef.exe (no specs)
  • rdrcef.exe (no specs)
  • notepad++.exe
  • gup.exe
  • winrar.exe (no specs)
  • urgent inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe
  • urgent inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (no specs)
  • urgent inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe
  • schtasks.exe (no specs)
  • urgent inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe (no specs)

Process information

PID: 2560
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.img
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 116
CMD: "C:\Windows\System32\isoburn.exe" "C:\Users\admin\AppData\Local\Temp\Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.img"
Path: C:\Windows\System32\isoburn.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Disc Image Burning Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 532
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2152
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.img
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2860
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\Desktop\Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.img"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: rundll32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Acrobat Reader DC
Exit code: 1
Version: 15.23.20070.215641

PID: 3212
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\Desktop\Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.img"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe Acrobat Reader DC
Exit code: 1
Version: 15.23.20070.215641

PID: 2900
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe RdrCEF
Exit code: 3221225547 (0xC000004B)
Version: 15.23.20053.211670

PID: 3496
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2900.0.522037562\1313796743" --allow-no-sandbox-job /prefetch:673131151
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 0
Version: 15.23.20053.211670

PID: 2384
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.img"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51

PID: 3828
CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path: C:\Program Files\Notepad++\updater\gup.exe
Parent process: notepad++.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: GUP : a free (LGPL) Generic Updater
Exit code: 0
Version: 4.1
Total events: 1 352
Read events: 1 107
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 3
Text files: 2
Unknown types: 5

Dropped files

PID 3212 (AcroRd32.exe)
Filename: C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
Type:
MD5:
SHA256:

PID 3212 (AcroRd32.exe)
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.3212
Type:
MD5:
SHA256:

PID 3212 (AcroRd32.exe)
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.3212
Type:
MD5:
SHA256:

PID 2456 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2456.23433\Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe
Type:
MD5:
SHA256:

PID 3148 (Urgent Inquiry_073262835_19-10-2020_scanned from a xerox multifunctional device001.exe)
Filename: C:\Users\admin\AppData\Local\Temp\tmp65A1.tmp
Type:
MD5:
SHA256:

PID 3212 (AcroRd32.exe)
Filename: C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Type: sqlite
MD5: 942DB0172D96E165921026BDEB334BF5
SHA256: 665E082A43651E6F94833B60AA4A9D06E04643133CD351B92153587AD7A773F2

PID 2384 (notepad++.exe)
Filename: C:\Users\admin\AppData\Roaming\Notepad++\session.xml
Type: text
MD5: 466E5991D0FB264A83F075B12A530B7F
SHA256: F96D5CEAFE025FA61F375BDD7B933CBE57131455D6F7EBAE234B4374D5992422

PID 2860 (AcroRd32.exe)
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst
Type: ps
MD5: 3A9453CC2C495F23ECDB3E5D39795FE8
SHA256: ECFDAA4E922FF49CAC2A8A970DBFEAFA59382297680ED167B436186810BFC82A

PID 2384 (notepad++.exe)
Filename: C:\Users\admin\AppData\Roaming\Notepad++\config.xml
Type: xml
MD5: EBF087AC1CC677F3BA53F22C406FA43B
SHA256: DF73F889E7A6135DD06025390A2E59B080D06D0BAA0ACEB0FB65769C296B2E1C

PID 2860 (AcroRd32.exe)
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst
Type: ps
MD5: 76C993D6E29FBE12DA4525151364653B
SHA256: F1CBECC2D9952366CE231E4B651EC8354C17288AEB1908B4A01B6E5A29F6270E
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

Method: GET
HTTP Code: 200
IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
CN: US
Type: der
Size: 1.47 Kb
Reputation: whitelisted

Connections

IP: 93.184.220.29:80
Domain: ocsp.digicert.com
ASN: MCI Communications Services, Inc. d/b/a Verizon Business
CN: US
Reputation: whitelisted

PID: 3828
Process: gup.exe
IP: 172.67.218.84:443
Domain: notepad-plus-plus.org
CN: US
Reputation: malicious

DNS requests

Domain: notepad-plus-plus.org
IP:
  • 172.67.218.84
  • 104.31.88.28
  • 104.31.89.28
Reputation: whitelisted

Domain: ocsp.digicert.com
IP:
  • 93.184.220.29
Reputation: whitelisted

Threats

No threats detected
Debug output

Process: notepad++.exe
Message: VerifyLibrary: certificate revocation checking is disabled

Process: notepad++.exe
Message: VerifyLibrary: certificate revocation checking is disabled

Process: notepad++.exe
Message: 42C4C5846BB675C74E2B2C90C69AB44366401093