File name: 25301PMISTR.z

Full analysis: https://app.any.run/tasks/07e10951-c3ed-4161-9768-707aa1200b56
Verdict: Malicious activity
Analysis date: March 14, 2019, 13:19:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data '25301PMISTR'
MD5: 1AE9308F9AA6E3E374BD7FDD37A2B320
SHA1: 7E01B4A8D673D6E372B0525DD735F28D51DB0027
SHA256: 8E25FC4C9D8F3FAD6B793E728CB1D96542B42D04F0BDBBAE6AB4E43D2611B428
SSDEEP: 24576:v3EYw7Ql9J6b5LFR3yZP68x+qlyukc8cM2GUmH4hs8Fm1Kh9:c8c8xdXGsFCM9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rewjavaef.exe (PID: 3384)
      • TASK.exe (PID: 2284)
      • TASK.exe (PID: 2460)
      • TASK.exe (PID: 792)
      • TASK.exe (PID: 1104)
      • TASK.exe (PID: 2560)
      • TASK.exe (PID: 3604)
      • TASK.exe (PID: 2464)
    • Writes to a start menu file

      • TASK.exe (PID: 2284)
  • SUSPICIOUS

    • Starts itself from another location

      • rewjavaef.exe (PID: 3384)
    • Creates executable files which already exist in Windows

      • rewjavaef.exe (PID: 3384)
      • TASK.exe (PID: 2284)
    • Creates files in the user directory

      • rewjavaef.exe (PID: 3384)
      • TASK.exe (PID: 2284)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2592)
      • rewjavaef.exe (PID: 3384)
    • Application launched itself

      • TASK.exe (PID: 2284)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

Composite

VolumeSize: 920 kB

ISO

VolumeModifyDate: 2019:03:12 02:01:55.00+03:00
VolumeCreateDate: 2019:03:12 02:01:55.00+03:00
Software: PowerISO
RootDirectoryCreateDate: 2019:03:12 02:01:55+03:00
VolumeBlockSize: 2048
VolumeBlockCount: 460
VolumeName: 25301PMISTR
System: Win32
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph (edges labelled "start" and "drop and start"): winrar.exe, wscript.exe (2 instances), rewjavaef.exe, explorer.exe, task.exe (7 instances), cmd.exe

Process information

PID: 3064
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\25301PMISTR.z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2592
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\25301PMISTR.jse"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3608
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\25301PMISTR.jse"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3384
CMD: "C:\Users\admin\AppData\Local\Temp\rewjavaef.exe"
Path: C:\Users\admin\AppData\Local\Temp\rewjavaef.exe
Parent process: WScript.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3932
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2284
CMD: "C:\Users\admin\AppData\Roaming\svchost.exe\TASK.exe"
Path: C:\Users\admin\AppData\Roaming\svchost.exe\TASK.exe
Parent process: rewjavaef.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 792
CMD: "C:\Users\admin\AppData\Roaming\svchost.exe\TASK.exe"
Path: C:\Users\admin\AppData\Roaming\svchost.exe\TASK.exe
Parent process: TASK.exe
User: admin
Integrity Level: MEDIUM

PID: 2460
CMD: "C:\Users\admin\AppData\Roaming\svchost.exe\TASK.exe" 2 792 2265125
Path: C:\Users\admin\AppData\Roaming\svchost.exe\TASK.exe
Parent process: TASK.exe
User: admin
Integrity Level: MEDIUM

PID: 3460
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1104
CMD: C:\Users\admin\AppData\Roaming\svchost.exe\TASK.exe
Path: C:\Users\admin\AppData\Roaming\svchost.exe\TASK.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Total events: 756
Read events: 731
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 3064
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3064.12795\25301PMISTR.jse
Type:
MD5:
SHA256:

PID: 3384
Process: rewjavaef.exe
Filename: C:\Users\admin\AppData\Roaming\svchost.exe\TASK.exe:ZoneIdentifier
Type:
MD5:
SHA256:

PID: 2284
Process: TASK.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.vbs
Type: text
MD5: 44E984D9B3FD569C48AB70332DC7CCA6
SHA256: 14A3545870537948435A6A065597E2DDED2B8D41AF35BE176A52A3EA52792B4C

PID: 2592
Process: WScript.exe
Filename: C:\Users\admin\AppData\Local\Temp\rewjavaef.exe
Type: executable
MD5: 79F73819F3DA9968918B5FA257A40744
SHA256: 966BF2F4E72E7DD86E3951D8E78ED3950B83F0A5053E8A2E62016512042C9F35

PID: 3384
Process: rewjavaef.exe
Filename: C:\Users\admin\AppData\Roaming\svchost.exe\TASK.exe
Type: executable
MD5: 79F73819F3DA9968918B5FA257A40744
SHA256: 966BF2F4E72E7DD86E3951D8E78ED3950B83F0A5053E8A2E62016512042C9F35
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info