File name: | PO.29477399274_pdf.iso |
Full analysis: | https://app.any.run/tasks/22ba649c-7532-42c7-99c2-93c207e37e0f |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 07:26:01 |
OS: | Windows 10 Professional (build: 16299, 64 bit) |
Indicators: | |
MIME: | application/x-iso9660-image |
File info: | ISO 9660 CD-ROM filesystem data 'PO.29477399274_pdf' |
MD5: | EEC17BBAF8BB72FE3AA03AAB524B7779 |
SHA1: | F672A5C2ED7138CE829FAF458F92AEBE084FAA3C |
SHA256: | B459B6246CC86A109676BE895C40D83F794449F6274FAFEDE4AB658C0485A8D3 |
SSDEEP: | 12288:18eA4ccTaFNjiHPp5pLmyZZGEuZVPZfVhDbcLKh7pQx:9rVa3Ox5oynuZ5hVJbcg7pQx |
.iso | | | ISO 9660 CD image (27.6) |
---|---|---|
.atn | | | Photoshop Action (27.1) |
.gmc | | | Game Music Creator Music (6.1) |
VolumeSize: | 792 kB |
---|
VolumeModifyDate: | 2019:07:04 16:26:10.00-07:00 |
---|---|
VolumeCreateDate: | 2019:07:04 16:26:10.00-07:00 |
Software: | PowerISO |
RootDirectoryCreateDate: | 2019:07:04 16:26:10-07:00 |
VolumeBlockSize: | 2048 |
VolumeBlockCount: | 396 |
VolumeName: | PO.29477399274_pdf |
System: | Win32 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1092 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\PO.29477399274_pdf.iso" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
556 | "D:\PO.29477399274_pdf.exe" | D:\PO.29477399274_pdf.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1284 | "D:\PO.29477399274_pdf.exe" | D:\PO.29477399274_pdf.exe | — | PO.29477399274_pdf.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
5860 | "D:\PO.29477399274_pdf.exe" 2 1284 1751187 | D:\PO.29477399274_pdf.exe | — | PO.29477399274_pdf.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2760 | D:\PO.29477399274_pdf.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe | PO.29477399274_pdf.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.16299.15 (WinBuild.160101.0800) | ||||
2916 | "D:\PO.29477399274_pdf.exe" | D:\PO.29477399274_pdf.exe | — | PO.29477399274_pdf.exe |
User: admin Integrity Level: MEDIUM |
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | — | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\22\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\PO.29477399274_pdf.iso | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF68000000680000002804000051020000 | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\Desktop |
PID | Process | Filename | Type | |
---|---|---|---|---|
1284 | PO.29477399274_pdf.exe | C:\Users\admin\AppData\Local\Temp\~DF301D40E65DBAB007.TMP | — | |
MD5:— | SHA256:— | |||
2760 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\admin.bmp | image | |
MD5:DC2C42110B7D84F144C6D905A3DDA74E | SHA256:4E07A1A6FBB5F29252A7C7AD7C3C80B32B4CC8BAEB832DBE40C38BBF85D984E7 | |||
2760 | iexplore.exe | C:\Users\admin\AppData\Roaming\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4\ut | image | |
MD5:9A0951D6E69265802A0154A5C6521C72 | SHA256:28C19C4CC0594141C2752FA2E3CDB93AE2BBE128DB13734C5DBB9C5C7555F567 | |||
2760 | iexplore.exe | C:\Users\admin\AppData\Roaming\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe | executable | |
MD5:22F8E759C431DFDD5C62F9A584329BDF | SHA256:5D37EDCB9700DF18346541C40AAAFFA93BC450D00F75B89BD0A9F54526C50FA2 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2760 | iexplore.exe | 185.244.31.145:1989 | csimich.duckdns.org | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
csimich.duckdns.org |
| malicious |
nexusrules.officeapps.live.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |