File name: doc20240715-00034.img

Full analysis: https://app.any.run/tasks/8ae4d481-9ccc-47a7-bea5-48273642b08d
Verdict: Malicious activity
Analysis date: July 15, 2024, 09:51:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-iso9660-image
File info: UDF filesystem data (version 1.5) 'DOC20240715_00034'
MD5: 04485F14C468C9A61C3AABD55BDAB899
SHA1: BEEC65E7FA05E5D5233CEB39B5F4B0B12EED498C
SHA256: B8EAE0991F6147C8B5755D19A6093627363FD459B8BBEC352A14EF7AB463EA9A
SSDEEP: 24576:CO5PTZxTzNs6C9XQ+fYCVsE8GOrLjg/5OJ:CO5PTZxT26C9A+fYCVsE87rLjg/5s
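The file-type verdicts above (the ISO 9660 MIME type, "UDF filesystem data (version 1.5)", and further down the report a .bat classified as executable) all come from fixed byte signatures that can be re-checked offline before the sample is ever detonated. The Python below is an added example written for this page, not ANY.RUN's or libmagic's code: it walks the volume descriptor sequence that optical-disc images place at sector 16 (CD001 descriptors for ISO 9660, then the BEA01/NSR0x/TEA01 recognition sequence for UDF, where NSR02 is what libmagic reports as "version 1.5"), checks for an MZ/PE header, flags a PE that carries a script or document extension, and prints the MD5/SHA1/SHA256 in the report's upper-case form. The two blobs it runs on are constructed inside the block (a minimal ISO/UDF bridge layout and a bare PE header); they are stand-ins, not the real sample.

```python
import hashlib
import struct

SECTOR = 2048
DESCRIPTORS_AT = 16 * SECTOR   # ISO 9660 volume descriptors and the UDF volume
                               # recognition sequence both start at sector 16
NSR_VERSION = {b"NSR01": "1.0", b"NSR02": "1.5", b"NSR03": "2.0"}  # libmagic's mapping
# Extensions that imply "script or document"; a PE wearing one of these is renamed.
SCRIPT_OR_DOC_EXTS = {".bat", ".cmd", ".vbs", ".js", ".txt", ".pdf", ".doc", ".docx", ".jpg", ".png"}


def identify(data):
    """Return format tags for a blob: any subset of iso9660, udf, udf-<ver>, pe."""
    tags = set()
    off = DESCRIPTORS_AT
    while off + 6 <= len(data):
        ident = bytes(data[off + 1:off + 6])   # byte 0 is the descriptor type
        if ident == b"CD001":
            tags.add("iso9660")                 # PVD, SVD or set terminator
        elif ident in NSR_VERSION:
            tags.add("udf")
            tags.add("udf-" + NSR_VERSION[ident])
        elif ident not in (b"BEA01", b"BOOT2"):
            break                               # TEA01 (end of sequence) or unrelated data
        off += SECTOR
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            tags.add("pe")
    return tags


def extension_mismatch(filename, tags):
    """True when a PE image carries an extension that implies a script or document."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "pe" in tags and ext in SCRIPT_OR_DOC_EXTS


def digests(data):
    """MD5/SHA1/SHA256 in the upper-case form the report uses."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}


def build_udf_bridge_image(sectors=24):
    """Constructed stand-in for an ImgBurn-style ISO 9660 / UDF 1.5 bridge image."""
    img = bytearray(sectors * SECTOR)

    def put(sector, type_byte, ident):
        base = sector * SECTOR
        img[base] = type_byte
        img[base + 1:base + 6] = ident

    put(16, 1, b"CD001")     # primary volume descriptor
    put(17, 255, b"CD001")   # volume descriptor set terminator
    put(18, 0, b"BEA01")     # beginning extended area descriptor
    put(19, 0, b"NSR02")     # ECMA-167 2nd edition: libmagic says "UDF ... (version 1.5)"
    put(20, 0, b"TEA01")     # terminating extended area descriptor
    return bytes(img)


def build_pe_stub():
    """Constructed MZ/PE header only: not loadable, just enough for the signature check."""
    hdr = bytearray(0x48)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    for name, blob in (("doc20240715-00034.img", build_udf_bridge_image()),
                       ("DOC20240715_00034.bat", build_pe_stub())):
        tags = identify(blob)
        print(name, sorted(tags), "MISMATCH" if extension_mismatch(name, tags) else "", digests(blob))
```

Two sanity checks this gives on the report's own numbers: VolumeBlockCount 599 times VolumeBlockSize 2048 is exactly 1198 KiB, the VolumeSize the EXIF section lists, so the image is complete rather than truncated; and a real .bat fed to identify() yields no tags at all, which is the point of the mismatch check: the loader only executes PE files, so a process whose image path ends in .bat (as PIDs 3492 and 3532 do below) is a renamed executable.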

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • DOC20240715_00034.bat (PID: 3532)
      • DOC20240715_00034.bat (PID: 3492)
  • SUSPICIOUS

    • Suspicious files were dropped or overwritten

      • WinRAR.exe (PID: 3380)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3380)
    • Starts application with an unusual extension

      • WinRAR.exe (PID: 3380)
    • Executable content was dropped or overwritten

      • DOC20240715_00034.bat (PID: 3532)
      • DOC20240715_00034.bat (PID: 3492)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • DOC20240715_00034.bat (PID: 3532)
      • DOC20240715_00034.bat (PID: 3492)
    • The process creates files with name similar to system file names

      • DOC20240715_00034.bat (PID: 3532)
      • DOC20240715_00034.bat (PID: 3492)
  • INFO

    • Reads the computer name

      • DOC20240715_00034.bat (PID: 3532)
      • DOC20240715_00034.bat (PID: 3492)
    • Checks supported languages

      • DOC20240715_00034.bat (PID: 3532)
      • DOC20240715_00034.bat (PID: 3492)
    • Creates files or folders in the user directory

      • DOC20240715_00034.bat (PID: 3532)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3380)
    • Create files in a temporary directory

      • DOC20240715_00034.bat (PID: 3532)
      • DOC20240715_00034.bat (PID: 3492)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

ISO

VolumeName: DOC20240715_00034
VolumeBlockCount: 599
VolumeBlockSize: 2048
RootDirectoryCreateDate: 2024:07:15 09:27:19+03:00
VolumeSetName: UNDEFINED
Software: IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!
VolumeCreateDate: 2024:07:15 09:27:19.00+03:00
VolumeModifyDate: 2024:07:15 09:27:19.00+03:00

Composite

VolumeSize: 1198 KiB
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start -> winrar.exe (PID 3380) -> doc20240715_00034.bat (PID 3492), doc20240715_00034.bat (PID 3532)

Process information

PID 3380
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\doc20240715-00034.img.iso
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Description: WinRAR archiver
  Version: 5.91.0
  Integrity Level: MEDIUM
  Modules (images):
    c:\program files\winrar\winrar.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\comdlg32.dll

PID 3492
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa3380.43645\DOC20240715_00034.bat"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa3380.43645\DOC20240715_00034.bat
  Parent process: WinRAR.exe (PID 3380)
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\appdata\local\temp\rar$dia3380.43645\doc20240715_00034.bat
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\shell32.dll

PID 3532
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa3380.39802\DOC20240715_00034.bat"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa3380.39802\DOC20240715_00034.bat
  Parent process: WinRAR.exe (PID 3380)
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\appdata\local\temp\rar$dia3380.39802\doc20240715_00034.bat
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\shell32.dll

Reading the chain: the sandbox handed the .img to WinRAR under the name doc20240715-00034.img.iso because Windows 7 has no built-in ISO/UDF mounting. On Windows 8 and later, Explorer mounts such an image as a drive letter on double-click, so a victim on a current desktop sees DOC20240715_00034.bat in a mounted drive rather than in an archive window; the delivery mechanism is the same, only the opener differs. DOC20240715_00034.bat is not a batch script: it is the process image of PIDs 3492 and 3532 (a genuine .bat would run under cmd.exe, and cmd.exe would be the image listed here), and the dropped-files section below classifies it as executable. The two distinct Rar$DIa3380.* extraction directories show it was opened from the archive twice, producing two instances.
Total events: 25 558
Read events: 24 874
Write events: 684
Delete events: 0

Modification events

All recorded registry writes are by PID 3380 (WinRAR.exe):

  • HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes, write, ShellExtBMP = (empty)
  • HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes, write, ShellExtIcon = (empty)
  • HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E, write, LanguageList = en-US
  • HKEY_CURRENT_USER\Software\WinRAR\ArcHistory, write, 3 = C:\Users\admin\Desktop\phacker.zip
  • HKEY_CURRENT_USER\Software\WinRAR\ArcHistory, write, 2 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
  • HKEY_CURRENT_USER\Software\WinRAR\ArcHistory, write, 1 = C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
  • HKEY_CURRENT_USER\Software\WinRAR\ArcHistory, write, 0 = C:\Users\admin\AppData\Local\Temp\doc20240715-00034.img.iso
  • HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, write, name = 120
  • HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, write, size = 80
  • HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, write, type = 120

These are WinRAR's own UI state and most-recently-used list, not activity of the sample. ArcHistory\0 is the analysed image; entries 1 to 3 are archives opened earlier in this sandbox image and predate the analysis. No registry writes by the payload processes (PIDs 3492 and 3532) are recorded here, so the report shows no registry-based persistence.
Executable files: 9
Suspicious files: 7
Text files: 3
Unknown types: 1

Dropped files

PID 3380 WinRAR.exe
  C:\Users\admin\AppData\Local\Temp\Rar$DIa3380.39802\DOC20240715_00034.bat (executable)
  MD5: 4D80294B3E66E7C45202FAB188CDF894
  SHA256: 62D92A3B2C0EE7F125F15A606659B4675A85E4053C5D82221CAED28A49635B2E

PID 3532 DOC20240715_00034.bat
  C:\Users\admin\AppData\Roaming\Shampoerne\arkolog\frikadellens\Zygotomere\Poacher.lej (binary)
  MD5: 9A0B3392835DDDE124C75008E2DE0EB0
  SHA256: 121E81F02D26CFD5420DB6F231672A58D17ED2665A045B1400D9934D0A497B75

  C:\Users\admin\AppData\Local\Temp\nsc7B9.tmp\BgImage.dll (executable)
  MD5: 744F9C42403E9AABDE8FC65D40BCCD3E
  SHA256: 8EB85584031B2E1D74DAF372E60A72F767E8861DB9D4CA2DC1981511F620E51E

  C:\Users\admin\AppData\Roaming\Shampoerne\arkolog\frikadellens\Zygotomere\Cadetcy.bin (binary)
  MD5: 45F1F0B16A621607F077EA293EFF2AEA
  SHA256: CC4F4BDBE998B696EC6AF8DD9D5D51ABCD67674648AE24F1C59C40C431BC6E5D

  C:\Users\admin\AppData\Roaming\Shampoerne\arkolog\frikadellens\Zygotomere\Faglrtes161.tru (binary)
  MD5: BAC1BAE5E7C710632073FE5E30D7EA95
  SHA256: 4B3CDC417B8E908C6DABEF03FA9BDC0AB0B25E88A01254395378CB0797892F4E

  C:\Users\admin\AppData\Local\Temp\Setup.ini (text)
  MD5: B73A171C8DE922AFE4E446EC817FF4B3
  SHA256: F8BAA811A75E4E24939FB0D51A61DD0B6F4FE00DBA0171982D2F8FAE26F5A28C

  C:\Users\admin\AppData\Roaming\Shampoerne\arkolog\frikadellens\Zygotomere\images.jpg (image)
  MD5: 189C585D59D1B5A7FC2FA0CC04777C14
  SHA256: 86FA8569A16F13965B41467FCE92F0C405121758E44D38057CCDFF02CC902619

  C:\Users\admin\Desktop\uredosorus.lnk (lnk)
  MD5: 8709BAB962ABEF2DA0AB316D8B155D0A
  SHA256: 28E5CB33409C9471CBE521536CC9299E839951002BC4E00D5F5EFD154808B797

  C:\Users\admin\AppData\Roaming\Shampoerne\arkolog\frikadellens\Zygotomere\shammashim.var (binary)
  MD5: BE45431798A2467546899124E4850BF5
  SHA256: C21232ECCACA0633B46F19DDF9A0FD88F769755855CEF47987E011B372E0DF0D

  C:\Users\admin\AppData\Local\Temp\nsc7B9.tmp\System.dll (executable)
  MD5: A4DD044BCD94E9B3370CCF095B31F896
  SHA256: 2E226715419A5882E2E14278940EE8EF0AA648A3EF7AF5B3DC252674111962BC
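Taken together, the process and dropped-file records describe a chain that can be written down as detection logic: an archiver launching a PE that carries a .bat extension from its Rar$ temp directory; the NSIS plugins System.dll and BgImage.dll unpacked into %TEMP%\ns*.tmp (the directory and plugin names NSIS installers use, which is what the "creating System.dll in Temp" signature keys on); a shortcut written to the Desktop by something other than the shell; and a cluster of files with made-up extensions written to one fresh directory under AppData\Roaming. The Python below is an added example, not code from ANY.RUN or from the sample, that encodes those four observations as rules over Sysmon-style process-creation and file-creation events. The event list is constructed from the report's own paths and PIDs plus one benign explorer.exe control; the event field names, rule names and thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Parent images that extract user-supplied content and run it on double-click.
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "bandizip.exe"}
# Extensions that cannot legitimately be a process Image: the loader runs PE files
# only, and a genuine .bat runs under cmd.exe (whose Image is then cmd.exe).
NON_PE_EXTS = {".bat", ".cmd", ".vbs", ".js", ".txt", ".pdf", ".doc", ".docx", ".jpg", ".png"}
# Unremarkable extensions in a user profile; anything else counts as an odd artifact.
ORDINARY_EXTS = {".exe", ".dll", ".txt", ".ini", ".log", ".json", ".xml", ".dat", ".jpg", ".png", ".lnk"}

ARCHIVER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\(?:Rar\$[A-Za-z]+\d+\.\d+|7z[A-Za-z0-9]+)\\", re.I)
NSIS_PLUGIN = re.compile(r"\\Temp\\ns[a-z0-9]+\.tmp\\(?:System|BgImage|nsExec|InstallOptions|nsDialogs)\.dll$", re.I)
DESKTOP_LNK = re.compile(r"\\Desktop\\[^\\]+\.lnk$", re.I)
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.I)


def _ext(path):
    return PureWindowsPath(path).suffix.lower()


def _base(path):
    return PureWindowsPath(path).name.lower()


def analyze(events):
    """Run the four rules over a list of event dicts and return a list of alert dicts."""
    alerts = []
    staging = defaultdict(set)   # (pid, directory) -> odd extensions written there
    for ev in events:
        if ev["type"] == "process":
            img = ev["image"]
            if _ext(img) in NON_PE_EXTS:
                alerts.append({"rule": "pe_with_script_extension", "pid": ev["pid"], "path": img})
            if _base(ev["parent_image"]) in ARCHIVERS and ARCHIVER_TEMP.search(img):
                alerts.append({"rule": "archiver_launched_payload", "pid": ev["pid"], "path": img})
        elif ev["type"] == "file":
            path = ev["path"]
            if NSIS_PLUGIN.search(path):
                alerts.append({"rule": "nsis_plugin_in_temp", "pid": ev["pid"], "path": path})
            if DESKTOP_LNK.search(path) and _base(ev["image"]) != "explorer.exe":
                alerts.append({"rule": "desktop_shortcut_dropped", "pid": ev["pid"], "path": path})
            if ROAMING_DIR.search(path) and _ext(path) not in ORDINARY_EXTS:
                staging[(ev["pid"], str(PureWindowsPath(path).parent))].add(_ext(path))
    # Three or more distinct odd extensions in one Roaming directory from one process.
    for (pid, directory), exts in staging.items():
        if len(exts) >= 3:
            alerts.append({"rule": "staged_payload_dir", "pid": pid, "path": directory,
                           "extensions": sorted(exts)})
    return alerts


# Constructed events mirroring the report's process tree and dropped files.
_WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
_BAT1 = r"C:\Users\admin\AppData\Local\Temp\Rar$DIa3380.43645\DOC20240715_00034.bat"
_BAT2 = r"C:\Users\admin\AppData\Local\Temp\Rar$DIa3380.39802\DOC20240715_00034.bat"
_STAGE = r"C:\Users\admin\AppData\Roaming\Shampoerne\arkolog\frikadellens\Zygotomere"


def _file(pid, image, path):
    return {"type": "file", "pid": pid, "image": image, "path": path}


EVENTS = [
    {"type": "process", "pid": 3380, "image": _WINRAR, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 3492, "image": _BAT1, "parent_image": _WINRAR},
    {"type": "process", "pid": 3532, "image": _BAT2, "parent_image": _WINRAR},
    _file(3532, _BAT2, r"C:\Users\admin\AppData\Local\Temp\nsc7B9.tmp\System.dll"),
    _file(3532, _BAT2, r"C:\Users\admin\AppData\Local\Temp\nsc7B9.tmp\BgImage.dll"),
    _file(3532, _BAT2, r"C:\Users\admin\AppData\Local\Temp\Setup.ini"),
    _file(3532, _BAT2, r"C:\Users\admin\Desktop\uredosorus.lnk"),
    _file(3532, _BAT2, _STAGE + r"\Poacher.lej"),
    _file(3532, _BAT2, _STAGE + r"\Cadetcy.bin"),
    _file(3532, _BAT2, _STAGE + r"\Faglrtes161.tru"),
    _file(3532, _BAT2, _STAGE + r"\shammashim.var"),
    _file(3532, _BAT2, _STAGE + r"\images.jpg"),
    # Benign control (constructed, not from the report): the shell creating a shortcut.
    _file(4242, r"C:\Windows\explorer.exe", r"C:\Users\admin\Desktop\notes.lnk"),
]

if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert["rule"], alert["pid"], alert["path"])
```

The first rule is both the cheapest and the strongest: a process image should end in .exe (or .scr, .com and the like), so a .bat as the image means a renamed PE regardless of what the file is called. The NSIS rule fires on legitimate installers too and is context rather than an alert on its own; it earns its place here because it narrows what the renamed PE is (an NSIS-built dropper) and tells you where its plugins and Setup.ini land.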
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 12
DNS requests: 5
Threats: 0

Every HTTP request and connection below is attributed to system processes (svchost.exe PIDs 1372, 1060 and 2564, and System PID 4): certificate revocation and trust-list downloads, Windows telemetry, and local NetBIOS/LLMNR/WS-Discovery broadcasts. None is attributed to PIDs 3380, 3492 or 3532, so no network activity by the sample was captured within the analysis window.

HTTP requests

  • PID 1372 svchost.exe, GET, 304, 199.232.214.172:80 (US), whitelisted
    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
  • PID 1060 svchost.exe, GET, 304, 199.232.214.172:80 (US), whitelisted
    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
  • PID 1372 svchost.exe, GET, 200, 184.30.21.171:80 (DE), binary, 973 b, whitelisted
    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
  • PID 1372 svchost.exe, GET, 200, 2.16.164.9:80 (NL), binary, 1.01 Kb, whitelisted
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

Connections

  • PID 4 System -> 192.168.100.255:137, whitelisted
  • PID 2564 svchost.exe -> 239.255.255.250:3702, whitelisted
  • PID 1372 svchost.exe -> 4.231.128.59:443, MICROSOFT-CORP-MSN-AS-BLOCK (IE), whitelisted
  • PID 1060 svchost.exe -> 224.0.0.252:5355, whitelisted
  • PID 4 System -> 192.168.100.255:138, whitelisted
  • PID 1372 svchost.exe -> 13.71.55.58:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK (IN), unknown
  • PID 1372 svchost.exe -> 199.232.214.172:80, ctldl.windowsupdate.com, FASTLY (US), unknown
  • PID 1372 svchost.exe -> 2.16.164.9:80, crl.microsoft.com, Akamai International B.V. (NL), unknown
  • PID 1372 svchost.exe -> 184.30.21.171:80, www.microsoft.com, AKAMAI-AS (DE), unknown
  • PID 1060 svchost.exe -> 199.232.214.172:80, ctldl.windowsupdate.com, FASTLY (US), unknown

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.23.110
whitelisted
settings-win.data.microsoft.com
  • 13.71.55.58
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.51
  • 2.16.164.18
  • 2.16.164.43
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
No debug info