File name: | IMG-110921901110-1190223456789001.IMG |
Full analysis: | https://app.any.run/tasks/43632daf-3b60-4030-b0cc-e073db1530ba |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 13:36:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-iso9660-image |
File info: | UDF filesystem data (version 1.5) 'DESKTOP' |
MD5: | C30611BE1B725DD148CF0533C4FD5A81 |
SHA1: | 43CCD94B4519C026488F0909E08E41A36903045C |
SHA256: | CB3DD9C6DBD5FA08AF6A6D305C7573CBB654CF6058C6DA88794D70387256909F |
SSDEEP: | 24576:mAHnh+eWsN3skA4RV1Hom2KXSmdaZzv/XcpjmHg+4Zyw5:Bh+ZkldoPKi2a1vAjm09 |
.iso | | | ISO 9660 CD image (27.6) |
---|---|---|
.atn | | | Photoshop Action (27.1) |
.gmc | | | Game Music Creator Music (6.1) |
VolumeSize: | 1888 kB |
---|
VolumeModifyDate: | 2019:05:20 10:12:09.00+01:00 |
---|---|
VolumeCreateDate: | 2019:05:20 10:12:09.00+01:00 |
Software: | IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER! |
VolumeSetName: | UNDEFINED |
RootDirectoryCreateDate: | 2019:05:20 10:12:09+01:00 |
VolumeBlockSize: | 2048 |
VolumeBlockCount: | 944 |
VolumeName: | DESKTOP |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1520 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\IMG-110921901110-1190223456789001.IMG.iso | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1464 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\IMG-110921901110-1190223456789001.IMG.iso" | C:\Program Files\WinRAR\WinRAR.exe | rundll32.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2828 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1464.44337\IMG-110921901110-1190223456789001.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1464.44337\IMG-110921901110-1190223456789001.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM | ||||
3828 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | IMG-110921901110-1190223456789001.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 4.6.1055.0 built by: NETFXREL2 | ||||
3980 | "C:\Users\admin\Desktop\IMG-110921901110-1190223456789001.exe" | C:\Users\admin\Desktop\IMG-110921901110-1190223456789001.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM | ||||
1524 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | IMG-110921901110-1190223456789001.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 | ||||
1356 | "C:\Users\admin\Desktop\IMG-110921901110-1190223456789001.exe" | C:\Users\admin\Desktop\IMG-110921901110-1190223456789001.exe | explorer.exe | |
User: admin Integrity Level: HIGH | ||||
3348 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | IMG-110921901110-1190223456789001.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 | ||||
2960 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | IMG-110921901110-1190223456789001.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 | ||||
2688 | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Performance Reverse Adapter Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1356 | IMG-110921901110-1190223456789001.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iotstartup.vbs | text | |
MD5:AE60E2C959A719A9C81D163B84892EE8 | SHA256:9D871C3E8CBF8D23AEC0CF6DD05C8B37FB77DC7BE5B02FF71589501B61412766 | |||
1464 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1464.45107\IMG-110921901110-1190223456789001.exe | executable | |
MD5:ED0432CCB59961130A45572CAE91BBF2 | SHA256:7B687D8EC8B468B1ED649C0915F0AD984283965F20EB40A003585942696B8C73 | |||
2828 | IMG-110921901110-1190223456789001.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iotstartup.vbs | text | |
MD5:AE60E2C959A719A9C81D163B84892EE8 | SHA256:9D871C3E8CBF8D23AEC0CF6DD05C8B37FB77DC7BE5B02FF71589501B61412766 | |||
3980 | IMG-110921901110-1190223456789001.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iotstartup.vbs | text | |
MD5:AE60E2C959A719A9C81D163B84892EE8 | SHA256:9D871C3E8CBF8D23AEC0CF6DD05C8B37FB77DC7BE5B02FF71589501B61412766 | |||
1464 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1464.44337\IMG-110921901110-1190223456789001.exe | executable | |
MD5:ED0432CCB59961130A45572CAE91BBF2 | SHA256:7B687D8EC8B468B1ED649C0915F0AD984283965F20EB40A003585942696B8C73 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3828 | RegAsm.exe | 184.75.210.203:1101 | moran101.duckdns.org | Amanah Tech Inc. | CA | malicious |
Domain | IP | Reputation |
---|---|---|
moran101.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |