analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

photo_2019-04-24_15-33-56.jpg

Full analysis: https://app.any.run/tasks/94dd90e2-3492-4441-bd40-fd5da033e198
Verdict: Malicious activity
Analysis date: April 25, 2019, 16:18:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: image/jpeg
File info: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 728x1079, frames 3
MD5:

FF2A824DBAD350EDCEE0658B419CC834

SHA1:

DD2FDC003AA21E75EA3A05CDD1E64706CAFB8CF9

SHA256:

D61FF4249FE2203B785AA4ACEA204F0F28CB1F027FEA90017D360E73B6797B20

SSDEEP:

3072:OH07rhPcRd3pVVvGzZPBZaucAvvHluFdcmZxJTZcmwynvpxk0NI0uDkhUQqZpl:OU+6zJDa9Aocmjh5IWU/Zpl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • cmd.exe (PID: 904)
  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 2628)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2628)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jpg | JFIF JPEG bitmap (50)
.jpg | JPEG bitmap (37.4)
.mp3 | MP3 audio (12.4)

EXIF

JFIF

JFIFVersion: 1.01
ResolutionUnit: inches
XResolution: 96
YResolution: 96

Composite

ImageSize: 728x1079
Megapixels: 0.786
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs cmd.exe no specs cmd.exe

Process information

PID
CMD
Path
Indicators
Parent process
1208"C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\photo_2019-04-24_15-33-56.jpgC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2628"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
904cmd /c "echo off&erase /F/Q/S *.* >NUL"C:\Windows\system32\cmd.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
78
Read events
77
Write events
1
Delete events
0

Modification events

(PID) Process:(1208) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
rundll32.exe
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info