| Field | Value |
|---|---|
| File name | DOC_1109091_01909_1090192_12009.IMG |
| Full analysis | https://app.any.run/tasks/62cfb5ec-6e3b-43f3-bb4c-c3ffdc4ac13c |
| Verdict | Malicious activity |
| Threats | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube, which has helped make it one of the most popular RATs in the world. |
| Analysis date | June 12, 2019, 10:31:22 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/x-iso9660-image |
| File info | UDF filesystem data (version 1.5) 'DESKTOP' |
| MD5 | 1F7F826D3A2BBAA219BCB267E9C61761 |
| SHA1 | EF9542A3C04398381F58ABB1E3CBDE55C9A8F1B0 |
| SHA256 | EFB0C4B4D5A571DBF47A7850F6009B97F0B4D83AD712206F1E6216F857F857B5 |
| SSDEEP | 6144:7E2AYl6JBWAetbxNnzXoSvFRGb1WXjikr:7lMKRVnzDoxWXWkr |
| Extension | Detected file type | Match score |
|---|---|---|
| .iso | ISO 9660 CD image | 27.6 |
| .atn | Photoshop Action | 27.1 |
| .gmc | Game Music Creator Music | 6.1 |
| Volume field | Value |
|---|---|
| VolumeSize | 1198 kB |
| VolumeModifyDate | 2019:06:12 07:18:15.00+08:00 |
| VolumeCreateDate | 2019:06:12 07:18:15.00+08:00 |
| Software | IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER! |
| VolumeSetName | UNDEFINED |
| RootDirectoryCreateDate | 2019:06:12 07:18:15+08:00 |
| VolumeBlockSize | 2048 |
| VolumeBlockCount | 599 |
| VolumeName | DESKTOP |
| PID | Command line | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 2844 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\DOC_1109091_01909_1090192_12009.IMG.iso | C:\Windows\system32\rundll32.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows host process (Rundll32) | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3624 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DOC_1109091_01909_1090192_12009.IMG.iso" | C:\Program Files\WinRAR\WinRAR.exe | — | rundll32.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | — | 5.60.0 |
| 3800 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DOC_1109091_01909_1090192_12009.IMG.iso" | C:\Program Files\WinRAR\WinRAR.exe | — | rundll32.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | — | 5.60.0 |
| 3644 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.1891\DOC_1109091_01909_1090192_1209.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.1891\DOC_1109091_01909_1090192_1209.exe | — | WinRAR.exe | admin | Maxthon International ltd. | MEDIUM | Maxthon Installer | 3221226540 | 5.2.7.3000 |
| 4016 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.1929\DOC_1109091_01909_1090192_1209.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.1929\DOC_1109091_01909_1090192_1209.exe | — | WinRAR.exe | admin | Maxthon International ltd. | MEDIUM | Maxthon Installer | 3221226540 | 5.2.7.3000 |
| 1492 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.1891\DOC_1109091_01909_1090192_1209.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.1891\DOC_1109091_01909_1090192_1209.exe | — | WinRAR.exe | admin | Maxthon International ltd. | HIGH | Maxthon Installer | 1 | 5.2.7.3000 |
| 2628 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.1929\DOC_1109091_01909_1090192_1209.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.1929\DOC_1109091_01909_1090192_1209.exe | — | WinRAR.exe | admin | Maxthon International ltd. | HIGH | Maxthon Installer | — | 5.2.7.3000 |
| 1632 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | DOC_1109091_01909_1090192_1209.exe | admin | Microsoft Corporation | HIGH | Microsoft .NET Assembly Registration Utility | 0 | 4.6.1055.0 built by: NETFXREL2 |
| 1744 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | DOC_1109091_01909_1090192_1209.exe | admin | Microsoft Corporation | HIGH | Microsoft .NET Assembly Registration Utility | — | 4.6.1055.0 built by: NETFXREL2 |
| 2944 | "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.1929\DOC_1109091_01909_1090192_1209.exe" | C:\Windows\System32\cmd.exe | — | DOC_1109091_01909_1090192_1209.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3800 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.1891\DOC_1109091_01909_1090192_1209.exe | executable | AEB14382039D723FA5F0D90E43ECB9EA | C7E967E29D8346F28E345C91AF495E761E062AE3EB8141A84F9BF056D17EA391 |
| 3800 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.1929\DOC_1109091_01909_1090192_1209.exe | executable | AEB14382039D723FA5F0D90E43ECB9EA | C7E967E29D8346F28E345C91AF495E761E062AE3EB8141A84F9BF056D17EA391 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1744 | RegAsm.exe | 213.208.129.205:5500 | 1934.duckdns.org | Next Layer Telekommunikationsdienstleistungs- und Beratungs GmbH | AT | malicious |
| Domain | IP | Reputation |
|---|---|---|
| 1934.duckdns.org | — | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |