File name: Invoice_9423_october_PDF.iso

Full analysis: https://app.any.run/tasks/9d963639-ca19-43f4-88e3-b8f6afcb47f1
Verdict: Malicious activity
Analysis date: October 04, 2022, 20:06:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'CD_ROM'
MD5: EFE9993A2A2DFD5EEC3BD85B00D4DE04
SHA1: 298CB362A183B5F5FF09363F4C28B506550DF15F
SHA256: F8D50BF8BC2EA7DCDF56978A0DC0F91D8FF061E7693B2980E6D3B4C7399BAF86
SSDEEP: 49152:BUV3vUtzpSLc/QpR1FZTcuGk0mzMF7rtV8HpDmVLoIFy64mZLywzrd0RvxHtCpxA:btlSLc/QB3TcuGkQr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 3280)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 3280)
      • WScript.exe (PID: 1560)
    • Checks supported languages
      • WinRAR.exe (PID: 3280)
      • cmd.exe (PID: 2584)
      • cmd.exe (PID: 772)
      • WScript.exe (PID: 1560)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3280)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3280)
    • Uses RUNDLL32.EXE to load library
      • WinRAR.exe (PID: 3280)
    • Starts Internet Explorer
      • rundll32.exe (PID: 3224)
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 2072)
    • Executes scripts
      • WinRAR.exe (PID: 3280)
    • Starts CMD.EXE for commands execution
      • WinRAR.exe (PID: 3280)
  • INFO
    • Reads the computer name
      • iexplore.exe (PID: 3112)
      • iexplore.exe (PID: 2072)
      • rundll32.exe (PID: 3224)
    • Checks supported languages
      • iexplore.exe (PID: 3112)
      • iexplore.exe (PID: 2072)
      • rundll32.exe (PID: 3224)
    • Application launched itself
      • iexplore.exe (PID: 3112)
    • Changes internet zones settings
      • iexplore.exe (PID: 3112)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3112)
      • iexplore.exe (PID: 2072)
    • Creates files in the user directory
      • iexplore.exe (PID: 2072)
    • Reads the date of Windows installation
      • iexplore.exe (PID: 3112)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 2072)
      • WScript.exe (PID: 1560)
      • iexplore.exe (PID: 3112)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD
  • .iso | ISO 9660 CD image (27.6)
  • .atn | Photoshop Action (27.1)
  • .gmc | Game Music Creator Music (6.1)
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: winrar.exe, rundll32.exe, iexplore.exe, iexplore.exe, wscript.exe, cmd.exe, cmd.exe

Process information

PID: 3280
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Invoice_9423_october_PDF.iso"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 3224
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIa3280.19868\punishing.dat
Path: C:\Windows\system32\rundll32.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 3221225547
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3112
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=57426&Ext=dat
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2072
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3112 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1560
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3280.21519\puffinPromenaded.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 772
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa3280.22279\sensiblyButtressing.cmd" "
Path: C:\Windows\system32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 9009
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2584
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa3280.23247\sensiblyButtressing.cmd" "
Path: C:\Windows\system32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 9009
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 10 993
Read events: 10 884
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 10
Text files: 105
Unknown types: 6

Dropped files

PID: 2072, Process: iexplore.exe, Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\7VYQ0YH0.txt
MD5: 9F0B2CCA95F8D468526078E7B1FF29E0
SHA256: 3BC12A99858CE7ED1F3C8B92DD1A631C009FEFB805DD92376AC7B4C4851652CE

PID: 3280, Process: WinRAR.exe, Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa3280.19868\punishing.dat
MD5: F2D5C0591B3BFF4EFA9E3656ED9FAAF3
SHA256: 2C5E5AB1A645D86159A4F050D524962A8CA3B82C6576E11EE9052073867F2FFF

PID: 2072, Process: iexplore.exe, Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5: B8BDA0B382A7D056A4241B388338B778
SHA256: 7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2

PID: 2072, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5: A8EA0CD1D77C193D50D4DB517D289B08
SHA256: 0DB9D29C5C76D43EECF09B5B756363376C734E0C399A4109995886BA28A53001

PID: 2072, Process: iexplore.exe, Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\GSN8TV7R.txt
MD5: 4E3D92A6F42DC9569BC67C10CF36A9E6
SHA256: 56F8F124955A7E8C203610E9B63D567AB8940FFFDD474011D5982BEA47A1FF7D

PID: 2072, Process: iexplore.exe, Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\B6OTHA1J.txt
MD5: 98A342F098A8D7CA76304E0BEE5773FB
SHA256: 3DA73CE3C44C23D8CB67CD24AAB1AF10BDC805110622E1D1AF4C95DA30F6B102

PID: 2072, Process: iexplore.exe, Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\CO1KWVL8.txt
MD5: 8BD8CD6C16CAEBB4CA019D58B6698329
SHA256: D6AFDA16121F5D5096094DECF81877904E2301684AEBAE0F07C47A6F38D6DF02

PID: 2072, Process: iexplore.exe, Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\N93FY030.txt
MD5: 074908E00C537D30760D2FBCCFEEC0F5
SHA256: 4F3196C7690C98CD76710EB79FAD477B9CF805713186A21C86DCEFD498DBC345

PID: 2072, Process: iexplore.exe, Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\7G8H99E3.txt
MD5: C010C77B72259F69955A9067A689F577
SHA256: 1B7C3D64D3DE83407945BBFD1C8CC6EF283230A0B891DBEC37AA9501465FC1D9

PID: 2072, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5: 9B2DC2B5C3E143D164C1987203828165
SHA256: CB79555581A0417EC24C6D1A23DE27C116C1275D5B3277D69A0A5FC4A9CB3CD7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 24
DNS requests: 12
Threats: 0

HTTP requests

PID: 2072, Process: iexplore.exe, Method: GET, HTTP Code: 301
IP: 23.6.113.41:80
URL: http://shell.windows.com/fileassoc/fileassoc.asp?Ext=dat
CN: NL, Reputation: whitelisted

PID: 2072, Process: iexplore.exe, Method: GET, HTTP Code: 200
IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
CN: US, Type: der, Size: 1.47 Kb, Reputation: whitelisted

PID: 2072, Process: iexplore.exe, Method: GET, HTTP Code: 200
IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
CN: US, Type: der, Size: 1.47 Kb, Reputation: whitelisted

PID: 2072, Process: iexplore.exe, Method: GET, HTTP Code: 200
IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: US, Type: der, Size: 471 b, Reputation: whitelisted

PID: 2072, Process: iexplore.exe, Method: GET, HTTP Code: 200
IP: 67.26.83.254:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?95f90844f8280476
CN: US, Type: compressed, Size: 4.70 Kb, Reputation: whitelisted

Connections

PID, Process | IP | Domain | ASN | CN | Reputation
2072, iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
3112, iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2072, iexplore.exe | 104.87.130.101:443 | go.microsoft.com | AKAMAI-AS | AT | suspicious
2072, iexplore.exe | 20.190.160.13:443 | login.microsoftonline.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | suspicious
2072, iexplore.exe | 23.6.113.41:80 | shell.windows.com | Akamai International B.V. | AT | unknown
2072, iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2072, iexplore.exe | 20.190.159.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | suspicious
2072, iexplore.exe | 67.26.83.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | malicious
3112, iexplore.exe | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(PID not shown) | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
go.microsoft.com | 104.87.130.101 | whitelisted
ctldl.windowsupdate.com | 67.26.83.254, 67.27.159.126, 8.241.123.126, 8.238.36.254, 8.238.29.254 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
shell.windows.com | 23.6.113.41, 23.6.112.112 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
www.youtube.com | 142.250.180.206, 142.251.39.14, 142.251.39.46, 172.217.20.14, 142.250.180.238, 172.217.19.110, 142.251.39.78, 142.250.201.206 | whitelisted
login.microsoftonline.com | 20.190.160.13, 40.126.32.137, 40.126.32.139, 20.190.160.12, 20.190.160.23, 40.126.32.73, 40.126.32.135, 20.190.160.15 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
login.live.com | 20.190.159.3, 20.190.159.69, 40.126.31.70, 20.190.159.70, 20.190.159.1, 20.190.159.74, 20.190.159.22, 40.126.31.72 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted

Threats

No threats detected
No debug info