File name: | Invoice_9423_october_PDF.iso |
Full analysis: | https://app.any.run/tasks/9d963639-ca19-43f4-88e3-b8f6afcb47f1 |
Verdict: | Malicious activity |
Analysis date: | October 04, 2022, 20:06:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-iso9660-image |
File info: | ISO 9660 CD-ROM filesystem data 'CD_ROM' |
MD5: | EFE9993A2A2DFD5EEC3BD85B00D4DE04 |
SHA1: | 298CB362A183B5F5FF09363F4C28B506550DF15F |
SHA256: | F8D50BF8BC2EA7DCDF56978A0DC0F91D8FF061E7693B2980E6D3B4C7399BAF86 |
SSDEEP: | 49152:BUV3vUtzpSLc/QpR1FZTcuGk0mzMF7rtV8HpDmVLoIFy64mZLywzrd0RvxHtCpxA:btlSLc/QB3TcuGkQr |
.iso | | | ISO 9660 CD image (27.6) |
---|---|---|
.atn | | | Photoshop Action (27.1) |
.gmc | | | Game Music Creator Music (6.1) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3280 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Invoice_9423_october_PDF.iso" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 | ||||
3224 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIa3280.19868\punishing.dat | C:\Windows\system32\rundll32.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 3221225547 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3112 | "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=57426&Ext=dat | C:\Program Files\Internet Explorer\iexplore.exe | rundll32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2072 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3112 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1560 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3280.21519\puffinPromenaded.vbs" | C:\Windows\System32\WScript.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
772 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa3280.22279\sensiblyButtressing.cmd" " | C:\Windows\system32\cmd.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 9009 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2584 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa3280.23247\sensiblyButtressing.cmd" " | C:\Windows\system32\cmd.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 9009 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2072 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\7VYQ0YH0.txt | text | |
MD5:9F0B2CCA95F8D468526078E7B1FF29E0 | SHA256:3BC12A99858CE7ED1F3C8B92DD1A631C009FEFB805DD92376AC7B4C4851652CE | |||
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3280.19868\punishing.dat | executable | |
MD5:F2D5C0591B3BFF4EFA9E3656ED9FAAF3 | SHA256:2C5E5AB1A645D86159A4F050D524962A8CA3B82C6576E11EE9052073867F2FFF | |||
2072 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | |
MD5:B8BDA0B382A7D056A4241B388338B778 | SHA256:7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2 | |||
2072 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | |
MD5:A8EA0CD1D77C193D50D4DB517D289B08 | SHA256:0DB9D29C5C76D43EECF09B5B756363376C734E0C399A4109995886BA28A53001 | |||
2072 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\GSN8TV7R.txt | text | |
MD5:4E3D92A6F42DC9569BC67C10CF36A9E6 | SHA256:56F8F124955A7E8C203610E9B63D567AB8940FFFDD474011D5982BEA47A1FF7D | |||
2072 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\B6OTHA1J.txt | text | |
MD5:98A342F098A8D7CA76304E0BEE5773FB | SHA256:3DA73CE3C44C23D8CB67CD24AAB1AF10BDC805110622E1D1AF4C95DA30F6B102 | |||
2072 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\CO1KWVL8.txt | text | |
MD5:8BD8CD6C16CAEBB4CA019D58B6698329 | SHA256:D6AFDA16121F5D5096094DECF81877904E2301684AEBAE0F07C47A6F38D6DF02 | |||
2072 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\N93FY030.txt | text | |
MD5:074908E00C537D30760D2FBCCFEEC0F5 | SHA256:4F3196C7690C98CD76710EB79FAD477B9CF805713186A21C86DCEFD498DBC345 | |||
2072 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\7G8H99E3.txt | text | |
MD5:C010C77B72259F69955A9067A689F577 | SHA256:1B7C3D64D3DE83407945BBFD1C8CC6EF283230A0B891DBEC37AA9501465FC1D9 | |||
2072 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | |
MD5:9B2DC2B5C3E143D164C1987203828165 | SHA256:CB79555581A0417EC24C6D1A23DE27C116C1275D5B3277D69A0A5FC4A9CB3CD7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2072 | iexplore.exe | GET | 301 | 23.6.113.41:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=dat | NL | — | — | whitelisted |
2072 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
2072 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
2072 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
2072 | iexplore.exe | GET | 200 | 67.26.83.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?95f90844f8280476 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2072 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
3112 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2072 | iexplore.exe | 104.87.130.101:443 | go.microsoft.com | AKAMAI-AS | AT | suspicious |
2072 | iexplore.exe | 20.190.160.13:443 | login.microsoftonline.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | suspicious |
2072 | iexplore.exe | 23.6.113.41:80 | shell.windows.com | Akamai International B.V. | AT | unknown |
2072 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2072 | iexplore.exe | 20.190.159.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | suspicious |
2072 | iexplore.exe | 67.26.83.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | malicious |
3112 | iexplore.exe | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
go.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
shell.windows.com |
| whitelisted |
www.bing.com |
| whitelisted |
www.youtube.com |
| whitelisted |
login.microsoftonline.com |
| whitelisted |
api.bing.com |
| whitelisted |
login.live.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |