URL:

http://cdn.superantispyware.com/SUPERAntiSpyware.exe

Full analysis: https://app.any.run/tasks/b40547f1-070f-459c-838b-d7eb5650614b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 01, 2019, 13:26:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

CEBC0558BFA25E331E56CB86BF7A6286

SHA1:

9326EBDD598E1A6D873D6A06BC8993D53224F1DE

SHA256:

21F2A7C9DD326DE2AF5426F2E4750938A74E3B8A92576763E596DA325CDA35AE

SSDEEP:

3:N1KdBLzVXLqWVjEednqSNVcSEXALN:CXzVbqKEe4SDEXuN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SUPERAntiSpyware[1].exe (PID: 2236)
      • REGSVR32.EXE (PID: 2832)
      • SASCORE.EXE (PID: 2292)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3388)
    • Application was dropped or rewritten from another process

      • SASCORE.EXE (PID: 3268)
      • SSUPDATE.EXE (PID: 2960)
      • SASCORE.EXE (PID: 2292)
      • SUPERAntiSpyware.exe (PID: 3768)
      • sas_enum_cookies.exe (PID: 1888)
    • Registers / Runs the DLL via REGSVR32.EXE

      • SUPERAntiSpyware[1].exe (PID: 2236)
    • Loads the Task Scheduler COM API

      • SUPERAntiSpyware.exe (PID: 3768)
    • Loads the Task Scheduler DLL interface

      • SUPERAntiSpyware.exe (PID: 3768)
    • Changes the autorun value in the registry

      • SASCORE.EXE (PID: 2292)
  • SUSPICIOUS

    • Application launched itself

      • SUPERAntiSpyware[1].exe (PID: 1820)
    • Creates files in the program directory

      • SUPERAntiSpyware[1].exe (PID: 1820)
      • SUPERAntiSpyware[1].exe (PID: 2236)
      • SASCORE.EXE (PID: 2292)
      • SUPERAntiSpyware.exe (PID: 3768)
    • Creates a software uninstall entry

      • SUPERAntiSpyware[1].exe (PID: 2236)
    • Executable content was dropped or overwritten

      • SUPERAntiSpyware[1].exe (PID: 2236)
    • Creates or modifies windows services

      • SASCORE.EXE (PID: 3268)
      • SUPERAntiSpyware[1].exe (PID: 2236)
    • Creates COM task schedule object

      • REGSVR32.EXE (PID: 2832)
    • Creates files in the user directory

      • SUPERAntiSpyware[1].exe (PID: 2236)
      • SUPERAntiSpyware.exe (PID: 3768)
    • Reads the cookies of Google Chrome

      • SUPERAntiSpyware.exe (PID: 3768)
    • Reads the cookies of Mozilla Firefox

      • SUPERAntiSpyware.exe (PID: 3768)
    • Reads Internet Cache Settings

      • sas_enum_cookies.exe (PID: 1888)
    • Creates files in the Windows directory

      • SUPERAntiSpyware.exe (PID: 3768)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2836)
    • Changes internet zones settings

      • iexplore.exe (PID: 2836)
    • Dropped object may contain Bitcoin addresses

      • SUPERAntiSpyware[1].exe (PID: 2236)
      • SUPERAntiSpyware.exe (PID: 3768)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
50
Monitored processes
12
Malicious processes
6
Suspicious processes
0

Behavior graph

Process nodes (legend: start, drop and start): iexplore.exe; iexplore.exe; superantispyware[1].exe (no specs); superantispyware[1].exe; sascore.exe (no specs); sascore.exe; regsvr32.exe (no specs); superantispyware.exe; ssupdate.exe (no specs); cacls.exe (no specs); sas_enum_cookies.exe (no specs); cacls.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2836
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://cdn.superantispyware.com/SUPERAntiSpyware.exe
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
PID: 3388
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
PID: 1820
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\SUPERAntiSpyware[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\SUPERAntiSpyware[1].exe
Parent process: iexplore.exe
User:
admin
Company:
SUPERAntiSpyware
Integrity Level:
MEDIUM
Description:
SUPERAntiSpyware Free Edition Setup
Exit code:
0
Version:
8, 0, 0, 1026
PID: 2236
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\SUPERAntiSpyware[1].exe" /runasadmin
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\SUPERAntiSpyware[1].exe
Parent process: SUPERAntiSpyware[1].exe
User:
admin
Company:
SUPERAntiSpyware
Integrity Level:
HIGH
Description:
SUPERAntiSpyware Free Edition Setup
Exit code:
0
Version:
8, 0, 0, 1026
PID: 3268
CMD: "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" -install -name:!SASCORE -display:"SAS Core Service" -description:"SUPERAntiSpyware Core Service" -pipe:sascoreservicepipe
Path: C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
Parent process: SUPERAntiSpyware[1].exe
User:
admin
Company:
SUPERAntiSpyware.com
Integrity Level:
HIGH
Description:
Core Service
Exit code:
0
Version:
6, 0, 0, 1082
PID: 2292
CMD: "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE"
Path: C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
Parent process: services.exe
User:
SYSTEM
Company:
SUPERAntiSpyware.com
Integrity Level:
SYSTEM
Description:
Core Service
Version:
6, 0, 0, 1082
PID: 2832
CMD: "C:\Windows\system32\REGSVR32.EXE" /s "C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL"
Path: C:\Windows\system32\REGSVR32.EXE
Parent process: SUPERAntiSpyware[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 3768
CMD: "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
Path: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Parent process: SUPERAntiSpyware[1].exe
User:
admin
Company:
SUPERAntiSpyware
Integrity Level:
MEDIUM
Description:
SUPERAntiSpyware Application
Version:
8, 0, 0, 1026
PID: 2960
CMD: "C:\Program Files\SUPERAntiSpyware\SSUPDATE.EXE" *8.0.1026!{06CD588E-4BD7-4ab9-9938-0949231C9484}
Path: C:\Program Files\SUPERAntiSpyware\SSUPDATE.EXE
Parent process: SUPERAntiSpyware.exe
User:
admin
Company:
SUPERAntiSpyware.com
Integrity Level:
MEDIUM
Description:
SUPERAntiSpyware Update Application
Exit code:
4294967295
Version:
1, 0, 0, 1080
PID: 3508
CMD: "C:\Windows\System32\cacls.exe" "C:\System Volume Information" /E /G everyone:F
Path: C:\Windows\System32\cacls.exe
Parent process: SUPERAntiSpyware.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Control ACLs Program
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 973
Read events
1 784
Write events
0
Delete events
0

Modification events

No data
Executable files
21
Suspicious files
25
Text files
24
Unknown types
36

Dropped files

PID
Process
Filename
Type
PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:

PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:

PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF751E650D3C9D4EB0.TMP
MD5:
SHA256:

PID: 3388
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\SUPERAntiSpyware[1].exe
MD5:
SHA256:

PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\SUPERAntiSpyware[1].exe
MD5:
SHA256:

PID: 1820
Process: SUPERAntiSpyware[1].exe
Filename: C:\ProgramData\SUPERSetup\setupvars-journal
MD5:
SHA256:

PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFD234161EF84DA469.TMP
MD5:
SHA256:

PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E88CEE65-0DC8-11E9-BAD8-5254004A04AF}.dat
MD5:
SHA256:

PID: 3388
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019010120190102\index.dat
Type: dat
MD5: 81D543B866EFE748DF789F6A60848D88
SHA256: 29260D1837119780A3D0231C071CA0DE14741F11C3B55A81606FE4176195DC5D

PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{E88CEE66-0DC8-11E9-BAD8-5254004A04AF}.dat
Type: binary
MD5: 3AE616D67EE5D21D0515DA4A21A7A00D
SHA256: 2659B018FF24758E7CE3B6AC2B619995A8C171B5E3D748782E2FF00F93E4E41D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
8
DNS requests
4
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3768 | SUPERAntiSpyware.exe | GET | 200 | 93.184.221.133:80 | http://cdn.superantispyware.com/appdata/sas/public/new.15243.SAS | US | binary | 29.4 Mb | whitelisted
3388 | iexplore.exe | GET | 200 | 93.184.221.133:80 | http://cdn.superantispyware.com/SUPERAntiSpyware.exe | US | executable | 35.4 Mb | whitelisted
3768 | SUPERAntiSpyware.exe | GET | 200 | 93.184.221.133:80 | http://cdn.superantispyware.com/appdata/sas/public/20000002.XML | US | text | 188 b | whitelisted
3768 | SUPERAntiSpyware.exe | GET | 200 | 93.184.221.133:80 | http://cdn.superantispyware.com/sascomponents/%7B06CD588E-4BD7-4AB9-9938-0949231C9484%7D.sas | US | binary | 2.49 Kb | whitelisted
2236 | SUPERAntiSpyware[1].exe | GET | 200 | 74.201.114.183:80 | http://events.webflowmetrics.com/metrics.asmx/RecordEvent?sEventName=SASRPI_Install&sEventData=tag:SUPERAntiSpywareChrome.exe_Chrome_V5_NotShown:2|zo-sasref | US | xml | 80 b | suspicious
3768 | SUPERAntiSpyware.exe | GET | 200 | 74.201.114.183:80 | http://events.webflowmetrics.com/metrics.asmx/RecordEvent?sEventName=SASRPI_TrialOffer&sEventData=tag:SUPERAntiSpyware.exe_V6_Accepted%7Czo-sasref | US | xml | 80 b | suspicious
3768 | SUPERAntiSpyware.exe | POST | 200 | 74.201.114.185:80 | http://www.superantispyware.com/application.php | US | text | 16 b | suspicious
3768 | SUPERAntiSpyware.exe | POST | 200 | 74.201.114.185:80 | http://www.superantispyware.com/application.php | US | text | 125 b | suspicious
2836 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3768 | SUPERAntiSpyware.exe | POST | 200 | 74.201.114.185:80 | http://www.superantispyware.com/application.php | US | text | 4 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3388 | iexplore.exe | 93.184.221.133:80 | cdn.superantispyware.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2836 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3768 | SUPERAntiSpyware.exe | 93.184.221.133:80 | cdn.superantispyware.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3768 | SUPERAntiSpyware.exe | 74.201.114.185:80 | www.superantispyware.com | Internap Network Services Corporation | US | unknown
3768 | SUPERAntiSpyware.exe | 74.201.114.183:80 | events.webflowmetrics.com | Internap Network Services Corporation | US | unknown
2236 | SUPERAntiSpyware[1].exe | 74.201.114.183:80 | events.webflowmetrics.com | Internap Network Services Corporation | US | unknown

DNS requests

Domain | IP | Reputation
cdn.superantispyware.com | 93.184.221.133 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
events.webflowmetrics.com | 74.201.114.183 | suspicious
www.superantispyware.com | 74.201.114.185 | suspicious

Threats

PID | Process | Class | Message
3388 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP

Process | Message
SUPERAntiSpyware.exe | start menu folder
SUPERAntiSpyware.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\
SUPERAntiSpyware.exe | BANNER HAS NOT CHANGED