URL:

http://cdn.superantispyware.com/SUPERAntiSpyware.exe

Full analysis: https://app.any.run/tasks/b40547f1-070f-459c-838b-d7eb5650614b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 01, 2019, 13:26:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

CEBC0558BFA25E331E56CB86BF7A6286

SHA1:

9326EBDD598E1A6D873D6A06BC8993D53224F1DE

SHA256:

21F2A7C9DD326DE2AF5426F2E4750938A74E3B8A92576763E596DA325CDA35AE

SSDEEP:

3:N1KdBLzVXLqWVjEednqSNVcSEXALN:CXzVbqKEe4SDEXuN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SUPERAntiSpyware[1].exe (PID: 2236)
      • REGSVR32.EXE (PID: 2832)
      • SASCORE.EXE (PID: 2292)
    • Application was dropped or rewritten from another process

      • SASCORE.EXE (PID: 3268)
      • SASCORE.EXE (PID: 2292)
      • SUPERAntiSpyware.exe (PID: 3768)
      • SSUPDATE.EXE (PID: 2960)
      • sas_enum_cookies.exe (PID: 1888)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3388)
    • Registers / Runs the DLL via REGSVR32.EXE

      • SUPERAntiSpyware[1].exe (PID: 2236)
    • Loads the Task Scheduler COM API

      • SUPERAntiSpyware.exe (PID: 3768)
    • Changes the autorun value in the registry

      • SASCORE.EXE (PID: 2292)
    • Loads the Task Scheduler DLL interface

      • SUPERAntiSpyware.exe (PID: 3768)
  • SUSPICIOUS

    • Creates or modifies windows services

      • SASCORE.EXE (PID: 3268)
      • SUPERAntiSpyware[1].exe (PID: 2236)
    • Creates files in the program directory

      • SUPERAntiSpyware[1].exe (PID: 1820)
      • SUPERAntiSpyware[1].exe (PID: 2236)
      • SASCORE.EXE (PID: 2292)
      • SUPERAntiSpyware.exe (PID: 3768)
    • Application launched itself

      • SUPERAntiSpyware[1].exe (PID: 1820)
    • Creates a software uninstall entry

      • SUPERAntiSpyware[1].exe (PID: 2236)
    • Creates COM task schedule object

      • REGSVR32.EXE (PID: 2832)
    • Executable content was dropped or overwritten

      • SUPERAntiSpyware[1].exe (PID: 2236)
    • Creates files in the user directory

      • SUPERAntiSpyware[1].exe (PID: 2236)
      • SUPERAntiSpyware.exe (PID: 3768)
    • Reads Internet Cache Settings

      • sas_enum_cookies.exe (PID: 1888)
    • Reads the cookies of Google Chrome

      • SUPERAntiSpyware.exe (PID: 3768)
    • Creates files in the Windows directory

      • SUPERAntiSpyware.exe (PID: 3768)
    • Reads the cookies of Mozilla Firefox

      • SUPERAntiSpyware.exe (PID: 3768)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2836)
    • Dropped object may contain Bitcoin addresses

      • SUPERAntiSpyware[1].exe (PID: 2236)
      • SUPERAntiSpyware.exe (PID: 3768)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3388)
    • Changes internet zones settings

      • iexplore.exe (PID: 2836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
50
Monitored processes
12
Malicious processes
6
Suspicious processes
0

Behavior graph

Graph legend: start; drop and start. Process nodes in the graph ("no specs" marks a node without recorded details): iexplore.exe, iexplore.exe, superantispyware[1].exe (no specs), superantispyware[1].exe, sascore.exe (no specs), sascore.exe, regsvr32.exe (no specs), superantispyware.exe, ssupdate.exe (no specs), cacls.exe (no specs), sas_enum_cookies.exe (no specs), cacls.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2836
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://cdn.superantispyware.com/SUPERAntiSpyware.exe
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3388
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1820
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\SUPERAntiSpyware[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\SUPERAntiSpyware[1].exe
Parent process: iexplore.exe
User:
admin
Company:
SUPERAntiSpyware
Integrity Level:
MEDIUM
Description:
SUPERAntiSpyware Free Edition Setup
Exit code:
0
Version:
8, 0, 0, 1026
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\r9zewh8d\superantispyware[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2236
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\SUPERAntiSpyware[1].exe" /runasadmin
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\SUPERAntiSpyware[1].exe
Parent process: SUPERAntiSpyware[1].exe
User:
admin
Company:
SUPERAntiSpyware
Integrity Level:
HIGH
Description:
SUPERAntiSpyware Free Edition Setup
Exit code:
0
Version:
8, 0, 0, 1026
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\r9zewh8d\superantispyware[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 3268
CMD: "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" -install -name:!SASCORE -display:"SAS Core Service" -description:"SUPERAntiSpyware Core Service" -pipe:sascoreservicepipe
Path: C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
Parent process: SUPERAntiSpyware[1].exe
User:
admin
Company:
SUPERAntiSpyware.com
Integrity Level:
HIGH
Description:
Core Service
Exit code:
0
Version:
6, 0, 0, 1082
Modules
Images
c:\program files\superantispyware\sascore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2292
CMD: "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE"
Path: C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
Parent process: services.exe
User:
SYSTEM
Company:
SUPERAntiSpyware.com
Integrity Level:
SYSTEM
Description:
Core Service
Version:
6, 0, 0, 1082
Modules
Images
c:\program files\superantispyware\sascore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2832
CMD: "C:\Windows\system32\REGSVR32.EXE" /s "C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL"
Path: C:\Windows\system32\REGSVR32.EXE
Parent process: SUPERAntiSpyware[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3768
CMD: "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
Path: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Parent process: SUPERAntiSpyware[1].exe
User:
admin
Company:
SUPERAntiSpyware
Integrity Level:
MEDIUM
Description:
SUPERAntiSpyware Application
Version:
8, 0, 0, 1026
Modules
Images
c:\program files\superantispyware\superantispyware.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2960
CMD: "C:\Program Files\SUPERAntiSpyware\SSUPDATE.EXE" *8.0.1026!{06CD588E-4BD7-4ab9-9938-0949231C9484}
Path: C:\Program Files\SUPERAntiSpyware\SSUPDATE.EXE
Parent process: SUPERAntiSpyware.exe
User:
admin
Company:
SUPERAntiSpyware.com
Integrity Level:
MEDIUM
Description:
SUPERAntiSpyware Update Application
Exit code:
4294967295
Version:
1, 0, 0, 1080
Modules
Images
c:\program files\superantispyware\ssupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 3508
CMD: "C:\Windows\System32\cacls.exe" "C:\System Volume Information" /E /G everyone:F
Path: C:\Windows\System32\cacls.exe
Parent process: SUPERAntiSpyware.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Control ACLs Program
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
1 973
Read events
1 784
Write events
181
Delete events
8

Modification events

(PID) Process: (2836) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value:
0
(PID) Process: (2836) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:
0
(PID) Process: (2836) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value:
1
(PID) Process: (2836) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value:
1
(PID) Process: (2836) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0
(PID) Process: (2836) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
(PID) Process: (2836) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {E88CEE65-0DC8-11E9-BAD8-5254004A04AF}
Value:
0
(PID) Process: (2836) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value:
4
(PID) Process: (2836) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value:
3
(PID) Process: (2836) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value:
E3070100020001000D001A0039007F00
Executable files
21
Suspicious files
25
Text files
24
Unknown types
36

Dropped files

PID
Process
Filename
Type
PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF751E650D3C9D4EB0.TMP
MD5:
SHA256:
PID: 3388
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\SUPERAntiSpyware[1].exe
MD5:
SHA256:
PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\SUPERAntiSpyware[1].exe
MD5:
SHA256:
PID: 1820
Process: SUPERAntiSpyware[1].exe
Filename: C:\ProgramData\SUPERSetup\setupvars-journal
MD5:
SHA256:
PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFD234161EF84DA469.TMP
MD5:
SHA256:
PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E88CEE65-0DC8-11E9-BAD8-5254004A04AF}.dat
MD5:
SHA256:
PID: 3388
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019010120190102\index.dat
Type: dat
MD5: 81D543B866EFE748DF789F6A60848D88
SHA256: 29260D1837119780A3D0231C071CA0DE14741F11C3B55A81606FE4176195DC5D
PID: 2836
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{E88CEE66-0DC8-11E9-BAD8-5254004A04AF}.dat
Type: binary
MD5: 3AE616D67EE5D21D0515DA4A21A7A00D
SHA256: 2659B018FF24758E7CE3B6AC2B619995A8C171B5E3D748782E2FF00F93E4E41D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
8
DNS requests
4
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3768
SUPERAntiSpyware.exe
GET
200
74.201.114.183:80
http://events.webflowmetrics.com/metrics.asmx/RecordEvent?sEventName=SASRPI_TrialOffer&sEventData=tag:SUPERAntiSpyware.exe_V6_Accepted%7Czo-sasref
US
xml
80 b
suspicious
3768
SUPERAntiSpyware.exe
GET
200
93.184.221.133:80
http://cdn.superantispyware.com/sascomponents/%7B06CD588E-4BD7-4AB9-9938-0949231C9484%7D.sas
US
binary
2.49 Kb
whitelisted
2236
SUPERAntiSpyware[1].exe
GET
200
74.201.114.183:80
http://events.webflowmetrics.com/metrics.asmx/RecordEvent?sEventName=SASRPI_Install&sEventData=tag:SUPERAntiSpywareChrome.exe_Chrome_V5_NotShown:2|zo-sasref
US
xml
80 b
suspicious
3768
SUPERAntiSpyware.exe
GET
200
93.184.221.133:80
http://cdn.superantispyware.com/appdata/sas/public/new.15243.SAS
US
binary
29.4 Mb
whitelisted
3768
SUPERAntiSpyware.exe
POST
200
74.201.114.185:80
http://www.superantispyware.com/application.php
US
text
125 b
suspicious
3768
SUPERAntiSpyware.exe
POST
200
74.201.114.185:80
http://www.superantispyware.com/application.php
US
text
16 b
suspicious
3768
SUPERAntiSpyware.exe
GET
200
93.184.221.133:80
http://cdn.superantispyware.com/appdata/sas/public/20000002.XML
US
text
188 b
whitelisted
3388
iexplore.exe
GET
200
93.184.221.133:80
http://cdn.superantispyware.com/SUPERAntiSpyware.exe
US
executable
35.4 Mb
whitelisted
3768
SUPERAntiSpyware.exe
POST
200
74.201.114.185:80
http://www.superantispyware.com/application.php
US
text
4 b
suspicious
3768
SUPERAntiSpyware.exe
POST
200
74.201.114.185:80
http://www.superantispyware.com/application.php
US
text
4 b
suspicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2836
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3388
iexplore.exe
93.184.221.133:80
cdn.superantispyware.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2236
SUPERAntiSpyware[1].exe
74.201.114.183:80
events.webflowmetrics.com
Internap Network Services Corporation
US
unknown
3768
SUPERAntiSpyware.exe
74.201.114.183:80
events.webflowmetrics.com
Internap Network Services Corporation
US
unknown
3768
SUPERAntiSpyware.exe
74.201.114.185:80
www.superantispyware.com
Internap Network Services Corporation
US
unknown
3768
SUPERAntiSpyware.exe
93.184.221.133:80
cdn.superantispyware.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
cdn.superantispyware.com
  • 93.184.221.133
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
events.webflowmetrics.com
  • 74.201.114.183
suspicious
www.superantispyware.com
  • 74.201.114.185
suspicious

Threats

PID
Process
Class
Message
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
Process: SUPERAntiSpyware.exe
Message: start menu folder
Process: SUPERAntiSpyware.exe
Message: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\
Process: SUPERAntiSpyware.exe
Message: BANNER HAS NOT CHANGED