File name: SuperCopier22beta.exe

Full analysis: https://app.any.run/tasks/70b5631e-1f2e-41f8-aad6-194cd030ff23
Verdict: Malicious activity
Analysis date: July 26, 2024, 08:47:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: AB0787C780AAA099CE2046242EDB6CD2
SHA1: 6DC4DF23B891FA8558B0A56BC9F18A31C68A1324
SHA256: 2BBF0D4BC3848B1489FB2314E210F5E308113725D929E356BFB29E41774E2927
SSDEEP: 24576:yo4wiMk6cgd/MX9vQ7NAKAWipfv3glBY/a7YJZvcGcqO:yo4NMk6cgd/u9vQ7NAKAWipfv3glBY/G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • SuperCopier22beta.exe (PID: 1180)
    • Registers / Runs the DLL via REGSVR32.EXE

      • SuperCopier22beta.exe (PID: 1180)
    • Changes the autorun value in the registry

      • SuperCopier22beta.exe (PID: 1180)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SuperCopier22beta.exe (PID: 1180)
    • Creates a software uninstall entry

      • SuperCopier22beta.exe (PID: 1180)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • SuperCopier22beta.exe (PID: 1180)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 6440)
      • SuperCopier22beta.exe (PID: 1180)
    • The process creates files with name similar to system file names

      • SuperCopier22beta.exe (PID: 1180)
    • Reads security settings of Internet Explorer

      • SuperCopier22beta.exe (PID: 1180)
    • Reads the date of Windows installation

      • SuperCopier22beta.exe (PID: 1180)
    • Start notepad (likely ransomware note)

      • SuperCopier22beta.exe (PID: 1180)
    • There is functionality for taking screenshot (YARA)

      • SuperCopier2.exe (PID: 2432)
  • INFO

    • Checks supported languages

      • SuperCopier22beta.exe (PID: 1180)
      • SuperCopier2.exe (PID: 2432)
    • Creates files in the program directory

      • SuperCopier22beta.exe (PID: 1180)
    • Reads the computer name

      • SuperCopier22beta.exe (PID: 1180)
      • SuperCopier2.exe (PID: 2432)
    • Creates files or folders in the user directory

      • SuperCopier22beta.exe (PID: 1180)
    • Create files in a temporary directory

      • SuperCopier22beta.exe (PID: 1180)
    • Process checks computer location settings

      • SuperCopier22beta.exe (PID: 1180)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 1328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:02:21 19:46:34+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x323c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 148
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: supercopier22beta.exe (start); slui.exe (no specs); regsvr32.exe (no specs); supercopier2.exe (THREAT, no specs); notepad.exe (no specs); slui.exe (no specs); supercopier22beta.exe (no specs)

Process information

PID: 396
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1180
CMD: "C:\Users\admin\AppData\Local\Temp\SuperCopier22beta.exe"
Path: C:\Users\admin\AppData\Local\Temp\SuperCopier22beta.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\supercopier22beta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1328
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Program Files (x86)\SuperCopier2\ReadMe.txt
Path: C:\Windows\SysWOW64\notepad.exe
Parent process: SuperCopier22beta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID: 2432
CMD: "C:\Program Files (x86)\SuperCopier2\SuperCopier2.exe"
Path: C:\Program Files (x86)\SuperCopier2\SuperCopier2.exe
Parent process: SuperCopier22beta.exe
User:
admin
Company:
SFX TEAM
Integrity Level:
HIGH
Description:
SuperCopier 2 (explorer file copy replacement)
Version:
2.2.0.650
Modules
Images
c:\program files (x86)\supercopier2\supercopier2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5196
CMD: "C:\Users\admin\AppData\Local\Temp\SuperCopier22beta.exe"
Path: C:\Users\admin\AppData\Local\Temp\SuperCopier22beta.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\supercopier22beta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6440
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\SuperCopier2\SC2ShellExt64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: SuperCopier22beta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 7108
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 8 699
Read events: 8 635
Write events: 61
Delete events: 3

Modification events

Process: (1180) SuperCopier22beta.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SuperCopier2
Operation: write
Name: DisplayName
Value: SuperCopier2

Process: (1180) SuperCopier22beta.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SuperCopier2
Operation: write
Name: UninstallString
Value: "C:\Program Files (x86)\SuperCopier2\SC2Uninst.exe"

Process: (1180) SuperCopier22beta.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SuperCopier2
Operation: write
Name: NoModify
Value: 1

Process: (1180) SuperCopier22beta.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SuperCopier2
Operation: write
Name: NoRepair
Value: 1

Process: (1180) SuperCopier22beta.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

Process: (1180) SuperCopier22beta.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Operation: write
Name: {68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}
Value: SC2ShellExt

Process: (6440) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68FF37C4-51BC-4c2a-A992-7E39BC0E706F}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

Process: (6440) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Operation: write
Name: {68FF37C4-51BC-4c2a-A992-7E39BC0E706F}
Value: SC2ShellExt64

Process: (1180) SuperCopier22beta.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: GlobalAssocChangedCounter
Value: 12

Process: (1180) SuperCopier22beta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: SuperCopier2.exe
Value: C:\Program Files (x86)\SuperCopier2\SuperCopier2.exe
Executable files: 7
Suspicious files: 1
Text files: 4
Unknown types: 4

Dropped files

PID | Process | Filename | Type

1180 | SuperCopier22beta.exe | C:\Program Files (x86)\SuperCopier2\SC2ShellExt.dll | executable
MD5: 19F660F424D5BCE99928886F86EBEE34
SHA256: E3F17CEF1914D142DCB93EA57AB5F6C3731E8EF9352D986BF10F09F15D12A607

1180 | SuperCopier22beta.exe | C:\Users\admin\AppData\Local\Temp\nscAF6.tmp\LangDLL.dll | executable
MD5: 1775E8FE7832F0351D4024BA3478C58D
SHA256: A2A159540C738C7BC4D6CE8DD203BF859078409C0021A2A60F4B0FAA5352D375

1180 | SuperCopier22beta.exe | C:\Program Files (x86)\SuperCopier2\SC2Config.exe | executable
MD5: 7ABED2B3EC1B782F13F908A48A3C3DFA
SHA256: 5798A868CE9810598B96B9E26D2CEF4B0FF71C48DA74C427F828AE7B5989F715

1180 | SuperCopier22beta.exe | C:\Program Files (x86)\SuperCopier2\Languages\Français.lng | text
MD5: 274951CA8417896DBC07C3D8546AAFC0
SHA256: 41EF87600E8BF5369A6B412646BA1F4BD4C01291DF026E15FDFB7B7943625900

1180 | SuperCopier22beta.exe | C:\Program Files (x86)\SuperCopier2\SC2ShellExt64.dll | executable
MD5: 44838089C7BC1FB1F9A3B8F5F645B0E0
SHA256: 2B8601DF6655F2DD0A4E4E0D51E7AE109D41912D2A6AC934EADC05B4DCA9D4CE

1180 | SuperCopier22beta.exe | C:\Program Files (x86)\SuperCopier2\SC2Uninst.exe | executable
MD5: C7C387C89D0CA4BEEC414BA554B1EA05
SHA256: 7153A230C51789F5B963458F291333DAA877B1BD80FFCF711C99B6916F9C3BE5

1180 | SuperCopier22beta.exe | C:\Program Files (x86)\SuperCopier2\SuperCopier2.exe | executable
MD5: F6987FF6C6D683F79FDCE707B071A997
SHA256: 0F775F059C06596116AD4AA29207348A6216F7E785BFAF451825FA278F76EECF

1180 | SuperCopier22beta.exe | C:\Program Files (x86)\SuperCopier2\ReadMe.txt | text
MD5: 691157B7221D9492F716247425F918D7
SHA256: 52269B101F4C8CEAC9B0D51AF041CD99312773627B1BB8452F040AFFFEA97D5B

1180 | SuperCopier22beta.exe | C:\Program Files (x86)\SuperCopier2\LisezMoi.txt | text
MD5: F17FD7456C5A78B684DA93D62B7D792D
SHA256: 1D127B1D69F61FEFC16CF7516226BA7E878D970146BEE212E685FEAFD0F2664B

1180 | SuperCopier22beta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SuperCopier2\Menu access.lnk | lnk
MD5: 457EEA0A4838AFC2CFA6E13D01CC3318
SHA256: 7948032565CA85BA9DDE215EDE56197BC1F498AC77060D80FDC9ADDC175C5678
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 52
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

4424 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
3676 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
5804 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
4132 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | whitelisted
5368 | SearchApp.exe | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
5368 | SearchApp.exe | 184.86.251.15:443 | www.bing.com | Akamai International B.V. | DE | unknown
484 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6012 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4340 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | whitelisted
4248 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5368 | SearchApp.exe | 13.107.246.60:443 | fp-afd-nocache-ccp.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation

t-ring-fdv2.msedge.net | 13.107.237.254 | unknown
a-ring-fallback.msedge.net | 131.253.33.254 | unknown
www.bing.com | 184.86.251.15, 184.86.251.19, 184.86.251.21, 184.86.251.20, 184.86.251.22, 184.86.251.23, 184.86.251.24, 184.86.251.17, 184.86.251.18 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.185.110 | whitelisted
fp-afd-nocache-ccp.azureedge.net | 13.107.246.60 | whitelisted
login.live.com | 40.126.32.136, 40.126.32.140, 20.190.160.20, 40.126.32.134, 40.126.32.68, 20.190.160.22, 40.126.32.138, 20.190.160.17 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted

Threats

No threats detected
No debug info