File name: PDFSuperHero.zip
Full analysis: https://app.any.run/tasks/7ca03f49-aece-4a83-b9ef-9da9f5ecf152
Verdict: Malicious activity
Analysis date: December 15, 2023, 09:56:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 775AD667D0EF4026341487CE154FB4CB
SHA1: FEA5DC3994BA2C46CC97ED01FBE144C7AF9E0DFC
SHA256: 7B7468AD33CFCFD4B0F56E6E01D97503D1F2773E64C71A390D2D144B5BC475A1
SSDEEP: 98304:TFMAlrYI5m4AThyKeY2JzyPV1bd74hRRdidd/lG06nK7D8l3E2FkGKfMII57ZWcj:rP7YRS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads settings of System Certificates

      • PDFSuperHero.exe (PID: 2424)
    • Reads the Internet Settings

      • PDFSuperHero.exe (PID: 2424)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 280)
    • Manual execution by a user

      • PDFSuperHero.exe (PID: 2424)
      • wmpnscfg.exe (PID: 3140)
    • Reads Environment values

      • PDFSuperHero.exe (PID: 2424)
    • Reads the machine GUID from the registry

      • PDFSuperHero.exe (PID: 2424)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3140)
      • PDFSuperHero.exe (PID: 2424)
    • Checks supported languages

      • wmpnscfg.exe (PID: 3140)
      • PDFSuperHero.exe (PID: 2424)
    • Creates files or folders in the user directory

      • PDFSuperHero.exe (PID: 2424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: PDFSuperHero.exe
ZipUncompressedSize: 5320400
ZipCompressedSize: 4079589
ZipCRC: 0xfacfe194
ZipModifyDate: 2023:12:11 08:27:18
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report)

start; winrar.exe (no specs); pdfsuperhero.exe; wmpnscfg.exe (no specs)

Process information

PID: 280
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\PDFSuperHero.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 2424
CMD: "C:\Users\admin\Desktop\PDFSuperHero.exe"
Path: C:\Users\admin\Desktop\PDFSuperHero.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: PDF SuperHero
Exit code: 0
Version: 1.3.6
Modules (images):
  c:\users\admin\desktop\pdfsuperhero.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3140
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
Total events: 3 826
Read events: 3 806
Write events: 20
Delete events: 0

Modification events

(PID) Process: (280) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2424) PDFSuperHero.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 280
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb280.21585\PDFSuperHero.exe
Type: executable
MD5: A8FB8E325895C81FC2DE5AC4394D758A
SHA256: 712EF57C825C7147D00B8343213E2C22FF300C315D5818BC2F7902016AC923AC

PID: 2424
Process: PDFSuperHero.exe
Filename: C:\Users\admin\AppData\Local\PDFSuperHero\icon.ico
Type: image
MD5: C3114F9E45CB27EEBAA704F03EF4B52B
SHA256: 6198AB4F4B32A1B77D98817C872E133FAC63421C355112B33751EC9BF96E5BAE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
2424 | PDFSuperHero.exe | 13.107.246.45:443 | stats.pdfsuperhero.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
stats.pdfsuperhero.com | 13.107.246.45, 13.107.213.45 | malicious

Threats

No threats detected
No debug info