File name:

Hermetic PDF Exploit.exe

Full analysis: https://app.any.run/tasks/d471fdc5-7c37-4625-909e-41cd7aabce02
Verdict: Malicious activity
Analysis date: November 28, 2024, 07:43:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xor-url
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 12 sections
MD5:

13C974B3BFD0C27F2A0F348B92DB5C53

SHA1:

3598277632874855CFC117C78F5844C35A1263D2

SHA256:

8CEDBE5BF720A1594EB4C27E0D2E0E34DA980F9EF7CDE12A9DB98625BF3DDFF2

SSDEEP:

6144:m17QQ0fba/ve0WXWfbI31fn/VE+Gd/vdabX666yKKqqF0jS:m17QHfbaXe1WfbgtPGdXdabF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XORed URL has been found (YARA)

      • Hermetic PDF Exploit.exe (PID: 2380)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads the computer name

      • Hermetic PDF Exploit.exe (PID: 2380)

    • Checks supported languages

      • Hermetic PDF Exploit.exe (PID: 2380)

    • Reads the machine GUID from the registry

      • Hermetic PDF Exploit.exe (PID: 2380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:21 08:18:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.36
CodeSize: 122368
InitializedDataSize: 301568
UninitializedDataSize: 4096
EntryPoint: 0x10f6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XOR-URL hermetic pdf exploit.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2380"C:\Users\admin\AppData\Local\Temp\Hermetic PDF Exploit.exe" C:\Users\admin\AppData\Local\Temp\Hermetic PDF Exploit.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\hermetic pdf exploit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
Total events
4 348
Read events
4 272
Write events
73
Delete events
3

Modification events

(PID) Process:(2380) Hermetic PDF Exploit.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(2380) Hermetic PDF Exploit.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
040000000E0000000300000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:(2380) Hermetic PDF Exploit.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4
Operation:writeName:MRUListEx
Value:
040000000000000005000000020000000100000003000000FFFFFFFF
(PID) Process:(2380) Hermetic PDF Exploit.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\Shell
Operation:writeName:SniffedFolderType
Value:
Documents
(PID) Process:(2380) Hermetic PDF Exploit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:GlobalAssocChangedCounter
Value:
105
(PID) Process:(2380) Hermetic PDF Exploit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
491F486700000000
(PID) Process:(2380) Hermetic PDF Exploit.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
0E000000040000000300000000000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:(2380) Hermetic PDF Exploit.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
Operation:writeName:Mode
Value:
4
(PID) Process:(2380) Hermetic PDF Exploit.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
Operation:writeName:LogicalViewMode
Value:
1
(PID) Process:(2380) Hermetic PDF Exploit.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
Operation:writeName:FFlags
Value:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
30
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.20.245.138:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6236
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
7032
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7032
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.20.245.138:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.128:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1076
svchost.exe
23.32.186.57:443
go.microsoft.com
AKAMAI-AS
BR
whitelisted
1176
svchost.exe
20.190.160.14:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 2.20.245.138
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.177
  • 104.126.37.185
  • 104.126.37.170
  • 104.126.37.131
  • 104.126.37.186
  • 104.126.37.171
  • 104.126.37.130
  • 104.126.37.184
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.32.186.57
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.68
  • 40.126.32.133
  • 20.190.160.22
  • 40.126.32.74
  • 40.126.32.72
  • 20.190.160.17
  • 40.126.32.140
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
fd.api.iris.microsoft.com
  • 20.103.156.88
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Hermetic PDF Exploit.exe