File name:

DFIR.pdf

Full analysis: https://app.any.run/tasks/89fca8b0-79ac-46b8-a818-dae10cc6219a
Verdict: Malicious activity
Analysis date: May 04, 2024, 15:08:56
OS: Ubuntu 22.04.2
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5:

FD8D4E6FC696F111119FD0BDB615005E

SHA1:

2CEE425A78C2C30DB1DB92ECAB39A91AFE1E0321

SHA256:

9CE775734B47D214E97B659997419B6F08ED83988D3F6E853B8EE2F0306A0A4C

SSDEEP:

98304:t5i+bn565ESeSgza8U1S9UpjXOfEQ502MSQeVlIonoOvv7NpF8KN:t5/bnA5neSgzXU8+E50moOvv7Nr8KN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 9286)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, No debug
PEType: PE32+
LinkerVersion: 3
CodeSize: 7393792
InitializedDataSize: 2916864
UninitializedDataSize: -
EntryPoint: 0x553c0
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 238
Monitored processes: 15
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes in the graph, in order from the start node (each is tagged "no specs" in the report, i.e. it carries no indicator):
  • sh
  • sudo
  • nautilus
  • locale-check
  • systemd-hostnamed
  • bwrap
  • bwrap
  • evince-thumbnailer
  • bwrap
  • bwrap
  • evince-thumbnailer
  • nautilus
  • evince
  • dbus-daemon
  • evinced

Process information

PID: 9265
CMD: /bin/sh -c "DISPLAY=:0 sudo -iu user nautilus /tmp/DFIR\.pdf "
Path: /bin/sh
Parent process: any-guest-agent
User: user
Integrity Level: UNKNOWN

PID: 9266
CMD: sudo -iu user nautilus /tmp/DFIR.pdf
Path: /usr/bin/sudo
Parent process: sh
User: user
Integrity Level: UNKNOWN

PID: 9267
CMD: nautilus /tmp/DFIR.pdf
Path: /usr/bin/nautilus
Parent process: sudo
User: user
Integrity Level: UNKNOWN

PID: 9268
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: nautilus
User: user
Integrity Level: UNKNOWN
Exit code: 0

PID: 9286
CMD: /lib/systemd/systemd-hostnamed
Path: /lib/systemd/systemd-hostnamed
Parent process: systemd
User: root
Integrity Level: UNKNOWN
Exit code: 496

PID: 9295
CMD: bwrap --ro-bind /usr /usr --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --symlink /usr//bin /bin --symlink /usr//lib64 /lib64 --symlink /usr//lib /lib --symlink /usr//sbin /sbin --ro-bind-try /var/cache/fontconfig /var/cache/fontconfig --setenv GST_REGISTRY_1_0 /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0/gstreamer-1.0.registry --bind /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0 /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0 --ro-bind-try /etc/alternatives /etc/alternatives --proc /proc --dev /dev --chdir / --setenv GIO_USE_VFS local --unshare-all --die-with-parent --bind /tmp/gnome-desktop-thumbnailer-WMGFN2 /tmp --ro-bind /tmp/DFIR.pdf /tmp/DFIR.pdf --seccomp 24 evince-thumbnailer -s 256 file:///tmp/DFIR.pdf /tmp/gnome-desktop-thumbnailer.png
Path: /usr/bin/bwrap
Parent process: nautilus
User: user
Integrity Level: UNKNOWN
Exit code: 496

PID: 9296
CMD: bwrap --ro-bind /usr /usr --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --symlink /usr//bin /bin --symlink /usr//lib64 /lib64 --symlink /usr//lib /lib --symlink /usr//sbin /sbin --ro-bind-try /var/cache/fontconfig /var/cache/fontconfig --setenv GST_REGISTRY_1_0 /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0/gstreamer-1.0.registry --bind /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0 /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0 --ro-bind-try /etc/alternatives /etc/alternatives --proc /proc --dev /dev --chdir / --setenv GIO_USE_VFS local --unshare-all --die-with-parent --bind /tmp/gnome-desktop-thumbnailer-WMGFN2 /tmp --ro-bind /tmp/DFIR.pdf /tmp/DFIR.pdf --seccomp 24 evince-thumbnailer -s 256 file:///tmp/DFIR.pdf /tmp/gnome-desktop-thumbnailer.png
Path: /usr/bin/bwrap
Parent process: bwrap
User: user
Integrity Level: UNKNOWN
Exit code: 496

PID: 9297
CMD: evince-thumbnailer -s 256 file:///tmp/DFIR.pdf /tmp/gnome-desktop-thumbnailer.png
Path: /usr/bin/evince-thumbnailer
Parent process: bwrap
User: user
Integrity Level: UNKNOWN
Exit code: 496

PID: 9305
CMD: bwrap --ro-bind /usr /usr --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --symlink /usr//bin /bin --symlink /usr//lib64 /lib64 --symlink /usr//lib /lib --symlink /usr//sbin /sbin --ro-bind-try /var/cache/fontconfig /var/cache/fontconfig --setenv GST_REGISTRY_1_0 /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0/gstreamer-1.0.registry --bind /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0 /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0 --ro-bind-try /etc/alternatives /etc/alternatives --proc /proc --dev /dev --chdir / --setenv GIO_USE_VFS local --unshare-all --die-with-parent --bind /tmp/gnome-desktop-thumbnailer-7SECN2 /tmp --ro-bind /tmp/tracker-extract-3-files.1000/DFIR.pdf /tmp/DFIR.pdf --seccomp 12 evince-thumbnailer -s 256 file:///tmp/DFIR.pdf /tmp/gnome-desktop-thumbnailer.png
Path: /usr/bin/bwrap
Parent process: nautilus
User: user
Integrity Level: UNKNOWN
Exit code: 496

PID: 9306
CMD: bwrap --ro-bind /usr /usr --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --symlink /usr//bin /bin --symlink /usr//lib64 /lib64 --symlink /usr//lib /lib --symlink /usr//sbin /sbin --ro-bind-try /var/cache/fontconfig /var/cache/fontconfig --setenv GST_REGISTRY_1_0 /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0/gstreamer-1.0.registry --bind /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0 /home/user/.cache/gnome-desktop-thumbnailer/gstreamer-1.0 --ro-bind-try /etc/alternatives /etc/alternatives --proc /proc --dev /dev --chdir / --setenv GIO_USE_VFS local --unshare-all --die-with-parent --bind /tmp/gnome-desktop-thumbnailer-7SECN2 /tmp --ro-bind /tmp/tracker-extract-3-files.1000/DFIR.pdf /tmp/DFIR.pdf --seccomp 12 evince-thumbnailer -s 256 file:///tmp/DFIR.pdf /tmp/gnome-desktop-thumbnailer.png
Path: /usr/bin/bwrap
Parent process: bwrap
User: user
Integrity Level: UNKNOWN
Exit code: 496
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 9267
Process: nautilus
Filename: /home/user/.local/share/nautilus/tags/meta.db-wal

PID: 9267
Process: nautilus
Filename: /home/user/.local/share/nautilus/tags/meta.db-shm

PID: 9267
Process: nautilus
Filename: /home/user/.local/share/nautilus/tags/.meta.isrunning

PID: 9267
Process: nautilus
Filename: /tmp/flatpak-seccomp-98FFN2

PID: 9296
Process: bwrap
Filename: /newroot/etc/ld.so.cache

PID: 9296
Process: bwrap
Filename: /null

PID: 9296
Process: bwrap
Filename: /zero

PID: 9296
Process: bwrap
Filename: /full

PID: 9296
Process: bwrap
Filename: /random

PID: 9296
Process: bwrap
Filename: /urandom

(No file type, MD5 or SHA256 was recorded for any dropped file.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 9
DNS requests: 6
Threats: 0

HTTP requests

Method: GET
HTTP Code: 204
IP: 185.125.190.96:80
URL: http://connectivity-check.ubuntu.com/
CN: unknown
Reputation: unknown
(PID, process, content type and size were not recorded for this request.)

Connections

IP: 185.125.190.96:80
ASN: Canonical Group Limited
CN: GB
Reputation: unknown

IP: 91.189.91.48:80
ASN: Canonical Group Limited
CN: US
Reputation: unknown

IP: 195.181.175.15:443
ASN: Datacamp Limited
CN: DE
Reputation: unknown

IP: 185.125.188.55:443
Domain: api.snapcraft.io
ASN: Canonical Group Limited
CN: GB
Reputation: unknown

IP: 224.0.0.251:5353
Reputation: unknown

IP: 185.125.188.54:443
Domain: api.snapcraft.io
ASN: Canonical Group Limited
CN: GB
Reputation: unknown

IP: 212.102.56.178:443
ASN: Datacamp Limited
CN: DE
Reputation: unknown

IP: 185.125.188.58:443
Domain: api.snapcraft.io
ASN: Canonical Group Limited
CN: GB
Reputation: unknown

(PID and process were not recorded for any connection.)

DNS requests

Domain: api.snapcraft.io
IP:
  • 185.125.188.55
  • 185.125.188.59
  • 185.125.188.54
  • 185.125.188.58
Reputation: unknown

Domain: 127.100.168.192.in-addr.arpa
IP: (none recorded)
Reputation: unknown

Domain: connectivity-check.ubuntu.com
IP:
  • 2001:67c:1562::24
  • 2001:67c:1562::23
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::197
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::2b
Reputation: unknown

Threats

No threats detected
No debug info