Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
pdfprosuite.exe.zip

Overview

General Information

Sample name:pdfprosuite.exe.zip
Analysis ID:1540378
MD5:8311446f4d49f353a699b04243a06d66
SHA1:34d3b4930ea2b34587e9ded7057a48f5999fb7f9
SHA256:1c6db95c0ace1d561fd0088c5f3a59846a90e711cae948c9ae57be9b0ef01f0e

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

  • System is w10x64_ra
  • rundll32.exe (PID: 5464 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • pdfprosuite.exe (PID: 6332 cmdline: "C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exe" MD5: 0C92689FC9800E1106197BD990871B7D)
    • conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: classification engineClassification label: clean0.winZIP@3/0@0/0
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeFile created: C:\Users\user\.node_repl_history
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknownProcess created: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exe "C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exe"
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeSection loaded: dbghelp.dll
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeSection loaded: powrprof.dll
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeSection loaded: umpdc.dll
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeSection loaded: kernel.appcore.dll
Source: pdfprosuite.exe.zipStatic file information: File size 26479845 > 1048576
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pdfprosuite.exe\pdfprosuite.exeQueries volume information: C:\Users\user\.node_repl_history VolumeInformation

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
Process Injection		1
Masquerading		OS Credential Dumping11
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Rundll32		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1540378
Start date and time:2024-10-23 17:53:03 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:19
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:pdfprosuite.exe.zip
Detection:CLEAN
Classification:clean0.winZIP@3/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .zip

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: pdfprosuite.exe.zip

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):7.995454979383814
TrID:
  • ZIP compressed archive (8000/1) 100.00%
File name:pdfprosuite.exe.zip
File size:26'479'845 bytes
MD5:8311446f4d49f353a699b04243a06d66
SHA1:34d3b4930ea2b34587e9ded7057a48f5999fb7f9
SHA256:1c6db95c0ace1d561fd0088c5f3a59846a90e711cae948c9ae57be9b0ef01f0e
SHA512:ea31f817df4532110a25d56686e9facbe36c8cc6975831d767a73bbe7a64817c0c447d88412aea70aa78a8a5f2e8bfac8c2c742fc7d41203623403f3df3a557d
SSDEEP:786432:H59Kp0Yug/7DG4KqEmzXtVjuypJj/x/esO+:HzKxuqXG4G6tpd/xm+
TLSH:564733CDC92449CFA83ED439CAB4AC23E69B859746E35B3D469CA31780E7776B31850C
File Content Preview:PK........k~WY.w`F......>.....pdfprosuite.exe.}.\S......h.b.-mC.k.jI.....&5..b.[...[......U.......=.j..n.W..g7....... .T....(j..3s.f........s..e..9g......A.....@ ....M .-..r...........W.}....BmN...e.b}|...........%......../..+'O./.[.dx.>.$\..Gl_....2v<<z.

File Icon

Icon Hash:1c1c1e4e4ececedc