Windows Analysis Report
PDFProSuite.zip

Overview

General Information

Sample name: PDFProSuite.zip
Analysis ID: 1540390
MD5: 33c7fc9ac949dccdf3ceb9e7c0fe8e01
SHA1: 859183f20036eb0c57aadde80c1db3988eaaf824
SHA256: 958afe8419c237e522cc54206c424c7923d0554fec37252932e44e8599b29d14

Detection

Coinhive, Xmrig
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Coinhive miner
Yara detected Xmrig cryptocurrency miner
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Queries the volume information (name, serial number etc) of a device

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Bitcoin Miner

Source: Yara match File source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\PDFProSuite.userdata\EBWebView\Subresource Filter\Unindexed Rules\10.34.0.55\Part-FR, type: DROPPED
Source: classification engine Classification label: mal56.mine.winZIP@4/220@0/0
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\PDFProSuite
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_03
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\PDFProSuite\" -spe -an -ai#7zMap13170:78:7zEvent26253
Source: unknown Process created: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe "C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe"
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: PDFProSuite.zip Static file information: File size 37197404 > 1048576
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\PDFProSuite.userdata\EBWebView\Speech Recognition\1.15.0.1\Microsoft.CognitiveServices.Speech.core.dll
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\node_modules\libwebview-nodejs\build\Release\libwebview.node
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\7zG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\PDFProSuite.userdata\EBWebView\Speech Recognition\1.15.0.1\Microsoft.CognitiveServices.Speech.core.dll
Source: C:\Program Files\7-Zip\7zG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\node_modules\libwebview-nodejs\build\Release\libwebview.node
Source: C:\Users\user\Desktop\PDFProSuite\PDFProSuite\pdfprosuite.exe Queries volume information: C:\Users\user\.node_repl_history VolumeInformation
No contacted IP infos