File name: 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe

Full analysis: https://app.any.run/tasks/e3eb808f-de82-4478-a611-d638bf70eccb
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:34:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 76BBD116531F273ED0552D5CC95E9159
SHA1: 86F83AFF714DA00D9C191F609B875E2562DEFD4B
SHA256: 01822E83550CB3D27978798932FEA577916C40AB156153138D2D46C1A24C5F9B
SSDEEP: 24576:zfuj5ufuj5NuFRSfWJUq5kUekfuj5ufuj5NuFRSfWJUq5kUeJ:zfuj5ufuj5UFRSfWJ9kUekfuj5ufuj57

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
    • The process creates files with name similar to system file names

      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
    • Executable content was dropped or overwritten

      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
  • INFO

    • Creates files or folders in the user directory

      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
    • UPX packer has been detected

      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
    • Checks supported languages

      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe

Process information

PID: 3724
CMD: "C:\Users\admin\Desktop\01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe"
Path: C:\Users\admin\Desktop\01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe
Indicators:
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 114
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | | 
  MD5: | SHA256:
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: 675FBCC106D29ECD745EAFA9175BBEC3 | SHA256: 4D9828F4D38A4A26D96BDEAFC1695E6D83079C52AF10BC4D1D209E8713E8C29F
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: 37727A552010640C62BC4F53AE1526F7 | SHA256: 33AE22B1D822954F9BFB376C2A472E45ACF1ECD9F09FC2DC538A0E42C4477FD1
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: 5BBFB0A10AF8EACB8BA395461E4EB731 | SHA256: 141A48A5A8D0DA5FFC11EEC5B9AE7D963507E0BD42269792885B0913E3DD30C7
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
  MD5: 5318BF20968DFAB47A01522E784700C5 | SHA256: B2F475A0C2DEA879D7B59D8109BBC62EFB5465A6B44E1769535CB41F724C54C7
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: 37727A552010640C62BC4F53AE1526F7 | SHA256: 33AE22B1D822954F9BFB376C2A472E45ACF1ECD9F09FC2DC538A0E42C4477FD1
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
  MD5: 74F3AFE7855FF1BCC99C8F3C6753C1D3 | SHA256: FEEF0C6B54D9BC8F999917AD01CE0AA021F487C786423E5135B32DBCAA04C39C
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: A2A286D27CD13228ED3BB691752E4A4B | SHA256: 7596CA62C334DEC607D7F8483628EBA28B5362F1FCFFED3752621AA9BBA2BC32
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: 87BD75358428C0B41EE710095270E506 | SHA256: 18D020B17DF965DFE09C2CBC2F3AA1E9FD1F0B2019820B0139E5AD92164D5ECD
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: F06CEA8A7D9EF17B4147684299528C8E | SHA256: E83CF37E2B13263E1841CC6E005CD687B7FD389F1DA7FDDCF2642FEAC439F192
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 20
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2736 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2736 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2220 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2220 | RUXIMICS.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2736 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
2220 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2736 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2220 | RUXIMICS.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2736 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 2.23.227.208, 2.23.227.215 | whitelisted
google.com | 142.250.186.142 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
self.events.data.microsoft.com | 52.182.143.209 | whitelisted

Threats

No threats detected
No debug info