File name: 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe

Full analysis: https://app.any.run/tasks/e3eb808f-de82-4478-a611-d638bf70eccb
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:34:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 76BBD116531F273ED0552D5CC95E9159
SHA1: 86F83AFF714DA00D9C191F609B875E2562DEFD4B
SHA256: 01822E83550CB3D27978798932FEA577916C40AB156153138D2D46C1A24C5F9B
SSDEEP: 24576:zfuj5ufuj5NuFRSfWJUq5kUekfuj5ufuj5NuFRSfWJUq5kUeJ:zfuj5ufuj5UFRSfWJ9kUekfuj5ufuj57

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
  • SUSPICIOUS
    • Creates file in the system drive root
      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
    • Executable content was dropped or overwritten
      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
    • The process creates files with names similar to system file names
      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
  • INFO
    • UPX packer has been detected
      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
    • Creates files or folders in the user directory
      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
    • Checks supported languages
      • 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe (PID: 3724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2130
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #ZOMBIE 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe

Process information

PID: 3724
CMD: "C:\Users\admin\Desktop\01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe"
Path: C:\Users\admin\Desktop\01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 088
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | - | -
    MD5: - | SHA256: -
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
    MD5: 690F0CFF7E71157D5B42CAC1E5E5D08E | SHA256: F065768BFBE8EF1BEFD892D517E815D9C0F62D5D92D939DD6E3B1893DACC129C
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
    MD5: F06CEA8A7D9EF17B4147684299528C8E | SHA256: E83CF37E2B13263E1841CC6E005CD687B7FD389F1DA7FDDCF2642FEAC439F192
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
    MD5: DC11C97D70AA93CD12F3C868B87CC116 | SHA256: 9BFD1A8A500E4A348BA9B45655E93ADAF1E864A1023B556785DC033C688D6A64
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
    MD5: 37727A552010640C62BC4F53AE1526F7 | SHA256: 33AE22B1D822954F9BFB376C2A472E45ACF1ECD9F09FC2DC538A0E42C4477FD1
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable
    MD5: 8DFFC22B419F2D96759BD8406A32ADDE | SHA256: 42289961A1146BFCB030DD25E2BC2F7B808C5158F1ACA8942AE828CC47AECDC2
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable
    MD5: E47E421FB0E014224C2143B1FAA04E62 | SHA256: 60329BB0A87B957E06D0C2D49A82C389D79AA94345799F1F434DD04759CD53CD
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
    MD5: 74F3AFE7855FF1BCC99C8F3C6753C1D3 | SHA256: FEEF0C6B54D9BC8F999917AD01CE0AA021F487C786423E5135B32DBCAA04C39C
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
    MD5: 37727A552010640C62BC4F53AE1526F7 | SHA256: 33AE22B1D822954F9BFB376C2A472E45ACF1ECD9F09FC2DC538A0E42C4477FD1
3724 | 01822e83550cb3d27978798932fea577916c40ab156153138d2d46c1a24c5f9b.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
    MD5: 87BD75358428C0B41EE710095270E506 | SHA256: 18D020B17DF965DFE09C2CBC2F3AA1E9FD1F0B2019820B0139E5AD92164D5ECD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 20
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2220 | RUXIMICS.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2736 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2736 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2220 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2736 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
2220 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2736 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2220 | RUXIMICS.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2736 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 2.23.227.208, 2.23.227.215 | whitelisted
google.com | 142.250.186.142 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
self.events.data.microsoft.com | 52.182.143.209 | whitelisted

Threats

No threats detected
No debug info