File name: 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c

Full analysis: https://app.any.run/tasks/cb5a9161-ac75-44b4-9357-122a91bb898c
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:19:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: A8ECECDAD8A44347E8AF2408B0DDC9C6
SHA1: 0F1FC08E0FE14933A7259D9F7EDD6507A82D0122
SHA256: 05F15239DEC7FD810585B4B2D0992FD35ACF56132D4F21A93C25DF3C1524C30C
SSDEEP: 3072:oSvVVVVVVVVwgWsgW2uFN1u8h55q8I+r8xLhWJEd2aNB415kUe7/wF:oSvVVVVVVVVguFTDhfqfWJUNo5kUe7/e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
    • Executable content was dropped or overwritten

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
    • Creates file in the systems drive root

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
  • INFO

    • Creates files or folders in the user directory

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
    • UPX packer has been detected

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
    • Checks supported languages

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x7f80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

start #ZOMBIE 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe

Process information

PID | CMD | Path | Indicators | Parent process
4628 | "C:\Users\admin\Desktop\05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe" | C:\Users\admin\Desktop\05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 423
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | - | - | - | -
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 605321030E25969C7948F39A20D04E3C | D2D1F6BA68A0545164DA384BB818767122BE00E249BCA99EB915C46D1804C87E
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | DE6C6B9F4AD8D4BCDF99001D57B7C733 | 7097644C17B3BD64A57F5F17835379EA156306FC3A7E5EED862BA1B9F9F7D275
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 31D0F84F79C4C2ACCE67FD3853CA1F26 | E67B6C9742F715248283B3FE23D042982875C506BB1AECD7252ECCF66782FDFA
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | 99BD39BA25480083CAD18B089DD7881C | 8108A7328BE767A51FE9914E09575186AE2B760D29B36FC2179EF929BC433B3C
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | 7CDAA05DFFA93ACD08C74B684C3E4551 | 73E9372DBF8A950D5A7D0AB7B1020B404E0616693D9196D5DEF1DBB95663497B
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | 99BD39BA25480083CAD18B089DD7881C | 8108A7328BE767A51FE9914E09575186AE2B760D29B36FC2179EF929BC433B3C
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | CD1205A255AB271E5442C4EB34086283 | 49EC5B1AFCCAB7C4FC712A931E52241CD945343CDDC9400D0065695F6E825C34
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable | FF2262B5B2803EFFA834AAABF00509E7 | 13359A01640B75A8ACC8D4FD53BD2A8FA9B9F2CF935578FE0F9332F963F77CED
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | 674E2D64E47A9A3BEFDFB2ECA6606DB3 | 8B0ADCA7C1EA039C9B1842BE4E7BACE3543E286DEB5BAD5BD8E3298931BB5E44
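The dropped-file paths above are best read with UAC file virtualization in mind. A 32-bit, non-manifested process running at medium integrity (this sample is PE32, linker version 6, integrity level MEDIUM) that tries to create files under C:\ or C:\Program Files has those writes silently redirected to %LOCALAPPDATA%\VirtualStore\<same relative path>. The VirtualStore entries therefore record where the sample tried to write (the system drive root and the Acrobat install directory), which is what the "Creates file in the systems drive root" and "creates files with name similar to system file names" signatures are reacting to. The script below is an added example written for this page, not ANY.RUN's code. It rebuilds the nine dropped-file rows as constructed input in the fused form the extracted report shows, splits them using the PID from the process table (the assumption being that only PID 4628 wrote files in this run), undoes the VirtualStore redirection to recover the intended path, and tags each write with the same categories the report's signatures use.

```python
import re
from typing import Dict, List

# PID(s) of the sample from the report's "Process information" table. Taking
# the PID from a known list is what makes the fused rows unambiguous to split
# (assumption: only the sample, PID 4628, dropped files in this run).
KNOWN_PIDS = {"4628"}
SAMPLE = "05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe"
VSTORE = r"C:\Users\admin\AppData\Local\VirtualStore"
RECYCLE = r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001"

# Constructed input: the nine "Dropped files" rows rebuilt exactly as the
# extracted report runs them together (PID + process + path + type).
SAMPLE_ROWS = [
    "4628" + SAMPLE + VSTORE + r"\bootTel.dat.tmp" + "executable",
    "4628" + SAMPLE + VSTORE + r"\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp" + "executable",
    "4628" + SAMPLE + VSTORE + r"\BOOTNXT.tmp" + "executable",
    "4628" + SAMPLE + RECYCLE + r"\desktop.ini.exe" + "executable",
    "4628" + SAMPLE + VSTORE + r"\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp" + "executable",
    "4628" + SAMPLE + RECYCLE + r"\desktop.ini.tmp" + "executable",
    "4628" + SAMPLE + VSTORE + r"\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp" + "executable",
    "4628" + SAMPLE + VSTORE + r"\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp" + "executable",
    "4628" + SAMPLE + VSTORE + r"\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp" + "executable",
]

ROW_RE = re.compile(
    r"^(?P<pid>" + "|".join(sorted(KNOWN_PIDS, key=len, reverse=True)) + r")"
    r"(?P<process>.+?\.exe)"          # image name ends at the first ".exe"
    r"(?P<path>[A-Za-z]:\\.*?)"       # path starts at the drive letter
    r"(?P<type>executable|text|unknown)$"
)
# UAC file virtualization: a 32-bit, non-manifested, medium-integrity process
# that writes under C:\ or C:\Program Files is redirected to
# %LOCALAPPDATA%\VirtualStore\<same relative path>. Undo that redirection to
# recover the path the sample actually tried to write.
VSTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$",
    re.IGNORECASE,
)
PROGFILES_RE = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
RECYCLE_RE = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\", re.IGNORECASE)
PE_EXTS = {"exe", "dll", "sys", "scr", "ocx", "cpl", "drv"}


def intended_path(path: str) -> str:
    """Map a VirtualStore path back to the location the process targeted."""
    m = VSTORE_RE.match(path)
    return f"{m.group('drive')}:\\{m.group('rest')}" if m else path


def classify(intended: str, ftype: str) -> List[str]:
    """Tag a dropped file with the report's own suspicious-write categories."""
    tags = []
    parts = intended.split("\\")
    if len(parts) == 2:                       # "C:" + filename, nothing between
        tags.append("system-drive-root")
    if PROGFILES_RE.match(intended):
        tags.append("program-files")
    if RECYCLE_RE.match(intended):
        tags.append("recycle-bin")
    name = parts[-1].lower()
    if name.endswith(".tmp"):                 # staging name; judge the final name
        name = name[:-4]
    stem, _, ext = name.rpartition(".")
    if ext in PE_EXTS and "." in stem:        # desktop.ini.exe style
        tags.append("double-extension")
    if ftype == "executable" and ext not in PE_EXTS:   # PE bytes under a .dat/.png/.ini name
        tags.append("pe-content-non-pe-name")
    return tags


def triage(rows: List[str]) -> List[Dict[str, object]]:
    """Split the fused report rows and annotate each dropped file."""
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue                          # e.g. the report's incomplete first row
        target = intended_path(m.group("path"))
        out.append({
            "pid": m.group("pid"),
            "process": m.group("process"),
            "written_path": m.group("path"),
            "intended_path": target,
            "virtualized": target != m.group("path"),
            "type": m.group("type"),
            "tags": classify(target, m.group("type")),
        })
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE_ROWS):
        flag = "VS" if entry["virtualized"] else "  "
        print(f"{flag} {entry['intended_path']}  {','.join(entry['tags'])}")
```

Run against the nine rows, the script reports two writes aimed at the system drive root, five at the Acrobat install directory and two into the user's $Recycle.Bin folder; the $Recycle.Bin writes are not virtualized because that location is writable at medium integrity. The double-extension heuristic is deliberately simple and will also flag benign names such as setup.v2.exe, so treat it as a triage hint rather than a verdict.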
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
21
DNS requests
8
Threats
0

HTTP requests

All four requests below are Windows background CRL fetches by MoUsoCoreWorker.exe (PID 4712) and svchost.exe (PID 488); none originate from the analysed sample (PID 4628).

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.37.202.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
488 | svchost.exe | GET | 200 | 23.37.202.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
488 | svchost.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
488 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.21.110.146:443 | www.bing.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
488 | svchost.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.37.202.100:80 | www.microsoft.com | Linknet-Fastnet ASN | ID | whitelisted
488 | svchost.exe | 23.37.202.100:80 | www.microsoft.com | Linknet-Fastnet ASN | ID | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
www.bing.com | 2.21.110.146, 2.21.110.139 | whitelisted
google.com | 172.217.16.142 | whitelisted
crl.microsoft.com | 23.32.238.112, 23.32.238.107 | whitelisted
www.microsoft.com | 23.37.202.100 | whitelisted
self.events.data.microsoft.com | 20.42.65.94 | whitelisted

Threats

No threats detected
No debug info