File name: 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229
Full analysis: https://app.any.run/tasks/e33c7e01-400c-4325-831b-5c75ce3d8aa9
Verdict: Malicious activity
Analysis date: January 10, 2025, 19:41:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 21E38433947121CB8D4DD51D7CDCFCCD
SHA1: A999C8A5BF54565240BF1940BB640C1C7B740958
SHA256: 0875E1BCD98CF7FD42FA702EFA058B5DFA3CB6A002ABBA63CA0A749547CA3229
SSDEEP: 12288:XvVVVVVVVVrfuj5q4uFTDhSfWJUNo5kUe7ZvVVVVVVVVrfuj5q4uFTDhSfWJUNoh:zfuj5DuFRSfWJUq5kUe9fuj5DuFRSfWH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe (PID: 1904)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe (PID: 1904)
    • Executable content was dropped or overwritten

      • 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe (PID: 1904)
    • The process creates files with name similar to system file names

      • 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe (PID: 1904)
  • INFO

    • Creates files or folders in the user directory

      • 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe (PID: 1904)
    • Checks supported languages

      • 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe (PID: 1904)
    • UPX packer has been detected

      • 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe (PID: 1904)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2130
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
No data.
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe

Process information

PID | CMD | Path | Indicators | Parent process
1904 | "C:\Users\admin\Desktop\0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe" | C:\Users\admin\Desktop\0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe | | explorer.exe

User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 255
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1904 | 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe | | | |
1904 | 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | 78B9260E0EAC4212EA0AD14D49E3DC11 | 005ADB57801008E21DE87D37CBFC20FFCFC39179A77CCFF6C4DF397D887148C2
1904 | 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | 5246FCEAFB95871B10CFCDBC1ED014B9 | 301E2406530471A2674D16DF72828B588836821DB5AC7C547857D36F51277BFF
1904 | 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | B22E8EE0E7301D18B36951DB0AF5A5AB | 203B8574A4F9D2ED7EBC93FC7256687ABB72369F92D021E47ED18C7F73FB0CA7
1904 | 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | 2FD519B450557F5FF501EE11D33F8A26 | AE76B5815EF389AC6D1E3CA346899FFB81A785F7EBE8F06D89C7BF6DD5A3F6BB
1904 | 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | 554F487A0987FA3D4E0B76F7924A5737 | 3958A600CF7AF84622586E052DE08F2A92EBBC4EF4B43FA2460BED1C7B46202D
1904 | 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 2A2099092D61E9B414BE10EC2BE6B951 | 8A11D09152FDECDA2D2A328E1E4366E541E7ED6070B52C6A6372A619C3E84054
1904 | 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | B1F7D3041841933F8321059B019F9E5A | C9BD659B6F0546BC08B9B0CB8F307B47209D355C3BCF20F618B212D7712C5640
1904 | 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 2D4F8F70263A6FA0F6442E966EC1F1E2 | 04BE019F03BCCD190CEF7542C646CDD28616038E22B431FC0A95E3274F0CA639
1904 | 0875e1bcd98cf7fd42fa702efa058b5dfa3cb6a002abba63ca0a749547ca3229.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | 2E018543CE8AFBDF49C8F728611A25B2 | 355A450AC9F7EDF09199A1330E00C5DF82B0DB8696F27757C7ABDFD11438AF48
HTTP(S) requests: 5
TCP/UDP connections: 21
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.183:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | | unknown | | whitelisted
440 | RUXIMICS.exe | GET | 200 | 23.48.23.183:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | | unknown | | whitelisted
2624 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
440 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
2624 | svchost.exe | GET | 200 | 23.48.23.183:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | | unknown | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
2624 | svchost.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
440 | RUXIMICS.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.183:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2624 | svchost.exe | 23.48.23.183:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
440 | RUXIMICS.exe | 23.48.23.183:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2624 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation

www.bing.com (whitelisted)
  • 104.126.37.145
  • 104.126.37.152
  • 104.126.37.154
  • 104.126.37.153
  • 104.126.37.155
  • 104.126.37.139
  • 104.126.37.137
  • 104.126.37.146
  • 104.126.37.131

google.com (whitelisted)
  • 142.250.185.110

crl.microsoft.com (whitelisted)
  • 23.48.23.183
  • 23.48.23.140
  • 23.48.23.139
  • 23.48.23.173
  • 23.48.23.194
  • 23.48.23.193
  • 23.48.23.138
  • 23.48.23.176
  • 23.48.23.137

www.microsoft.com (whitelisted)
  • 184.30.21.171

settings-win.data.microsoft.com (whitelisted)
  • 20.73.194.208
  • 51.104.136.2

self.events.data.microsoft.com (whitelisted)
  • 40.79.189.58

Threats

No threats detected
No debug info