File name: 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe
Full analysis: https://app.any.run/tasks/bdb8066a-1ed8-4c2b-9ab0-7680b75b5b9a
Verdict: Malicious activity
Analysis date: January 10, 2025, 23:06:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 4AE4B14E3B65B197D3ACFC66BBCE5053
SHA1: 13BBE87DC07D88524B4214D0F8B2536FBBAC23C1
SHA256: 0E64579F96EA13352BE8BC49A97B561E78C372AA1C1F04EE2EF962A9211EF21F
SSDEEP: 12288:DvVVVVVVVVTfuj5q4uFTDhSfWJUNo5kUe7evVVVVVVVVTfuj5q4uFTDhSfWJUNoh:Hfuj5DuFRSfWJUq5kUe+fuj5DuFRSfWj
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)
  • SUSPICIOUS

    • Creates a file in the system drive root

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)
    • Executable content was dropped or overwritten

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)
    • The process creates files with name similar to system file names

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)
  • INFO

    • Creates files or folders in the user directory

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)
    • UPX packer has been detected

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)
    • Checks supported languages

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)
No Malware configuration.

TRiD

Extension | File type (confidence, %)
.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x7f80
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
All screenshots are available in the full report
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #ZOMBIE 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe

Process information

PID | CMD | Path | Indicators | Parent process
3772 | "C:\Users\admin\Desktop\0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe" | C:\Users\admin\Desktop\0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | | explorer.exe

User: admin
Integrity Level: MEDIUM
Modules (loaded images)

c:\users\admin\desktop\0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 289
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | BA569D6462BE67A7CB8D13C7DE9B7E7D | 846D229444383CBF11D7B5E3F4AEC1B96199675773A8AEF928CA5D78F5C55893
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 80C5F7F5C9CE7967855A827B3B95F8BD | 90364BA7AC567E0ABBFC027F050725243A97BC04D56A8A524A713BAB119B7559
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | 9CDF914F5A0BA3CA6659CE181F82B9CD | A459EBB2FFAE8CCCCCCB569EE777E98601215B8057F981D145165AFF983C5D0D
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | A5DF8BB5F07627C5831B649609F8CF92 | A367BDB69DE43BBF69F41C2DC2BE42C4D9A045B3F649E286DDF1BDB52931656F
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | 787E1EF846432A1547C5A731B1019ED2 | D38F0D5B1A415C26F7DE94A3B0A3B677A4DCC7B2B7CADEA17DA724CC53978580
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | 8EAA02770D7832BBCF3FA8CDAE16E0F0 | 84F769E244F7511D0420A9A680F5D826BE0F18141D6BDCCE33F90683EB4ADD62
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | 8EAA02770D7832BBCF3FA8CDAE16E0F0 | 84F769E244F7511D0420A9A680F5D826BE0F18141D6BDCCE33F90683EB4ADD62
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | D07E8594DE6612631FDBC384B3CF181A | E489A8FC70D1794AAE27E068213260F6B47DF60DD1C6F341184C7AE5B5B4CC34
3772 | 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | 505502F04FE20FE618CFC979913539A7 | 3342A499C57EE582A4FFB4372C9D3BF36EA93368D249CD42B3036874A16A374F
HTTP(S) requests: 4
TCP/UDP connections: 22
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5892 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5892 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5892 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 104.126.37.139:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5892 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5892 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208 | whitelisted
www.bing.com | 104.126.37.139, 104.126.37.155, 104.126.37.145, 104.126.37.137, 104.126.37.170, 104.126.37.162, 104.126.37.131, 104.126.37.130, 104.126.37.163 | whitelisted
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 13.69.116.107 | whitelisted

Threats

No threats detected
No debug info