File name: 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9

Full analysis: https://app.any.run/tasks/710a3941-9a79-4a4a-9563-43c69cda770b
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:47:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
  • upx
  • zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: CEFD29D8B29E7B68FCD6AE6B93E6CCD4
SHA1: 25BB69205392A4D5CEC07137A637274869C90E0F
SHA256: 144DB6A34E9CAA6DC1575313B48C26234D484089A1FEB7BA7E9C34440D1A7DF9
SSDEEP: 768:Eh1IqQMy6cJgKAUo9AvVVVVVVVVgSjSs5ZEPzf:EhPpyASvVVVVVVVVWs5ZE7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)
    • Creates file in the system drive root

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)
    • Executable content was dropped or overwritten

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)
  • INFO

    • Checks supported languages

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)
    • Creates files or folders in the user directory

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)
    • UPX packer has been detected

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe

Process information

PID: 6096
CMD: "C:\Users\admin\Desktop\144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe"
Path: C:\Users\admin\Desktop\144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 751
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6096 | 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe | | 
  MD5:
  SHA256:
6096 | 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: F1578A39AD8900AC31A4ACD6F37EFAF8
  SHA256: 11B4461377246152179530DCE581E4852B0C93F454AEF44FDB45E7C2CCC67091
6096 | 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: A9459157D4D0E84C20976A5FA3553E73
  SHA256: 70F1588CAD0D6FBD8E48152B27EB3F5DBF3E4F4B0AD95FFC605876F282B8589B
6096 | 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: 1238E2FA7187D8C8287E14E69F113A1A
  SHA256: 71E041357DFBAA7212E1916404DF342628F18948070861C890E4758108AF0643
6096 | 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
  MD5: B74938B598C72D3B0183D8D950C527E6
  SHA256: 45A1422D05C2B4D0D63F7E74F68147B269A3BE0EAC76CE5B7C28D9897A3BF05E
6096 | 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable
  MD5: 847895C910278A4273EB9E68568EE2AF
  SHA256: D4B1876EAFC8CCE7DA235BD41AA0EACDFDE43BBB1649E816D64FD082417CECE6
6096 | 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable
  MD5: 6A89861DB638E0416B9A79CCDC33C5A6
  SHA256: 90589CA0EED7B9BD0F7CAF64E1BD336779CD525D100A24843AC27CFA38450933
6096 | 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
  MD5: 3EEF2410323B7CCF1FDFF05BBAEFC265
  SHA256: E9F00D6E79565AD026C7057747531F7C7FC6A3B7129C68E5DCFB90F63CB55617
6096 | 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
  MD5: B528BAD719A5799FEFE7413E2B78D2DD
  SHA256: 5E1C3BC30BC3D31C1E085789FB1BEA96255596B473F39F0AE8CD6D665E5B866D
6096 | 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
  MD5: 58574E5C33FE09FB2C15E1A18FE3FA10
  SHA256: 6D2B2361C9AB2CD92EC2F41C1F11B8235821A71466D20B8381A71F9F19D1C454
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 22
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4536 | svchost.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1140 | RUXIMICS.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4536 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1140 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1140 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4536 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 104.126.37.129:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4536 | svchost.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1140 | RUXIMICS.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4536 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
www.bing.com | 104.126.37.129, 104.126.37.139, 104.126.37.137, 104.126.37.131, 104.126.37.128, 104.126.37.178, 104.126.37.186, 104.126.37.177, 104.126.37.136 | whitelisted
google.com | 142.250.186.174 | whitelisted
crl.microsoft.com | 23.48.23.164, 23.48.23.143, 23.48.23.156, 23.48.23.176, 23.48.23.166, 23.48.23.173, 23.48.23.177 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 52.168.117.170 | whitelisted

Threats

No threats detected
No debug info