File name: 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d

Full analysis: https://app.any.run/tasks/0858ee5a-7548-4e91-a53f-d1ca9aeea7f1
Verdict: Malicious activity
Analysis date: January 10, 2025, 21:25:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: D45B1582136D31D094E490DF3BB6E241
SHA1: A4EF42581FE8E3F34D1330A031E303ACCA372206
SHA256: 21BE6E51B21A8E7BB605AA42047F885E97D60AF4EDF734D8A13CEDB7A3E0F98D
SSDEEP: 3072:cpDSvVVVVVVVV/OuO+pDSvVVVVVVVV/OuOO:cdSvVVVVVVVVrdSvVVVVVVVVT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
    • Executable content was dropped or overwritten

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
  • INFO

    • Creates files or folders in the user directory

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
    • Checks supported languages

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
    • UPX packer has been detected

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe

Process information

PID: 5604
CMD: "C:\Users\admin\Desktop\21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe"
Path: C:\Users\admin\Desktop\21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 564
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were written by 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID 5604); the report lists the type of every file as "executable".

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp (executable)
MD5: 1BA9BB2CC49031D83909AA5716EC1F09
SHA256: B99EFD06AC3FF12DD030903797982BBA3139B1391819C22EB444CFE60B76763E

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp (executable)
MD5: 4C040FD71DF3FE5A36566512253475A3
SHA256: 7F714309F6486F32704FD1BFBFA144F4A580825BFE32AAB5C0E501FCB88A4EA8

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp (executable)
MD5: 39A177A78E8C2458C5DE686EA726133F
SHA256: 343509336A2ABC9471CA11FE4E7291C89DD8BC8154DC14F2DD6291E998DCE453

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp (executable)
MD5: 84C90A1978C76E0EE0A469558D31DB44
SHA256: 158F5AE0C08E15893490EF148CF8A1F498BAF8E05749CD82620B5828D5901AC9

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp (executable)
MD5: 0550D74BE827921CD65F4896046E7166
SHA256: 66A4D12FD79D2B39F0FCD575758BFB35FDD1880F344FB69F06345F74AF8D7821

C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp (executable)
MD5: 3B5D6DC13B2FF6C89D12D9975A94A0B2
SHA256: F1A8200D6600C1AA7BEC33D6133520A46DBA89403DD2BE2186FBB7CD3A791DBA

C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp (executable)
MD5: 3A2316C1C0418B5F337ECACBC4444FC6
SHA256: 8AD75257B2E58ADE3926764D54F5CA91C620CC199721B952985CB466D360F2EF

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp (executable)
MD5: AF8D5EA445736669C16F183709706C73
SHA256: 3364C673E4217EAA32CB55180EF399A612FAE5EDCBAA18D6A59964371FD2D6F8

C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp (executable)
MD5: EBAF0CA961775C3CBF979B4F6AB7B8ED
SHA256: D6E3A0D5D7098CB012F65F741B91C8D65A8A4F67527EA95F2E9A60E1B9C11D3B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5160 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
5448 | svchost.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
5160 | RUXIMICS.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
5448 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5160 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.137:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5448 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5448 | svchost.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5160 | RUXIMICS.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.137
  • 104.126.37.123
  • 104.126.37.131
  • 104.126.37.129
  • 104.126.37.139
  • 104.126.37.130
  • 104.126.37.145
  • 104.126.37.177
  • 104.126.37.186
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 23.48.23.158
  • 23.48.23.180
  • 23.48.23.173
  • 23.48.23.194
  • 23.48.23.156
  • 23.48.23.150
  • 23.48.23.137
  • 23.48.23.167
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
self.events.data.microsoft.com
  • 104.46.162.225
whitelisted

Threats

No threats detected
No debug info