File name: 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d

Full analysis: https://app.any.run/tasks/0858ee5a-7548-4e91-a53f-d1ca9aeea7f1
Verdict: Malicious activity
Analysis date: January 10, 2025, 21:25:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: D45B1582136D31D094E490DF3BB6E241
SHA1: A4EF42581FE8E3F34D1330A031E303ACCA372206
SHA256: 21BE6E51B21A8E7BB605AA42047F885E97D60AF4EDF734D8A13CEDB7A3E0F98D
SSDEEP: 3072:cpDSvVVVVVVVV/OuO+pDSvVVVVVVVV/OuOO:cdSvVVVVVVVVrdSvVVVVVVVVT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
    • Executable content was dropped or overwritten

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
  • INFO

    • Creates files or folders in the user directory

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
    • UPX packer has been detected

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
    • Checks supported languages

      • 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe (PID: 5604)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2130
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #ZOMBIE 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe

Process information

PID: 5604
CMD: "C:\Users\admin\Desktop\21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe"
Path: C:\Users\admin\Desktop\21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 564
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
MD5: 39A177A78E8C2458C5DE686EA726133F
SHA256: 343509336A2ABC9471CA11FE4E7291C89DD8BC8154DC14F2DD6291E998DCE453

5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
MD5: 3A2316C1C0418B5F337ECACBC4444FC6
SHA256: 8AD75257B2E58ADE3926764D54F5CA91C620CC199721B952985CB466D360F2EF

5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
MD5: 0114254571CCFD98F959A6D31B8AAFD0
SHA256: 0B0F63BBB10228A3EB19766199BEFC66B79A78D92EE2CDD68A7C86C1DD8ADBDE

5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
MD5: 0550D74BE827921CD65F4896046E7166
SHA256: 66A4D12FD79D2B39F0FCD575758BFB35FDD1880F344FB69F06345F74AF8D7821

5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
MD5: 8943F64E11B5DED3FE7ED0909EC6DE1A
SHA256: 898D310D336474149D529249C11285473B72B52A8CE1157E8B4E5C71864871AF

5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
MD5: C9009478CC449181BE8C6C66F9219994
SHA256: DA3D5363979F58B151DB21525DECA9445FC2F345240961BAC8EEB571971140B7

5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
MD5: EBAF0CA961775C3CBF979B4F6AB7B8ED
SHA256: D6E3A0D5D7098CB012F65F741B91C8D65A8A4F67527EA95F2E9A60E1B9C11D3B

5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
MD5: FF83B2B33D92A306475B214CC5852326
SHA256: E2BE65EC5AF07D11FFD39CFB0138E96657B64C885B2DB06CA7B4DBC34D2A6435

5604 | 21be6e51b21a8e7bb605aa42047f885e97d60af4edf734d8a13cedb7a3e0f98d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable
MD5: 1BA9BB2CC49031D83909AA5716EC1F09
SHA256: B99EFD06AC3FF12DD030903797982BBA3139B1391819C22EB444CFE60B76763E
HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5448 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5160 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5160 | RUXIMICS.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5448 | svchost.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5160 | RUXIMICS.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 104.126.37.137:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5448 | svchost.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5448 | svchost.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5160 | RUXIMICS.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.137
  • 104.126.37.123
  • 104.126.37.131
  • 104.126.37.129
  • 104.126.37.139
  • 104.126.37.130
  • 104.126.37.145
  • 104.126.37.177
  • 104.126.37.186
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 23.48.23.158
  • 23.48.23.180
  • 23.48.23.173
  • 23.48.23.194
  • 23.48.23.156
  • 23.48.23.150
  • 23.48.23.137
  • 23.48.23.167
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
self.events.data.microsoft.com
  • 104.46.162.225
whitelisted

Threats

No threats detected
No debug info