| File name: | 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4 |
| Full analysis: | https://app.any.run/tasks/47534f94-385a-453e-804e-5d9c086e6560 |
| Verdict: | Malicious activity |
| Analysis date: | January 10, 2025, 21:53:31 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections |
| MD5: | AC1FC8284D18AA671706661778D16F81 |
| SHA1: | 87DEB56CED369238096027812AA212593EDA7898 |
| SHA256: | 2CA0E2AFE43BA6EB8A069B84B7FDC9B55C0498E4035DFADCCF9E71B043B6CDB4 |
| SSDEEP: | 12288:DvVVVVVVVVtu74R0vVVVVVVVVtu74RYvVVVVVVVVtu74R0vVVVVVVVVtu74R5NA:U74RP74RD74RP74R5NA |
MALICIOUS
ZOMBIE has been detected (YARA)
- 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)
SUSPICIOUS
Executable content was dropped or overwritten
- 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)
The process creates files with name similar to system file names
- 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)
INFO
Creates files or folders in the user directory
- 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)
Checks supported languages
- 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)
UPX packer has been detected
- 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (64.2) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.6) |
| .exe | | | Win32 Executable (generic) (10.6) |
| .exe | | | Generic Win/DOS Executable (4.7) |
| .exe | | | DOS Executable Generic (4.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2011:03:15 04:06:07+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 8192 |
| InitializedDataSize: | 4096 |
| UninitializedDataSize: | 24576 |
| EntryPoint: | 0x7f80 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6220 | "C:\Users\admin\Desktop\2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe" | C:\Users\admin\Desktop\2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
Total events
11
Read events
11
Write events
0
Delete events
0
Modification events
Executable files
1 386
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6220 | 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe | — | ||
MD5:— | SHA256:— | |||
| 6220 | 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | |
MD5:A14FEFA7A80D336FCF9A57E5A057DD23 | SHA256:ECE4E516F738774ABB6B1D1F8DB8FC19D073DA5D1E20C1615DE30414D2EAA7AF | |||
| 6220 | 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | |
MD5:3A2EDE664C0D2574AEC4D9B990ABD613 | SHA256:627951B1BE01F83174B2901921B179D28E83B82A47B2354A6659E2572871BA71 | |||
| 6220 | 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | |
MD5:BD23B545970587E3861DDB974B81FA39 | SHA256:DB2B629E6FD9A1960ADEB0C205B9D453E70407FA357CC75E45D574D5FCC5C45B | |||
| 6220 | 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable | |
MD5:26F1EE63B1AA5BFAF7ACB5832A3F5B0C | SHA256:B8B4A3A86421A04E12A7CB994C9A5F3DB18CC04E9BDE529DC714B503088AE27E | |||
| 6220 | 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | |
MD5:ED9DE365A2F628C2B7F4B83DF7D93CE8 | SHA256:2BE54BCB9E7E1C3DCE38BE7D0053054C55BFDB07ACD9520EE6C1F8AB2921EB5A | |||
| 6220 | 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | |
MD5:193C03C5BCEC2483171518C68992D4A4 | SHA256:EBEA1DD9DB28EA4E2AEC9752BB7CB86C57F6106952D60A0E5AB27C7A1C29E816 | |||
| 6220 | 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | |
MD5:DA272034D993818D858C430BD2EA6F75 | SHA256:5F9CD87C79CC104DD94A89AF57F10BCB2A3CE3D1C5ED7F4ECE473455AC642432 | |||
| 6220 | 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | |
MD5:193C03C5BCEC2483171518C68992D4A4 | SHA256:EBEA1DD9DB28EA4E2AEC9752BB7CB86C57F6106952D60A0E5AB27C7A1C29E816 | |||
| 6220 | 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | |
MD5:443EB6415649316AC509450AFBABC8A8 | SHA256:F85DCDA7B4565605E118F380CC48ABFD3AF7EA941BF14DB7DC79E7E7F792B03A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
18
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3000 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3000 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3000 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3000 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
3000 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
3000 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |