File name: 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe

Full analysis: https://app.any.run/tasks/1ffaf7cc-60a7-481e-9126-34d6d3439f15
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:47:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 3C10E5AFEFA2B9817F3453A8CBCEB693
SHA1: 306CD6860047D31760C2377657C7E566053B43DA
SHA256: 2FE6A2D337BB9FC791249C6DBDF32876F29A9A98790C74E6E6BB08028875B80A
SSDEEP: 768:Eh1IqQMy6cJgKAUo9AvVVVVVVVVgSjSs5ZEPzWuqxWsqxW/:EhPpyASvVVVVVVVVWs5ZEDgWsgW/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • The process creates files with name similar to system file names

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • Executable content was dropped or overwritten

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
  • INFO

    • Checks supported languages

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • Creates files or folders in the user directory

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • UPX packer has been detected

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe

Process information

PID: 3040
CMD: "C:\Users\admin\Desktop\2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe"
Path: C:\Users\admin\Desktop\2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe
Indicators:
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1 618
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | | | |
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 944122AFA1728BA9167AC913E5FB48D4 | C0C32B83F48269DBD23F5A8C0C9965D15629DAA9A69D17D0631D79A4BEDDD66C
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | 92CC3576CEE31B042B02FC713E8DF7C1 | 7062E420A6BAACC5AFD66B0A75447B7C292E0DD22D86FEFD3DF764842879B446
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | A14D502A9EC6368BEFC83B772D7B4F6C | B8BA2F96502BAFC6D6E080E6233D23F0B5A8B86CCE145804EDB49EE995524CD2
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | DD6485B7BC48F96B86A97EED89BEA45E | C80CD8D8B2BCBC28D1BF7816070C598CA08A0051135ADFB1A05ECC98249829F7
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | DD6485B7BC48F96B86A97EED89BEA45E | C80CD8D8B2BCBC28D1BF7816070C598CA08A0051135ADFB1A05ECC98249829F7
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | 328770757E87A79D3E02A2EE939B1BBA | EAF7A28A51FFFFB04701F89A07F18C6DC21D7E9F811459599ECC702C4FDD9F8B
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | 2FF3E06A7C6DD7AFBA713D596F621A9B | AC67D22F65D901540B7659FD1866AE4522F936E63A6DEB2D51E6F6B4B2682F48
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | 7BAC9B89981BFC71B50AB7CECF27538B | 28DE38C516520A9B3F63B1974D3A48610250BFEE2B87F1636D86E7AAD9C0CCC6
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 88F404A390698337C9FB9ECE6C1BE4E9 | 6C67A5DF8B2F006DDFA8B00129106F95C7F670D7F83440C3910EDD34B7E251A9
HTTP(S) requests: 4
TCP/UDP connections: 23
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5004 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5004 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5004 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | | | | unknown
4 | System | 192.168.100.255:137 | | | | unknown
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
| | 104.126.37.144:443 | www.bing.com | Akamai International B.V. | DE | unknown
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5004 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
5004 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 51.104.136.2
unknown
www.bing.com
  • 104.126.37.144
  • 104.126.37.186
  • 104.126.37.160
  • 104.126.37.177
  • 104.126.37.155
  • 104.126.37.179
  • 104.126.37.154
  • 104.126.37.161
  • 104.126.37.123
unknown
google.com
  • 142.250.185.238
unknown
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
unknown
www.microsoft.com
  • 184.30.21.171
unknown
self.events.data.microsoft.com
  • 20.189.173.9
unknown

Threats

No threats detected
No debug info