File name: 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe

Full analysis: https://app.any.run/tasks/1ffaf7cc-60a7-481e-9126-34d6d3439f15
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:47:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 3C10E5AFEFA2B9817F3453A8CBCEB693
SHA1: 306CD6860047D31760C2377657C7E566053B43DA
SHA256: 2FE6A2D337BB9FC791249C6DBDF32876F29A9A98790C74E6E6BB08028875B80A
SSDEEP: 768:Eh1IqQMy6cJgKAUo9AvVVVVVVVVgSjSs5ZEPzWuqxWsqxW/:EhPpyASvVVVVVVVVWs5ZEDgWsgW/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • Executable content was dropped or overwritten

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • The process creates files with name similar to system file names

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
  • INFO

    • UPX packer has been detected

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • Creates files or folders in the user directory

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • Checks supported languages

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2130
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe

Process information

PID: 3040
CMD: "C:\Users\admin\Desktop\2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe"
Path: C:\Users\admin\Desktop\2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe
Indicators:
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 618
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | | 
  MD5:
  SHA256:

3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
  MD5: 328770757E87A79D3E02A2EE939B1BBA
  SHA256: EAF7A28A51FFFFB04701F89A07F18C6DC21D7E9F811459599ECC702C4FDD9F8B

3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: 6ECB3D236B4AFB6D0FBD7E9564740614
  SHA256: 8AB8238350F43233A2B27D999F02AC2A6CFEEB4B2891CC09E104F13AB50C3437

3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp | executable
  MD5: CFD475E3EB88FF88E7D16E8F0ABE70A0
  SHA256: 4B57EA80733522CDA1D4E4131EC7874D88E07AFAE70D371ABDA4492EC77C4B18

3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable
  MD5: D528B72DE057358D4125BFFFA9F53098
  SHA256: 1EABA4F0AB2F2F538DA1AF9A4DA0D2A78A51726829E58564B0ADF0492787C7F6

3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: DD6485B7BC48F96B86A97EED89BEA45E
  SHA256: C80CD8D8B2BCBC28D1BF7816070C598CA08A0051135ADFB1A05ECC98249829F7

3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
  MD5: FB800A97568F43938EA3DF045BA8E5C5
  SHA256: 5EDB949C5C469ED940362AB76682C10523C4D2021BA11E82D461F8EB708184F0

3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: 944122AFA1728BA9167AC913E5FB48D4
  SHA256: C0C32B83F48269DBD23F5A8C0C9965D15629DAA9A69D17D0631D79A4BEDDD66C

3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
  MD5: B82417934A0838E16FDC6BB078F7CFB7
  SHA256: FC2345B4FADA91A6D1AB698EDF4FEFECBE0E7BB4B23995AAF9452615E9C0114B

3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: DD6485B7BC48F96B86A97EED89BEA45E
  SHA256: C80CD8D8B2BCBC28D1BF7816070C598CA08A0051135ADFB1A05ECC98249829F7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 23
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5004 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5004 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5004 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | | | | unknown
4 | System | 192.168.100.255:137 | | | | unknown
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
 | | 104.126.37.144:443 | www.bing.com | Akamai International B.V. | DE | unknown
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5004 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
5004 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain | Reputation (resolved IPs listed below each domain)

settings-win.data.microsoft.com | unknown
  • 4.231.128.59
  • 51.124.78.146
  • 51.104.136.2

www.bing.com | unknown
  • 104.126.37.144
  • 104.126.37.186
  • 104.126.37.160
  • 104.126.37.177
  • 104.126.37.155
  • 104.126.37.179
  • 104.126.37.154
  • 104.126.37.161
  • 104.126.37.123

google.com | unknown
  • 142.250.185.238

crl.microsoft.com | unknown
  • 23.48.23.143
  • 23.48.23.156

www.microsoft.com | unknown
  • 184.30.21.171

self.events.data.microsoft.com | unknown
  • 20.189.173.9

Threats

No threats detected
No debug info