File name: 3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe

Full analysis: https://app.any.run/tasks/25105d5f-7a3f-41c6-bb72-b57231fb0bdf
Verdict: Malicious activity
Analysis date: January 11, 2025, 00:45:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: D671321FF7DCE4A8E0F6B180556FCB2D
SHA1: 794A41CC79681B2F3A1D5788B34CDA28EC92F2F2
SHA256: 3998D04D564BA0F40F4CA6EBE2C01EC0278A555C5B6ED4A6C86F8D88F24917AC
SSDEEP: 24576:Hfuj5DuFRSfWJUq5kUe+fuj5DuFRSfWJUq5kUeofuj5DuFRSfWJUq5kUe+fuj5Dh:Hfuj56FRSfWJ9kUe+fuj56FRSfWJ9kUi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • 3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe (PID: 6268)
  • SUSPICIOUS
    • Creates a file in the system drive root
      • 3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe (PID: 6268)
    • Executable content was dropped or overwritten
      • 3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe (PID: 6268)
    • The process creates files with names similar to system file names
      • 3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe (PID: 6268)
  • INFO
    • Creates files or folders in the user directory
      • 3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe (PID: 6268)
    • Checks supported languages
      • 3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe (PID: 6268)
    • UPX packer has been detected
      • 3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe (PID: 6268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

Extension | File type | Match (%)
.exe | UPX compressed Win32 Executable | 64.2
.dll | Win32 Dynamic Link Library (generic) | 15.6
.exe | Win32 Executable (generic) | 10.6
.exe | Generic Win/DOS Executable | 4.7
.exe | DOS Executable Generic | 4.7

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x7f80
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 114
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe

Process information

PID: 6268
CMD: "C:\Users\admin\Desktop\3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe"
Path: C:\Users\admin\Desktop\3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images loaded)
c:\users\admin\desktop\3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 020
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were written by PID 6268 (3998d04d564ba0f40f4ca6ebe2c01ec0278a555c5b6ed4a6c86f8d88f24917ac.exe); "-" marks a cell that is empty in the report.

Filename | Type | MD5 | SHA256
- | - | - | -
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | 183FDF99FCCDA193C158F146D0BDEA3F | FA9037981419323CB186305B1A364F8D7BD31D4E17A944BA449AAFC3A34660A9
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.tmp | executable | 25DC476C264A81A5CC3DF5C2715B15E9 | 03FFBF777B1799B5C0F789A32B45924F6F54A5FEDEC7178AC4895EE5C7D8CBCE
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | E05632F28500692844076F130408BAEA | 59331656DD4F8E9A3782BF12C388315930D948762D0B277DBA2B8CB00AFA2156
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | B4549C6159996EE89AB4DCFFFFBDA93F | A608B993057056E53AB154A61970B1D8C2170B7B5DC699F43A0EFCA3548F043A
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | C401D0AD03C4ED14E9D26FB599483C56 | E2D66218635D8A448FE570FA0E1E6692EEB3F52965EDB9A4CEAD169AD0C091F2
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable | 63DD4CB7136065CF31FA31E0FD6DFB87 | 8F8B991547ED93F5901554FEF8C30F0520FB7E89D566DA0B048C7AA77322E79F
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | 20558A503B7D228C7E7BB6D5990F480A | 0D3A8A729221D7E6E447053AD337290AF64837AB899F86D003E7F2563071EA04
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | 20558A503B7D228C7E7BB6D5990F480A | 0D3A8A729221D7E6E447053AD337290AF64837AB899F86D003E7F2563071EA04
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | 644EC8393CEFB154AFE868457F7EB82E | 670DA17C2FFAA0F34B063A4917EBA25587E1437B123289D2F0492C3675A4A53C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 19
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3976 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 51.104.136.2 | whitelisted
google.com | 172.217.16.142 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
self.events.data.microsoft.com | 104.46.162.224 | whitelisted

Threats

No threats detected
No debug info