File name:

639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122

Full analysis: https://app.any.run/tasks/e146711f-658c-451a-acc1-6bac973a7f89
Verdict: Malicious activity
Analysis date: January 11, 2025, 00:53:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

02715805E25E14E5B16E8849EF30D657

SHA1:

AE7ECB3F5ADFEAB52BCBF1664E49AE36BE5848F0

SHA256:

639B6EC0C8975FAA8584FC08485C509C044E087A475BFEC3E12FD19179F44122

SSDEEP:

12288:DvVVVVVVVVtu74R0vVVVVVVVVtu74RYvVVVVVVVVtu74R0vVVVVVVVVtu74R5Nf:U74RP74RD74RP74R5Nf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
    • Executable content was dropped or overwritten

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
    • The process creates files with name similar to system file names

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
  • INFO

    • Checks supported languages

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
    • Creates files or folders in the user directory

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
    • UPX packer has been detected

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x7f80
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe

Process information

PID
CMD
Path
Indicators
Parent process
6564"C:\Users\admin\Desktop\639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe" C:\Users\admin\Desktop\639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 364
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe
MD5:
SHA256:
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:DD2114159341AD1C8D2ACC2D6F0E2BDB
SHA256:3D4D8563E4EB09471B1AEAD6F043EDC7836D7B1DFD6566D87B664B1F633CD9A1
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:DD2114159341AD1C8D2ACC2D6F0E2BDB
SHA256:3D4D8563E4EB09471B1AEAD6F043EDC7836D7B1DFD6566D87B664B1F633CD9A1
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmpexecutable
MD5:918F30B9E59E62C6FE43E6997B1E2363
SHA256:BDC0A9FADBCDAFCB2248EABC9755685056C2BAB8646B4F33E51DB00EEBE4E185
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmpexecutable
MD5:D44B32C79C1A993D75B8E281B34C24AC
SHA256:BF827E8B0349267C275678D0A02EAE99C314380CCE4F4CD98A06317D07B369F6
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:9CF60F2D34D4C66910370815353D2161
SHA256:C35BF511A70C061320DEDB6FF3A08E1F452791F13EEB8061A111BE55B4669675
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:25C0A4319F61146E66DB69DF546C9379
SHA256:BC6559488D0C9955A9D5CF06CC753463D7A6D8AAB887ACD4D3441845B885CAB4
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:3DA775504271020205081EB9EDF54C5B
SHA256:5C46C1D3C30655A8AC4F2432C67CA9C70CB5E711958CCD0A4D342ACD97003C51
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:E721630035AFF3278012709636D72CDC
SHA256:D4C5D59BCE228D54F3FC45CD15752D7AD11323F90A6E015A6B2E9B585A84F682
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:C8BD8EE1416D4B6A4FABE5CF8C33DC2E
SHA256:063A67FA0D3E82373B231B39DD26F1615E7A0173A106541D068A97E42BB828F0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3040
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3040
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3040
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3040
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3040
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
self.events.data.microsoft.com
  • 52.182.141.63
whitelisted

Threats

No threats detected
No debug info