File name:

639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122

Full analysis: https://app.any.run/tasks/e146711f-658c-451a-acc1-6bac973a7f89
Verdict: Malicious activity
Analysis date: January 11, 2025, 00:53:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

02715805E25E14E5B16E8849EF30D657

SHA1:

AE7ECB3F5ADFEAB52BCBF1664E49AE36BE5848F0

SHA256:

639B6EC0C8975FAA8584FC08485C509C044E087A475BFEC3E12FD19179F44122

SSDEEP:

12288:DvVVVVVVVVtu74R0vVVVVVVVVtu74RYvVVVVVVVVtu74R0vVVVVVVVVtu74R5Nf:U74RP74RD74RP74R5Nf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
    • The process creates files with name similar to system file names

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
    • Executable content was dropped or overwritten

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
  • INFO

    • Creates files or folders in the user directory

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
    • Checks supported languages

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
    • UPX packer has been detected

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x7f80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe

Process information

PID
CMD
Path
Indicators
Parent process
6564"C:\Users\admin\Desktop\639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe" C:\Users\admin\Desktop\639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 364
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe
MD5:
SHA256:
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmpexecutable
MD5:B8DC43B2E89431B6CF817FEF4F2C2676
SHA256:40AE31E067297CC171D48B8508145A8A59BC113515625D51B6ABBFAB891D7D56
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:7AAAC923779EAA8D523CC97E1BC03C40
SHA256:1010CD0A33FB0EEDCB0FB037902E0F2580755EEF023243BFFA358B61C82BF0D6
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:DD2114159341AD1C8D2ACC2D6F0E2BDB
SHA256:3D4D8563E4EB09471B1AEAD6F043EDC7836D7B1DFD6566D87B664B1F633CD9A1
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:9CF60F2D34D4C66910370815353D2161
SHA256:C35BF511A70C061320DEDB6FF3A08E1F452791F13EEB8061A111BE55B4669675
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:E721630035AFF3278012709636D72CDC
SHA256:D4C5D59BCE228D54F3FC45CD15752D7AD11323F90A6E015A6B2E9B585A84F682
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmpexecutable
MD5:2E3728FFC23B903BD3D95CE7D50DD9BC
SHA256:994A11A9AC871B2A252E6FE8384946AADE314865466082E8B899F9511C9CBB2E
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmpexecutable
MD5:CA3F05276D89B3A4CC900F2C58A246A7
SHA256:7C6D1E0CDD4070EFCCEFDBF548A23F5AF296CAD72D91E9E49F57B5DF0E63B42F
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.tmpexecutable
MD5:E8CE1B687046D8DF7EF8A15AD139B1FA
SHA256:603873893DE336A7EED61DFE6D66F8069D0D5863B490B3C1F7B05085D27886F1
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmpexecutable
MD5:A116C56F08C3CB471D6FDD824E321504
SHA256:938EFE4737918489BF36CC2F9D94F26C336643DA35BC36BC09C842D8EEB96AE8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3040
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3040
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3040
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3040
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3040
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
self.events.data.microsoft.com
  • 52.182.141.63
whitelisted

Threats

No threats detected
No debug info