File name: 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d

Full analysis: https://app.any.run/tasks/d74a3dc5-353c-41f5-a36e-dd867c24b994
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:26:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: E7EDC9A2C14CA15A99DDDED2756982BD
SHA1: 08A3594FD0D51A2103C9B89E6BD55B5591970D5F
SHA256: 7C393F0F65087B857D9308BB1A27C0D9871FCC138AE672E45C5806198A306E6D
SSDEEP: 3072:oSvVVVVVVVVwgWsgW2uFN1u8h55q8I+r8xLhWJEd2aNB415kUe7/wA:oSvVVVVVVVVguFTDhfqfWJUNo5kUe7/r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (PID: 6236)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (PID: 6236)
  • INFO
    • Creates files or folders in the user directory
      • 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (PID: 6236)
    • Checks supported languages
      • 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (PID: 6236)
    • UPX packer has been detected
      • 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (PID: 6236)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x7f80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 119
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (#ZOMBIE)

Process information

PID: 6236
CMD: "C:\Users\admin\Desktop\7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe"
Path: C:\Users\admin\Desktop\7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe
Indicators: ZOMBIE (YARA), executable content dropped, UPX packer
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 193
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All rows below were written by 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (PID 6236).

Filename | Type | MD5 | SHA256
(filename and hashes not captured) | | |
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | 148ED80DEB4C60774999DE5B86391A6E | 9EA7DDBB9F11ED6AD50414B9265E8E2E1C23145C6E274526634A48C048849850
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | A50B8F62E92698362778BF8651B11EB5 | FC4EEBC97C67AF3E9301E5C266A6B88F2BB873358666E9914128180FA8880F8C
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | 10E400C37033EE8ABBD387993EA6D81B | 354EC786D1CD085A6EDD7FE7B4254B6850330F758DD4E2FE58995B08B1425DAC
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable | 8042DEEB1508BC48916418314F383F2B | E4EDB5ADD1744AE6C93A46FF6166A3080DD93827024C0030D535DA9B24312E47
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | 148ED80DEB4C60774999DE5B86391A6E | 9EA7DDBB9F11ED6AD50414B9265E8E2E1C23145C6E274526634A48C048849850
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable | 139A665BE655C1C3B11ED137DC5363F5 | 5469EE85252347257F1FD6D2A092578D6444E43E74DFDA5101D9573832B65689
C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 56AEB749A7D96ACFD9CCD2D638956553 | 66BE38F93F074549CD50549B251B4386933961B4F3E1FB2922D08EA5368D6158
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | C2D0429C78327A10644FFD427B906A15 | F4CCA2B6162E6F6BFBA631A1C41E6D71303044104C34FCB0A4F9E695619C8CE3
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | 0FCDCA9C3ABA832C897F19D817CBFFE4 | D7EA885955789C665DD9FE3D7D714CE25B1BDEEEC9D18DF65031FA6289B565F0
HTTP(S) requests: 3
TCP/UDP connections: 16
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.215.121.133:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
4160 | RUXIMICS.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | | unknown | | whitelisted
4160 | RUXIMICS.exe | GET | 200 | 23.215.121.133:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 192.168.100.255:138 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
736 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4160 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 2.21.110.146:443 | | AKAMAI-AS | DE | unknown
4160 | RUXIMICS.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4160 | RUXIMICS.exe | 23.215.121.133:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
736 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 23.215.121.133:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 23.32.238.107, 23.32.238.112 | whitelisted
www.microsoft.com | 23.215.121.133 | whitelisted
self.events.data.microsoft.com | 20.189.173.8 | whitelisted

Threats

No threats detected
No debug info