File name: 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe

Full analysis: https://app.any.run/tasks/d3937433-1de5-433e-9e73-90bc78130378
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:16:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 4291D1F08DD6113BF2AEEC009F6A6982
SHA1: 7EE2EBFA312BC029C831F4F519611B17D4C2CD73
SHA256: 917CE3341C85A86923DE21D414862C94550AFDAC9CB5B4766543FC1096E4A23C
SSDEEP: 1536:EhPpyASvVVVVVVVVWs5jfzQ/F3ZdUsj5qKEruDrDCKmrqTYQS8wgS5YxciXndnc9:cpDSvVVVVVVVVrfQF3Esj5qePCKy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe (PID: 4428)
  • SUSPICIOUS
    • Creates file in the system drive root
      • 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe (PID: 4428)
    • Executable content was dropped or overwritten
      • 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe (PID: 4428)
    • The process creates files with names similar to system file names
      • 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe (PID: 4428)
  • INFO
    • Creates files or folders in the user directory
      • 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe (PID: 4428)
    • UPX packer has been detected
      • 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe (PID: 4428)
    • Checks supported languages
      • 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe (PID: 4428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2130
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe

Process information

PID: 4428
CMD: "C:\Users\admin\Desktop\917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe"
Path: C:\Users\admin\Desktop\917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1,667
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4428 | 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | D2EDFB77D10970C4BD57F7281DEC473C | CD2FDD096D1A5AAB181ECBA8A10294276EB8012F7FE3A7C669E6471E979E3A96
4428 | 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | D4D45543E9F1F90CEDD3032D8C7489BF | AD1A2D9E9A8145722F08397060249B8744184A3CF012D9D52F07938B1D9181E2
4428 | 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | 231587E622F773B64431F4326109C870 | B80F0B9F0DFEB17015DB253A357DA6DE747A1095D51EFB1C176C838A94AA746A
4428 | 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | C0295F044C08B2C4529E139502B8D408 | CD2BF044C04BE05E076A81E9E94852C5BF1B9B23A240719CD22D871E2AEDBDE1
4428 | 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | D5FAAF95A89F3A26AD0C2D046D7B37D1 | 0262CB04D1A363B1B39799C8419359EE912A7C3FDF3B93CE875849C1987E680B
4428 | 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | D21B1C442EE246A9C4326141A5BE26AB | B40333DD9BD9552F9CD98861D1B213ACEEB90F0C1E6CD57E1EE755A7C712ABEF
4428 | 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | 90C6F0A60AEC4BA819B5E1B2E6489573 | 193CDDD8E78ADFD6D5AB8CC52ABDA9CD5015593CA7539C677C20A5F88A577924
4428 | 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable | A252487B8E9B32F68C80F44EF29B9D00 | FD6CDE9C420592B6A0F25C8AD74FA045540231E7722E2B723CA44A6824C366D9
4428 | 917ce3341c85a86923de21d414862c94550afdac9cb5b4766543fc1096e4a23c.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | C0295F044C08B2C4529E139502B8D408 | CD2BF044C04BE05E076A81E9E94852C5BF1B9B23A240719CD22D871E2AEDBDE1
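Triage of the dropped-files table above, as an added example that is not part of the ANY.RUN report and not ANY.RUN code. The rows are copied from the table. Three things a practitioner wants pulled out of such a table are done here: VirtualStore paths are mapped back to the protected location the process was trying to write (UAC file virtualization redirects writes by a medium-integrity 32-bit process without an execution-level manifest into %LOCALAPPDATA%\VirtualStore; treating the redirect root as C:\ is this example's assumption, consistent with the bootmgr.tmp and Program Files entries), rows sharing a SHA256 under different names are paired (a .tmp stage and the name it was renamed to), and staged copies whose target name is not an executable format, yet typed "executable" by the sandbox, are listed. The extension sets are assumptions chosen for this data.

```python
"""Triage of the "Dropped files" rows from the report (added example, not ANY.RUN code)."""
import ntpath  # handles Windows backslash paths on any host
import re
from collections import defaultdict

# Copied from the report: (path, MD5, SHA256). Every row belongs to PID 4428.
DROPPED = [
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp",
     "D2EDFB77D10970C4BD57F7281DEC473C", "CD2FDD096D1A5AAB181ECBA8A10294276EB8012F7FE3A7C669E6471E979E3A96"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp",
     "D4D45543E9F1F90CEDD3032D8C7489BF", "AD1A2D9E9A8145722F08397060249B8744184A3CF012D9D52F07938B1D9181E2"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp",
     "231587E622F773B64431F4326109C870", "B80F0B9F0DFEB17015DB253A357DA6DE747A1095D51EFB1C176C838A94AA746A"),
    (r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp",
     "C0295F044C08B2C4529E139502B8D408", "CD2BF044C04BE05E076A81E9E94852C5BF1B9B23A240719CD22D871E2AEDBDE1"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp",
     "D5FAAF95A89F3A26AD0C2D046D7B37D1", "0262CB04D1A363B1B39799C8419359EE912A7C3FDF3B93CE875849C1987E680B"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp",
     "D21B1C442EE246A9C4326141A5BE26AB", "B40333DD9BD9552F9CD98861D1B213ACEEB90F0C1E6CD57E1EE755A7C712ABEF"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp",
     "90C6F0A60AEC4BA819B5E1B2E6489573", "193CDDD8E78ADFD6D5AB8CC52ABDA9CD5015593CA7539C677C20A5F88A577924"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp",
     "A252487B8E9B32F68C80F44EF29B9D00", "FD6CDE9C420592B6A0F25C8AD74FA045540231E7722E2B723CA44A6824C366D9"),
    (r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe",
     "C0295F044C08B2C4529E139502B8D408", "CD2BF044C04BE05E076A81E9E94852C5BF1B9B23A240719CD22D871E2AEDBDE1"),
]

# UAC file-virtualization redirect root for the sandbox user; assumption: it maps onto C:\.
VIRTUALSTORE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\", re.IGNORECASE)
EXEC_EXT = {"exe", "dll", "scr", "sys"}                 # assumption: PE-carrying extensions
NON_EXEC_EXT = {"ini", "pdf", "tlb", "txt", "doc", "jpg"}  # assumption: document/config formats


def real_target(path):
    """Protected path a VirtualStore write was aimed at; other paths are returned unchanged."""
    return VIRTUALSTORE.sub(r"C:\\", path)


def staged_name(path):
    """'Acrobat.exe.tmp' -> 'Acrobat.exe'; None if the file is not a .tmp stage."""
    name = ntpath.basename(path)
    return name[:-4] if name.lower().endswith(".tmp") else None


def double_extension(path):
    """True for names like desktop.ini.exe: an executable suffix glued onto a
    document/config file name (the report's 'name similar to system file names')."""
    parts = ntpath.basename(path).lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in NON_EXEC_EXT


def triage(rows):
    """Group the table by content and by write target; returns a dict of findings."""
    by_hash = defaultdict(list)
    for path, _md5, sha256 in rows:
        by_hash[sha256].append(path)
    return {
        # identical content under two names: the .tmp stage and its final name
        "renamed_pairs": {h: paths for h, paths in by_hash.items() if len(paths) > 1},
        # writes that UAC redirected away from Program Files / the drive root
        "virtualized": {p: real_target(p) for p, _, _ in rows if VIRTUALSTORE.match(p)},
        # PE content (type 'executable') staged under a non-executable file name
        "pe_under_nonexec_name": sorted(
            staged_name(p) for p, _, _ in rows
            if staged_name(p) and staged_name(p).rsplit(".", 1)[-1].lower() in NON_EXEC_EXT
        ),
        "double_extension": [p for p, _, _ in rows if double_extension(p)],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(DROPPED))
```

On this table the only hash seen twice is CD2BF044…, under desktop.ini.tmp and desktop.ini.exe in the user's $Recycle.Bin folder, so the .tmp was renamed to the final .exe; the seven VirtualStore rows resolve to C:\Program Files\Adobe\Acrobat DC\Acrobat\… and to C:\BOOTNXT.tmp and C:\bootmgr.tmp, i.e. writes the medium-integrity process could not make directly.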
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 15
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2632 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
2632 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2632 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2632 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2632 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146 | whitelisted
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.166, 23.48.23.147, 23.48.23.176, 23.48.23.143 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
self.events.data.microsoft.com | 51.116.246.105 | whitelisted
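Attribution of the network activity in the tables above, as an added example that is not part of the ANY.RUN report and not ANY.RUN code. Rows are copied from the Connections and DNS requests tables; the one connection the report shows without a PID is kept with pid=None. The check a reader should make before accepting "Threats: 0" is whether any traffic belongs to the monitored sample (PID 4428) at all, which hosts were resolved without a connection following, and which connections are unattributed. The set of monitored PIDs is taken from the process table; nothing else is assumed.

```python
"""Attribute the report's connections and DNS answers to processes (added example, not ANY.RUN code)."""
from collections import defaultdict

MONITORED = {4428}  # the sample's PID, from the process table

# Copied from the Connections table: (pid, process, ip:port, domain). None = not shown in the report.
CONNECTIONS = [
    (4712, "MoUsoCoreWorker.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:137", None),
    (2632, "svchost.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:138", None),
    (None, None, "51.124.78.146:443", "settings-win.data.microsoft.com"),
    (4712, "MoUsoCoreWorker.exe", "23.48.23.156:80", "crl.microsoft.com"),
    (2632, "svchost.exe", "23.48.23.156:80", "crl.microsoft.com"),
    (4712, "MoUsoCoreWorker.exe", "23.52.120.96:80", "www.microsoft.com"),
    (2632, "svchost.exe", "23.52.120.96:80", "www.microsoft.com"),
    (4712, "MoUsoCoreWorker.exe", "51.124.78.146:443", "settings-win.data.microsoft.com"),
]

# Copied from the DNS requests table: domain -> resolved addresses.
DNS = {
    "settings-win.data.microsoft.com": ["51.104.136.2", "51.124.78.146"],
    "google.com": ["142.250.184.238"],
    "crl.microsoft.com": ["23.48.23.156", "23.48.23.166", "23.48.23.147", "23.48.23.176", "23.48.23.143"],
    "www.microsoft.com": ["23.52.120.96"],
    "self.events.data.microsoft.com": ["51.116.246.105"],
}


def sample_connections(conns, monitored=MONITORED):
    """Connections made by the monitored sample process(es)."""
    return [c for c in conns if c[0] in monitored]


def by_process(conns):
    """Connections grouped by process name; rows with no process shown are skipped."""
    groups = defaultdict(list)
    for pid, proc, ipport, domain in conns:
        if proc is not None:
            groups[proc].append(ipport)
    return dict(groups)


def unattributed(conns):
    """Connections the report lists without a PID/process."""
    return [c for c in conns if c[0] is None]


def attribute_by_dns(conns, dns):
    """Domain(s) whose DNS answers contain the IP of each unattributed connection."""
    return {
        c[2]: sorted(d for d, ips in dns.items() if c[2].rsplit(":", 1)[0] in ips)
        for c in unattributed(conns)
    }


def resolved_but_unconnected(dns, conns):
    """Names that were resolved although no listed connection went to any of their addresses."""
    connected_ips = {c[2].rsplit(":", 1)[0] for c in conns}
    return sorted(d for d, ips in dns.items() if not set(ips) & connected_ips)


if __name__ == "__main__":
    print("sample traffic:", sample_connections(CONNECTIONS))
    print("per process:", by_process(CONNECTIONS))
    print("unattributed by DNS:", attribute_by_dns(CONNECTIONS, DNS))
    print("resolved only:", resolved_but_unconnected(DNS, CONNECTIONS))
```

For this report the sample itself makes no connection; everything listed comes from svchost.exe, MoUsoCoreWorker.exe and System (CRL downloads, Microsoft telemetry, and NetBIOS broadcasts on UDP 137/138 to the LAN), the one unattributed connection resolves to settings-win.data.microsoft.com, and google.com and self.events.data.microsoft.com were resolved without a listed connection. That is consistent with "Threats: 0", but it also means the report says nothing about network behaviour the sample might show on a longer run or with different input.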

Threats

No threats detected
No debug info