File name: a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe

Full analysis: https://app.any.run/tasks/cd7a21e6-7804-4170-9660-7f1652e0a2d7
Verdict: Malicious activity
Analysis date: January 10, 2025, 23:21:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: B43F55AFA37E589FE710A24524955720
SHA1: F8824B19E97222E2E117C418EC18BC2E8C37A193
SHA256: A5B4B1248F8F9ABFBEFD58BE80700B940DDCE2D79C8FC3E2538387C308F4A7FC
SSDEEP: 6144:cdSvVVVVVVVVrfuj5q4uFTDhfqfWJUNo5kUe7xo6og:XvVVVVVVVVrfuj5q4uFTDhSfWJUNo5kB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe (PID: 2136)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe (PID: 2136)
    • Creates a file in the system drive root
      • a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe (PID: 2136)
    • The process creates files with names similar to system file names
      • a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe (PID: 2136)
  • INFO
    • Creates files or folders in the user directory
      • a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe (PID: 2136)
    • Checks supported languages
      • a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe (PID: 2136)
    • UPX packer has been detected
      • a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe (PID: 2136)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2130
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 118
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe

Process information

PID | CMD | Path | Indicators | Parent process
2136 | "C:\Users\admin\Desktop\a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe" | C:\Users\admin\Desktop\a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe | | explorer.exe

User: admin
Integrity Level: MEDIUM

Modules (images):
c:\users\admin\desktop\a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 551
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2136 | a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
  MD5: E9DC75E8B9954F97AC496E4D6134E6D5
  SHA256: 68C0CD6E0DB0B9397B1F1C0FBD6178D592E6096EA3388D3FCAE3C22250675CE2
2136 | a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: 30569A73475B2E6274CD0EEA7D42824F
  SHA256: 4D4BABB8DB183DE393577D5D81D5B30BC79E0BD7BF41E60232439558DC4D8A22
2136 | a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: 28FDC8736B665D612E46A20A35A20E42
  SHA256: FCE90404AF668ACD1186F284EF0AC72DC6B2330E19A66F3C15BEBE3284310C0C
2136 | a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: E050BB5D69D86EAB4C9A85303CB628B8
  SHA256: A7EF06595003020DB37470E453BD5C75FC288CC7E4D187B5788E8C1767F1F269
2136 | a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
  MD5: AC1E4881462F0C86C71FBB50FB94E666
  SHA256: 29019DC0594B5917D8BFC3D56CE960CEB1D2B6FB8A23322235F36AC8E16AF578
2136 | a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
  MD5: EBFEFF31312DDFD9FB2E0B544916F248
  SHA256: 76C3CAE707748F34E46FB7F662F3264F03660C7CFF80F5F383F904AB3BE6A155
2136 | a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
  MD5: 30F72FA9FF8E2BBD2BEF2810B49CCFDD
  SHA256: FB98DC7EEA8CD4FEB4360EF6160F5F6166B5294ABA8A0EBD7E369073B8C5BECD
2136 | a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
  MD5: FB6270D01546D9307932CE5ADE4452F7
  SHA256: FCBCC9284458C312FE811D4DD40AF10FD2A8C088234375773F74B6374EFA48EF
2136 | a5b4b1248f8f9abfbefd58be80700b940ddce2d79c8fc3e2538387c308f4a7fc.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
  MD5: 7727FC31B0209A839F33CB4895397B2C
  SHA256: B0BFD54B0BF8E34F1913AA99454B3BB93FB47278477A93957987AB44E853C2B6
HTTP(S) requests: 2
TCP/UDP connections: 19
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 104.126.37.128:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
| | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3884 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
www.bing.com | 104.126.37.128, 104.126.37.131, 104.126.37.145, 104.126.37.139, 104.126.37.144, 104.126.37.154, 104.126.37.163, 104.126.37.178, 104.126.37.130 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 20.42.65.94 | whitelisted

Threats

No threats detected
No debug info