File name:

Weather Zero.exe

Full analysis: https://app.any.run/tasks/1ae2ed18-ed24-4a8e-bf9b-966046ada0bd
Verdict: Malicious activity
Analysis date: February 21, 2024, 18:16:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

0584DAB798512E3053948814ACCBB6F9

SHA1:

082AD7C7D350757E107841AA77402FBEF12DD10C

SHA256:

AAD3072A367A7B47C0EF0472BDE70721F5AFF5285DBD40310BB19C7B68FF3918

SSDEEP:

98304:Kc2hXS4/dQKlf/owWBUQa7UyoTxd3DXPLOUtIHz1L2ZAGB+gqcW47r+VicoJ1B6R:K0xf/C8Y6gdV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Weather Zero.exe (PID: 3708)

  • SUSPICIOUS

    • Reads the BIOS version

      • Weather Zero.exe (PID: 3708)

    • Executable content was dropped or overwritten

      • Weather Zero.exe (PID: 3708)

    • Reads the Internet Settings

      • Weather Zero.exe (PID: 3708)

    • Reads security settings of Internet Explorer

      • Weather Zero.exe (PID: 3708)

    • Reads settings of System Certificates

      • Weather Zero.exe (PID: 3708)

    • Checks Windows Trust Settings

      • Weather Zero.exe (PID: 3708)

  • INFO

    • Process checks whether UAC notifications are on

      • Weather Zero.exe (PID: 3708)

    • Checks supported languages

      • Weather Zero.exe (PID: 3708)
      • wmpnscfg.exe (PID: 3180)

    • Create files in a temporary directory

      • Weather Zero.exe (PID: 3708)

    • Reads the computer name

      • Weather Zero.exe (PID: 3708)
      • wmpnscfg.exe (PID: 3180)

    • Reads the machine GUID from the registry

      • Weather Zero.exe (PID: 3708)

    • Checks proxy server information

      • Weather Zero.exe (PID: 3708)

    • Creates files or folders in the user directory

      • Weather Zero.exe (PID: 3708)

    • Reads the software policy settings

      • Weather Zero.exe (PID: 3708)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:25 12:51:31+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 28672
InitializedDataSize: 142336
UninitializedDataSize: 2048
EntryPoint: 0x484f92
OSVersion: 5.1
ImageVersion: 6
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 3.0.1.5
ProductVersionNumber: 3.0.1.5
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: -
FileDescription: WeatherZero
FileVersion: 3.0.1.5
LegalCopyright: WeatherZero
ProductName: WeatherZero
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start weather zero.exe wmpnscfg.exe no specs weather zero.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1384"C:\Users\admin\AppData\Local\Temp\Weather Zero.exe" C:\Users\admin\AppData\Local\Temp\Weather Zero.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WeatherZero
Exit code:
3221226540
Version:
3.0.1.5
Modules
Images
c:\users\admin\appdata\local\temp\weather zero.exe
c:\windows\system32\ntdll.dll
3180"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3708"C:\Users\admin\AppData\Local\Temp\Weather Zero.exe" C:\Users\admin\AppData\Local\Temp\Weather Zero.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
WeatherZero
Exit code:
0
Version:
3.0.1.5
Modules
Images
c:\users\admin\appdata\local\temp\weather zero.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
Total events
7 303
Read events
7 257
Write events
37
Delete events
9

Modification events

(PID) Process:(3708) Weather Zero.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3708) Weather Zero.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3708) Weather Zero.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3708) Weather Zero.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3708) Weather Zero.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyServer
Value:
(PID) Process:(3708) Weather Zero.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyOverride
Value:
(PID) Process:(3708) Weather Zero.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoConfigURL
Value:
(PID) Process:(3708) Weather Zero.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoDetect
Value:
(PID) Process:(3708) Weather Zero.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3708) Weather Zero.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
2
Suspicious files
3
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
3708Weather Zero.exeC:\Users\admin\AppData\Local\Temp\nswF84B.tmp\Image1.bmpimage
MD5:F0501835A56B6CFB4655110580E37A45
SHA256:07461D20D2A84FF7229B68252FE0B36CF7685F9A71E1388B9C1EEB1084B3D27A
3708Weather Zero.exeC:\Users\admin\AppData\Local\Temp\nswF84B.tmp\INetC.dllexecutable
MD5:40D7ECA32B2F4D29DB98715DD45BFAC5
SHA256:85E03805F90F72257DD41BFDAA186237218BBB0EC410AD3B6576A88EA11DCCB9
3708Weather Zero.exeC:\Users\admin\AppData\Local\Temp\nswF84B.tmp\xml.dllexecutable
MD5:C530BD7C386295637588943A0AFAF2CE
SHA256:84C45F2241801EE043FA6F3CAA2D41EAC490E1433B17E6B4447C0284465786F1
3708Weather Zero.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:5A00735D79213F6E2CE69A7DF1DEEDF3
SHA256:7718C49AAAF15ED65576B2AED53D31E551E4C5D6C6D9250CABDE46212873C916
3708Weather Zero.exeC:\Users\admin\AppData\Local\Temp\nswF84B.tmp\Image2.bmpimage
MD5:B24093D9724401CC327A77DF5D0DD56F
SHA256:3837269C349E8C8A2279395515BB8B781673D86C7990F637B3883EE2B4344CFD
3708Weather Zero.exeC:\Users\admin\AppData\Local\Temp\nswF84B.tmp\decline.icoimage
MD5:B38BE2FB9B7C098C928A771014E1A922
SHA256:F08C80561159891504852497F8D04ED40B1BE2CB997906570149CEA0894AC67F
3708Weather Zero.exeC:\Users\admin\AppData\Local\Temp\nswF84B.tmp\accept.icoimage
MD5:4C30ED94F0B57504F60ABE01BE761E7A
SHA256:D6CFCCECB86F767EB0EA300F7FC222BF5CB0DC6347E1DB380F20098970781ACF
3708Weather Zero.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:A0CFFC95DE455A31547B7F3997E66A6D
SHA256:0D6322E086D939F84C2E7E568030F5164D74D2618B0F43FF9F012D3BD95921F1
3708Weather Zero.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:A1CB665C1363C60A2D689B777B8B2B8D
SHA256:677B0366A8C7F92BF7E60D7F58E32823A66EC08CE9AD7DAADE0E5C0E3A42F693
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
8
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3708
Weather Zero.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
unknown
binary
1.47 Kb
unknown
3708
Weather Zero.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f282f50ec3cdedc7
unknown
unknown
1080
svchost.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a414549a770d7263
unknown
compressed
65.2 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
3708
Weather Zero.exe
104.26.10.57:443
weatherzero.com
CLOUDFLARENET
US
unknown
3708
Weather Zero.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
3708
Weather Zero.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1080
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
weatherzero.com
  • 104.26.10.57
  • 104.26.11.57
  • 172.67.73.246
unknown
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Weather Zero.exe