File name: aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe

Full analysis: https://app.any.run/tasks/1f25ea03-3ef3-4a4e-b230-f824c2928502
Verdict: Malicious activity
Analysis date: January 10, 2025, 19:15:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 4A1EE23D58805B29664F68BA16236BE1
SHA1: 567906729E908632A6D7298C37BBD089482C7A20
SHA256: AAF2EBE531FD8A56CA56615570B9D0D917CBA243F326FDEB6BC291AF226D95A2
SSDEEP: 768:vAUo9AvVVVVVVVV+s5ZEPzWuqxWsqxWbHvvDOZnvvT0OIa9QMqUUwnIlUUVUUhV6:vASvVVVVVVVV+s5ZEDgWsgWWZjTPZw6

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been influenced by the analyst's own actions and is provided as is; ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
    • Executable content was dropped or overwritten

      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
    • The process creates files with name similar to system file names

      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
  • INFO

    • Creates files or folders in the user directory

      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
    • Checks supported languages

      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
    • UPX packer has been detected

      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (39.5)
.exe | UPX compressed Win32 Executable (38.7)
.dll | Win32 Dynamic Link Library (generic) (9.4)
.exe | Win32 Executable (generic) (6.4)
.exe | Generic Win/DOS Executable (2.8)

TRiD's top guess (Win64) is a signature-based approximation and conflicts with the PE header, which says PE32 / Intel 386 (see File info and EXIF); trust the header.

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x7f80
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
No data.
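The File info and EXIF fields above (PE32, Intel 386, 3 sections, UPX compressed, entry point 0x7f80, linker version 6, 2011 timestamp, the characteristics flags) are all read straight from the PE headers, which is how the "UPX packer has been detected" signature fires without running anything. The following Python script is an added example, not ANY.RUN's code: it parses those headers and flags UPX packing from the section names (UPX leaves UPX0/UPX1 plus .rsrc, i.e. 3 sections) or the "UPX!" marker. The sample itself is not embedded; build_sample_pe() constructs a headers-only stand-in with the values from this report, and the section names UPX0/UPX1/.rsrc are an assumption, since the report gives the section count but not their names.

```python
"""Added example (not ANY.RUN's code): read the PE header fields the report's
EXIF/File-info block is built from, and flag UPX packing.  Only PE32 is handled;
PE32+ has a different optional-header layout."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x10B
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # UPX's default names; trivially renamed, so heuristic only
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}
CHARACTERISTIC_FLAGS = [
    (0x0001, "No relocs"), (0x0002, "Executable"), (0x0004, "No line numbers"),
    (0x0008, "No symbols"), (0x0100, "32-bit"), (0x2000, "DLL"),
]


def parse_pe(data: bytes) -> dict:
    """Parse DOS stub -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    magic, lnk_major, lnk_minor, code, init, uninit, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 handled here")
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    sub_major, sub_minor = struct.unpack_from("<HH", data, opt + 48)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sect_off = opt + opt_size                                  # section table follows the optional header
    names = [
        struct.unpack_from("<8s", data, sect_off + 40 * i)[0].rstrip(b"\0").decode("ascii", "replace")
        for i in range(nsect)
    ]
    return {
        "machine": "Intel 386 or later" if machine == IMAGE_FILE_MACHINE_I386 else hex(machine),
        "pe_type": "PE32",
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code,
        "initialized_data_size": init,
        "uninitialized_data_size": uninit,
        "entry_point": entry,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "subsystem_version": f"{sub_major}.{sub_minor}",
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "characteristics": [name for bit, name in CHARACTERISTIC_FLAGS if chars & bit],
        "section_names": names,
        # Either the default UPX section names survive, or the "UPX!" loader marker does.
        "upx_packed": bool(set(names) & UPX_SECTION_NAMES) or b"UPX!" in data,
    }


def build_sample_pe(section_names=("UPX0", "UPX1", ".rsrc")) -> bytes:
    """Constructed stand-in (NOT the real sample): headers only, no code, with the
    values the report lists.  Section names are an assumption."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew -> PE signature
    ts = int(datetime(2011, 3, 15, 4, 6, 7, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(section_names), ts, 0, 0, 224, 0x010F)
    opt = bytearray(224)                                         # PE32 optional header incl. 16 data directories
    struct.pack_into("<HBBIIII", opt, 0, PE32_MAGIC, 6, 0, 8192, 4096, 24576, 0x7F80)
    struct.pack_into("<HH", opt, 40, 4, 0)                       # OS version 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)                       # subsystem version 4.0
    struct.pack_into("<H", opt, 68, 2)                           # IMAGE_SUBSYSTEM_WINDOWS_GUI
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To use it on a real file, replace build_sample_pe() with the bytes of the file under analysis (parse_pe(open(path, "rb").read())). The characteristics value 0x010F decodes to exactly the five flags the report lists, and 0x2000 (DLL) is included so the same function tells an EXE from a DLL.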
All screenshots are available in the full report
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (#ZOMBIE)

Process information

PID: 6320
CMD: "C:\Users\admin\Desktop\aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe"
Path: C:\Users\admin\Desktop\aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 580 (only the first entries are listed in this export)
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were written by PID 6320 (aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe) and are typed "executable". The VirtualStore paths are where UAC file virtualization redirects writes that a medium-integrity, non-manifested 32-bit process aims at Program Files or the system-drive root, so the intended targets were C:\bootmgr, C:\bootTel.dat and files in the Acrobat install directory; together with the desktop.ini.exe copy in the Recycle Bin this is what the "Creates file in the systems drive root", "Executable content was dropped or overwritten" and "creates files with name similar to system file names" signatures refer to.

Filename | MD5 | SHA256
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | 16385AFDB6745FA92DAB3D5757B4DBF4 | E2F085595AAFD6AE234F619E7DD5042717989F906CD84F002175B893E0F198C6
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | 50E02D77232FB6EBAB5C1690250522BE | CABA3387F0C327716F187DC9238CDE1CBD9F3445AECBB55008FC583AB4742F55
C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | 1A98F4381326578CBAB9BC48F9B44827 | 78F3FFA8A316CACB01C497F9D5047D39AB90059FCEFE18AC5E008EB7A120DEE8
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | 70549B1495BE8BB6AA127F436CA8D53D | A7E5722574300A859817C2DDC08F19FE5699F2E6F004DEC1B9D188CA6A2F54B7
C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | 0863303CBEDED78FCB9FBB744283229D | 1094258CA69841D2BFCEF629C902F9B448007AF0253C60895312608FF1363298
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | 7BA5737EB9F8E968A3302466FBC7D828 | CE70BCB46AF8D13E4CD8502895EA6C3A84D5FB2B08F5F0977AA51CAF0DB45A04
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | 2037275145841AB58ADE5377BB1485A4 | 4894E2876061A77D879FF689D05563EE0E77D907E7288BCAD7FEEC103C9B99F0
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | 95EB224570CEE8634E1E3D8415D770C1 | C7C65CE86AE4C3A76AF8141A5F4EA57E1221EDB69AC5CDB7C8F554CC9AF1E119
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | E3E2D0B1E5A46A97DED43213096D01AF | 7DC2BF54FFAA6E308F84E817D1D5DF29916540BED4ABF507811A26B0B379CC44
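The dropped-file paths above carry three separate signals: a write under C:\$Recycle.Bin\<SID>\, writes redirected into %LOCALAPPDATA%\VirtualStore (UAC file virtualization, which means the process tried to write to the drive root or Program Files), and names that imitate an existing file (desktop.ini.exe, bootmgr.tmp, Acrobat.exe.tmp). The script below is an added example, not ANY.RUN's code, that encodes those rules and runs them over the nine paths transcribed from this report. It assumes the VirtualStore directory maps back onto the same drive letter, and the ROOT_SYSTEM_NAMES set (extensionless files that normally live in the drive root) is the editor's own short list.

```python
"""Added example (not ANY.RUN's code): triage rules for dropped-file paths,
run over the paths from this report's 'Dropped files' table."""
import re
from pathlib import PureWindowsPath

# Transcribed from the report (all written by PID 6320, all typed "executable").
DROPPED = [
    r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp",
]

# %LOCALAPPDATA%\VirtualStore\<rest> is the UAC-virtualized copy of <drive>\<rest>.
VIRTUALSTORE = re.compile(
    r"^(?P<drive>[A-Za-z]:)\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$", re.I)
RECYCLE_BIN = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-21-[0-9-]+\\", re.I)
PROTECTED_DIRS = {"program files", "program files (x86)", "windows"}
ROOT_SYSTEM_NAMES = {"bootmgr"}   # assumption: extensionless files normally found in the drive root


def intended_target(path: str) -> str:
    """Map a VirtualStore path back to the location the process actually tried to write."""
    m = VIRTUALSTORE.match(path)
    return f"{m['drive']}\\{m['rest']}" if m else path


def triage(path: str) -> list[str]:
    """Return the list of rule names a dropped-file path trips (empty = nothing notable)."""
    reasons: list[str] = []
    target = intended_target(path)
    if target != path:
        reasons.append("uac-virtualized-write")       # non-elevated process aimed at a protected location
    p = PureWindowsPath(target)
    parts = [s.lower() for s in p.parts]               # parts[0] is the drive, e.g. 'C:\\'
    if RECYCLE_BIN.match(path):
        reasons.append("recycle-bin")
    if len(parts) == 2:
        reasons.append("drive-root")                   # e.g. C:\bootmgr.tmp
    elif len(parts) > 2 and parts[1] in PROTECTED_DIRS:
        reasons.append("protected-dir")                # e.g. C:\Program Files\...
    if p.suffix.lower() in {".tmp", ".exe"}:
        inner = PureWindowsPath(p.stem)                # strip the outer extension
        # desktop.ini.exe / Acrobat.exe.tmp (double extension) or bootmgr.tmp (known root file)
        if inner.suffix or inner.name.lower() in ROOT_SYSTEM_NAMES:
            reasons.append("mimics-existing-file")
    return reasons


def triage_all(paths) -> dict[str, list[str]]:
    return {path: triage(path) for path in paths}


if __name__ == "__main__":
    for path, reasons in triage_all(DROPPED).items():
        print(f"{', '.join(reasons) or 'clean':45} {intended_target(path)}")
```

The rules are deliberately independent: "uac-virtualized-write" says who wrote and how (a medium-integrity process without a manifest), "drive-root"/"protected-dir"/"recycle-bin" say where the write was aimed, and "mimics-existing-file" says what it pretends to be. Reporting all of them rather than a single verdict keeps the reasoning visible to whoever reads the triage output.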
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 4
TCP/UDP connections: 21
DNS requests: 7
Threats: 0

Every request and connection listed below is attributed to Windows' own processes (svchost.exe PID 640, MoUsoCoreWorker.exe PID 4712, System PID 4): CRL downloads and telemetry. None is attributed to the sample (PID 6320), so the network section is background noise for this analysis.

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Reputation
640 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | whitelisted
640 | svchost.exe | GET | 200 | 23.48.23.161:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.161:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | whitelisted

(The CN, Type and Size cells are empty or "unknown" in the export and are omitted.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
640 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
640 | svchost.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
640 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
640 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

("-" marks cells that are empty in the export; the fourth row has no PID or process name there.)

DNS requests

Domain | Resolved IPs | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158, 51.124.78.146 | whitelisted
google.com | 216.58.206.46 | whitelisted
crl.microsoft.com | 23.48.23.161, 23.48.23.150, 23.48.23.159, 23.48.23.179, 23.48.23.171, 23.48.23.174, 23.48.23.153, 23.48.23.185, 23.48.23.186 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 13.89.179.10 | whitelisted

Threats

No threats detected

Debug info: none