File name: aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe

Full analysis: https://app.any.run/tasks/1f25ea03-3ef3-4a4e-b230-f824c2928502
Verdict: Malicious activity
Analysis date: January 10, 2025, 19:15:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 4A1EE23D58805B29664F68BA16236BE1
SHA1: 567906729E908632A6D7298C37BBD089482C7A20
SHA256: AAF2EBE531FD8A56CA56615570B9D0D917CBA243F326FDEB6BC291AF226D95A2
SSDEEP: 768:vAUo9AvVVVVVVVV+s5ZEPzWuqxWsqxWbHvvDOZnvvT0OIa9QMqUUwnIlUUVUUhV6:vASvVVVVVVVV+s5ZEDgWsgWWZjTPZw6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
  • SUSPICIOUS
    • The process creates files with names similar to system file names
      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
    • Creates a file in the system drive root
      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
    • Executable content was dropped or overwritten
      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
  • INFO
    • Creates files or folders in the user directory
      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
    • Checks supported languages
      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
    • UPX packer has been detected
      • aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (PID: 6320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (39.5)
.exe | UPX compressed Win32 Executable (38.7)
.dll | Win32 Dynamic Link Library (generic) (9.4)
.exe | Win32 Executable (generic) (6.4)
.exe | Generic Win/DOS Executable (2.8)

TRiD's top guess (Win64, 39.5%) is a heuristic collision: the PE header below (PEType PE32, MachineType Intel 386) and the wow64*.dll images loaded at runtime settle the file as a 32-bit image.

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x7f80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

The 2011 link timestamp is a weak signal: the field is attacker-writable and UPX repacking does not refresh it, so it indicates an old build only if nothing else contradicts it.
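The EXIF and TRiD figures above are worth confirming from the section table itself rather than from a file-type signature. The Python below is an added example, not part of the ANY.RUN report or of the sample: it parses the COFF header, the head of the optional header and the section table of a PE, and reports the link timestamp, whether any section carries a UPX* name, which sections are executable yet occupy zero bytes on disk (the UPX0 layout, consistent with the UninitializedDataSize of 24576 reported here), and which section contains the entry point. make_sample() builds a synthetic, header-only PE32 stub from the report's numbers; the section names UPX0/UPX1/.rsrc and their addresses are assumptions for illustration, since the report does not list section names. Run it with a path argument to parse the real file.

```python
"""Header-level triage of a PE: machine, link timestamp, section table,
UPX markers and the section holding the entry point.

Added example for this report, not ANY.RUN code. make_sample() builds a
synthetic, header-only PE32 stub whose numbers are copied from the report
(i386, three sections, CodeSize 0x2000, UninitializedDataSize 0x6000,
EntryPoint 0x7f80, 2011-03-15 timestamp); the section names UPX0/UPX1/.rsrc
and their addresses are assumptions, not taken from the sample.
"""
import struct
import sys
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x10B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
COFF_HDR = struct.Struct("<HHIIIHH")          # 20 bytes
OPT_HDR_HEAD = struct.Struct("<HBBIIII")      # Magic .. AddressOfEntryPoint
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # 40 bytes


def parse_pe(data: bytes) -> dict:
    """Return the header facts an analyst checks before unpacking."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, chars = COFF_HDR.unpack_from(data, coff_off)
    opt_off = coff_off + COFF_HDR.size
    magic, linker_major, _, _, _, _, entry = OPT_HDR_HEAD.unpack_from(data, opt_off)

    sections = []
    for i in range(nsections):
        off = opt_off + opt_size + i * SECTION_HDR.size
        name, vsize, vaddr, rawsize, _, _, _, _, _, schars = SECTION_HDR.unpack_from(data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "characteristics": schars,
        })

    # In a UPX image the entry point sits in the decompression stub in the
    # last UPX section, not in the first code section as in a linker-built PE.
    entry_section = next(
        (s["name"] for s in sections
         if s["virtual_address"] <= entry
         < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])),
        None,
    )
    # UPX0 tell: an executable section with no bytes on disk, filled by the
    # stub at runtime.
    empty_exec = [s["name"] for s in sections
                  if s["raw_size"] == 0 and s["virtual_size"] > 0
                  and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE]
    return {
        "machine": machine,
        "is_pe32": magic == PE32_MAGIC,
        "linker_major": linker_major,
        "image_characteristics": chars,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "entry_point": entry,
        "sections": sections,
        "upx_packed": any(s["name"].upper().startswith("UPX") for s in sections),
        "empty_exec_sections": empty_exec,
        "entry_section": entry_section,
    }


def make_sample() -> bytes:
    """Synthetic PE32 header mirroring the report's EXIF values (constructed)."""
    stamp = int(datetime(2011, 3, 15, 4, 6, 7, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    # 0x010F = relocs stripped | executable | no line numbers | no local
    # symbols | 32-bit, matching the report's ImageFileCharacteristics.
    coff = COFF_HDR.pack(IMAGE_FILE_MACHINE_I386, 3, stamp, 0, 0, 224, 0x010F)
    opt = bytearray(224)                                  # PE32 optional header size
    OPT_HDR_HEAD.pack_into(opt, 0, PE32_MAGIC, 6, 0, 0x2000, 0x1000, 0x6000, 0x7F80)
    sections = b"".join(SECTION_HDR.pack(*s) for s in [
        # name, vsize, vaddr, rawsize, rawptr, reloc, lines, nreloc, nlines, flags
        (b"UPX0",  0x6000, 0x1000, 0x0000, 0x0400, 0, 0, 0, 0, 0xE0000080),
        (b"UPX1",  0x2000, 0x7000, 0x2000, 0x0400, 0, 0, 0, 0, 0xE0000040),
        (b".rsrc", 0x1000, 0x9000, 0x1000, 0x2400, 0, 0, 0, 0, 0xC0000040),
    ])
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    info = parse_pe(blob)
    print(f"machine=0x{info['machine']:04x} pe32={info['is_pe32']} linker={info['linker_major']} "
          f"linked={info['timestamp']:%Y-%m-%d %H:%M:%S}Z upx={info['upx_packed']} "
          f"entry=0x{info['entry_point']:x} in {info['entry_section']}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va=0x{s['virtual_address']:05x} "
              f"vsize=0x{s['virtual_size']:05x} raw=0x{s['raw_size']:05x}")
```

On the real sample, a section table without UPX names but with the same empty-executable-section shape still points at a packer whose stub renamed its sections; the entry-point section is the more robust check of the two.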
All screenshots are available in the full report
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0
Behavior graph

start -> aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe (#ZOMBIE)

Process information

PID: 6320
CMD: "C:\Users\admin\Desktop\aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe"
Path: C:\Users\admin\Desktop\aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images loaded by PID 6320)

c:\users\admin\desktop\aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

The System32 ntdll.dll and the wow64.dll/wow64win.dll/wow64cpu.dll images next to the SysWOW64 copies of ntdll, kernel32, kernelbase, apphelp and msvcrt show the 32-bit image running under WoW64 on the 64-bit guest; the import set is only the C runtime and kernel32, so the packed payload resolves anything else at runtime.
Total events: 11 (read: 11, write: 0, delete: 0)
Modification events: no data
Executable files: 1,580
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files (all written by PID 6320, aaf2ebe531fd8a56ca56615570b9d0d917cba243f326fdeb6bc291af226d95a2.exe; type "executable" as classified by the sandbox). Only nine of the 1,580 executable files are listed here; the first entry has no filename or hashes in the summary.

  (no filename, type or hashes in the summary)
    MD5:    -
    SHA256: -
  C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp
    MD5:    2C75078E4F19849F7CE39881BE7714ED
    SHA256: AF19341BB4C096F1D09DE4E7F31900F96DC88FC8843D45CE6586CCF6AA7A0133
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp
    MD5:    6944980AAF5FA9606BEC9801B05BF0B3
    SHA256: F83E494BD4E21D69BD3E37504981CCF33165186EFAE68E55B66AE6CA9CF184A7
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp
    MD5:    FB6FC53BE379DD1E5B765E45CB99953A
    SHA256: 2A1F1631614DCEC77C319BE5A5ED7A7C0A11E2426265C3B12F51F6ADFDD62E68
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp
    MD5:    2037275145841AB58ADE5377BB1485A4
    SHA256: 4894E2876061A77D879FF689D05563EE0E77D907E7288BCAD7FEEC103C9B99F0
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp
    MD5:    1197D9A903700882F0418BC87D6BD120
    SHA256: F1FBCB7771C48CF0E0A194DF9D3F6FD7D830A8EBE4B3C94F0AAD87475535900C
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp
    MD5:    E3E2D0B1E5A46A97DED43213096D01AF
    SHA256: 7DC2BF54FFAA6E308F84E817D1D5DF29916540BED4ABF507811A26B0B379CC44
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp
    MD5:    7BA5737EB9F8E968A3302466FBC7D828
    SHA256: CE70BCB46AF8D13E4CD8502895EA6C3A84D5FB2B08F5F0977AA51CAF0DB45A04
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp
    MD5:    70549B1495BE8BB6AA127F436CA8D53D
    SHA256: A7E5722574300A859817C2DDC08F19FE5699F2E6F004DEC1B9D188CA6A2F54B7
  C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp
    MD5:    1A98F4381326578CBAB9BC48F9B44827
    SHA256: 78F3FFA8A316CACB01C497F9D5047D39AB90059FCEFE18AC5E008EB7A120DEE8

Every listed path is under %LOCALAPPDATA%\VirtualStore. That is UAC file virtualization at work: the process ran at MEDIUM integrity without a manifest, asked to write BOOTNXT.tmp and bootmgr.tmp into the system drive root and .tmp files beside Acrobat's DLLs and EXEs under Program Files, and Windows silently redirected those writes. So C:\bootmgr, C:\BOOTNXT and the Acrobat binaries were not touched in this run; the "creates file in the system drive root" and "files with names similar to system file names" signatures describe the intended targets. A run with virtualization disabled or an elevated token would hit the real paths.
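To turn that dropped-file list into the paths the process actually asked for, the Python below is an added example (not ANY.RUN code and not part of the report): it strips the VirtualStore prefix to recover the intended path, flags writes aimed at the system drive root, and flags .tmp files staged beside executables, which is how an infector or patcher writes a replacement copy before renaming it over the original. REPORT_DROPS is copied from the table above; CODE_EXTS and ROOT_BOOT_FILES are this example's own assumptions about what counts as code and what legitimately lives in C:\.

```python
"""Map sandbox dropped-file paths that landed in VirtualStore back to the
paths the process asked for, then flag system-drive-root writes and .tmp
files staged beside executables.

Added example for this report, not ANY.RUN code. REPORT_DROPS is copied
from the report's "Dropped files" table; the classification rules
(CODE_EXTS, ROOT_BOOT_FILES) are this example's own assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

REPORT_DROPS = [  # constructed from the report; PID 6320 wrote all of them
    r"C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp",
]

# UAC file virtualization redirects a medium-integrity legacy process's writes
# to <drive>:\Users\<user>\AppData\Local\VirtualStore\<path relative to drive root>.
VIRTUALSTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$",
    re.IGNORECASE,
)
CODE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr"}   # assumption: what counts as code
ROOT_BOOT_FILES = {"bootmgr", "bootnxt"}               # assumption: boot files living in C:\


@dataclass
class Drop:
    observed: str              # path as written in the sandbox
    intended: str              # path the process asked for
    virtualized: bool          # redirected by UAC file virtualization
    root_write: bool           # intended target is the system drive root
    sidecar_of: Optional[str]  # executable this .tmp sits beside, if any


def devirtualize(path: str) -> tuple:
    """Undo the VirtualStore redirection; returns (intended_path, was_virtualized)."""
    m = VIRTUALSTORE_RE.match(path)
    if not m:
        return path, False
    return f"{m['drive'].upper()}:\\{m['rest']}", True


def classify(path: str) -> Drop:
    intended, virt = devirtualize(path)
    directory, name = ntpath.split(intended)
    root_write = directory.rstrip("\\").endswith(":")   # "C:\" is the drive root
    stem, ext = ntpath.splitext(name)
    sidecar = None
    if ext.lower() == ".tmp":
        inner_ext = ntpath.splitext(stem)[1].lower()      # "AcroBroker.exe.tmp" -> ".exe"
        if inner_ext in CODE_EXTS or (root_write and stem.lower() in ROOT_BOOT_FILES):
            sidecar = ntpath.join(directory, stem)
    return Drop(path, intended, virt, root_write, sidecar)


def triage(paths) -> dict:
    """Summarise a dropped-file list the way an analyst wants it in a ticket."""
    drops = [classify(p) for p in paths]
    return {
        "virtualized": sum(d.virtualized for d in drops),
        "root_writes": sorted(d.intended for d in drops if d.root_write),
        "sidecars": sorted(d.sidecar_of for d in drops if d.sidecar_of),
    }


if __name__ == "__main__":
    summary = triage(REPORT_DROPS)
    print(f"{summary['virtualized']} of {len(REPORT_DROPS)} drops were UAC-virtualized")
    print("system drive root writes:", *summary["root_writes"], sep="\n  ")
    print("executables with a .tmp staged beside them:", *summary["sidecars"], sep="\n  ")
```

Feed it the full dropped-file export from the sandbox rather than the nine rows here; with 1,580 executable files written, the sidecar list is the set of binaries the sample would have replaced on a host where the writes were not redirected.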
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 21
DNS requests: 7
Threats: 0

Every HTTP request and connection listed below belongs to PID 4 (System), 640 (svchost.exe) or 4712 (MoUsoCoreWorker.exe): Microsoft CRL downloads, settings/telemetry endpoints and a NetBIOS broadcast on the local subnet. None is attributed to the sample's PID 6320, so these counts are guest background traffic, not sample indicators. The DNS table carries no process attribution at all.

HTTP requests

PID   Process              Method  Code  IP                URL                                                                         Type     Reputation
4712  MoUsoCoreWorker.exe  GET     200   23.48.23.161:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted
640   svchost.exe          GET     200   23.48.23.161:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted
4712  MoUsoCoreWorker.exe  GET     200   184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl         unknown  whitelisted
640   svchost.exe          GET     200   184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl         unknown  whitelisted

Connections

PID   Process              IP                   Domain                           ASN                          CN  Reputation
4     System               192.168.100.255:138  -                                -                            -   whitelisted
640   svchost.exe          51.104.136.2:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4712  MoUsoCoreWorker.exe  51.104.136.2:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
-     -                    51.104.136.2:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4712  MoUsoCoreWorker.exe  23.48.23.161:80      crl.microsoft.com                Akamai International B.V.    DE  whitelisted
640   svchost.exe          23.48.23.161:80      crl.microsoft.com                Akamai International B.V.    DE  whitelisted
4712  MoUsoCoreWorker.exe  184.30.21.171:80     www.microsoft.com                AKAMAI-AS                    DE  whitelisted
640   svchost.exe          184.30.21.171:80     www.microsoft.com                AKAMAI-AS                    DE  whitelisted
4712  MoUsoCoreWorker.exe  40.127.240.158:443   settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
640   svchost.exe          51.124.78.146:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.48.23.161
  • 23.48.23.150
  • 23.48.23.159
  • 23.48.23.179
  • 23.48.23.171
  • 23.48.23.174
  • 23.48.23.153
  • 23.48.23.185
  • 23.48.23.186
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 13.89.179.10
whitelisted

Threats

No threats detected
No debug info