File name: b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835

Full analysis: https://app.any.run/tasks/f3067940-e398-485d-8e14-621d29eac4d3
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:20:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 625111165B46FA07216CB0B131F483F2
SHA1: 1EF5826BF30D1ED5752305F795A98F2967731325
SHA256: B9CEACA5942E3E765D6D9C30422B56C0A7F98AAD31CA109E78561D0DCEE0A835
SSDEEP: 24576:BuFRSfWJUq5kUebuFRSfWJUq5kUeKuFRSfWJUq5kUebuFRSfWJUq5kUed:4FRSfWJ9kUeiFRSfWJ9kUejFRSfWJ9kn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
  • SUSPICIOUS
    • Creates a file in the system drive root
      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
    • The process creates files with names similar to system file names
      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
    • Executable content was dropped or overwritten
      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
  • INFO
    • Creates files or folders in the user directory
      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
    • UPX packer has been detected
      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
    • Checks supported languages
      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe

Process information

PID | CMD | Path | Indicators | Parent process
5864 | "C:\Users\admin\Desktop\b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe" | C:\Users\admin\Desktop\b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe | | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 094
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5864 | b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: 0354FC671FEEA75C9BB791D2480C67A8
  SHA256: 109EA1CD32C81B95A6A3313D19DBC781A27F324CFDC67FC3E5B096B115DE79AE
5864 | b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
  MD5: 546B31CBA72CCF939183B9AB0594A4ED
  SHA256: DF387FE7A02C8DCE495258BEE04D19C08912A8A9147CE39A11666C4FDFC3CB73
5864 | b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: B37222A6A4E7AF5D700D6BD98B7E5007
  SHA256: 58B5837D02A0D8BC8D1696054672A9AF3453F4CE642ACA6ABDAF902A80366944
5864 | b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
  MD5: ADF4BAFF7779BBF9C68E3E3584781D1B
  SHA256: 487ABA3FB4EE032AB3F5F9954C8CF3E61F9E4C0D91866EA33AF107330F96A7E4
5864 | b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: 71349AAA0ACB4BE6D6FD1A80C0948C6C
  SHA256: A8BFB57F8FE498FF10B788084B0CB0FC87D647565EF06EBB2B5ADF2A642C603A
5864 | b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: 5171C7943DB0F391A033A2EE2333C12D
  SHA256: AA604813B94A6D89C544041CDD0C5863B2B92F79DAF78B1EAA44215B83701B23
5864 | b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: B7003549FCE12971A3A4270ECF603F9B
  SHA256: AB0080BCD55DF28D2811502032087A63D335B7DA0C8E51166170EA29DCE2BC8E
5864 | b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
  MD5: 00AE7A1B4D3ADFEF913E6B846C864AF3
  SHA256: 343C899A13305395E1A98B9F8ED3313C4260E90371296031473179B56F29A6EB
5864 | b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
  MD5: D380BC2210A489C4B047E4CFD9B201FD
  SHA256: DF0641BA67177147E8F62624156A495A6301FE61D3CF3B30F0A6357903C51FB2
HTTP(S) requests: 0
TCP/UDP connections: 17
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 192.168.100.255:137 | | | | whitelisted
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
188 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
188 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3976 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.46 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
self.events.data.microsoft.com | 20.42.65.89 | whitelisted

Threats

No threats detected
No debug info