File name: bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21

Full analysis: https://app.any.run/tasks/99486514-5d12-46df-a7d1-825789a50fce
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:10:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: C533D22B9B3D8B104178A82E133A794D
SHA1: 0A89DCBA6C634472CE10266D1504A5F4EEA2EFDA
SHA256: BC085F728A5D36E9FAEA30E865E4CD9A51606C0A6C43AE6BAC6D610F23E7FA21
SSDEEP: 3072:cpDSvVVVVVVVVIgWsgW2uFN1u8h55q8I+r8xLhWJEd2aNB415kUe7g0j:cdSvVVVVVVVVIuFTDhfqfWJUNo5kUe7J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
    • Executable content was dropped or overwritten

      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
  • INFO

    • Creates files or folders in the user directory

      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
    • Checks supported languages

      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
    • UPX packer has been detected

      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe

Process information

PID | CMD | Path | Indicators | Parent process
2100 | "C:\Users\admin\Desktop\bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe" | C:\Users\admin\Desktop\bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe | | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 479
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2100 | bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe | |
  MD5:
  SHA256:
2100 | bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: 640947F5D922636B7F6CA20304799390
  SHA256: 5F4F41FF2541BA2F8178B751A9302861FDD7E416FA9A11F8D202BD5826401230
2100 | bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: 20A2F7E1DA013034CBF56877A408B4F8
  SHA256: 452BBC2D3142F3FD772DD4EC04A05D1B565F1CDE93F093EBA48F5CA83BFB59A9
2100 | bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: 0BB370CBD9CC72F17AE0A740A1FEB89B
  SHA256: 953686853E0A963D9861E4F731E520C826A2354A4749450E85B3EA3A1DD948B9
2100 | bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
  MD5: B96760F829D2B450195C3113300A39D1
  SHA256: B7608DBC64E76D3E9AE299970B467EDB8340D533184F2FF760F286226A238D63
2100 | bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: 08E90003E5C3BF97DAAA25FC89BDC197
  SHA256: C911FE8D84FB198F5858D22EDFA25FF7A53E57B30FA4E7BBD7B13A3281E92FC3
2100 | bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: 07C2458505FD712FA66C06E6F826F2C1
  SHA256: FB63F9B8500F635F1DE9A288C943A13635739CED696F1898B6A03D3CF4D8BFD9
2100 | bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable
  MD5: 5C5C22663DE31B9D4618BB4227055E21
  SHA256: BD3C9F9B0035D269FA80CDB5B0B93A94088029E316361EAF5BB568F204C3DF40
2100 | bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
  MD5: 17FA05A437DEE1A971FCE4B6800454F3
  SHA256: BC0884432823B3169B55E77EBB5D5D5C336B554804F23446376F0566940BC18E
2100 | bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
  MD5: 58115F902087FB8F13F56853D8731D0C
  SHA256: 365191064E90664067C124107FEE1BC4886FD3C1C0D4336FBCE079E59C280C9F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.198.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.37.202.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
444 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
444 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 2.19.198.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.37.202.100:80 | www.microsoft.com | Linknet-Fastnet ASN | ID | whitelisted
3976 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 172.217.18.14 | whitelisted
crl.microsoft.com | 2.19.198.194, 23.32.238.34 | whitelisted
www.microsoft.com | 23.37.202.100 | whitelisted
self.events.data.microsoft.com | 20.42.73.31 | whitelisted

Threats

No threats detected
No debug info