File name: Lime-Worm-0.5.8D.exe

Full analysis: https://app.any.run/tasks/ff184739-3a9c-47bc-8cd3-2315ea7044dc
Verdict: Malicious activity
Analysis date: October 24, 2023, 08:42:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 28782DDDB3E4BF634C722CD015A8424A
SHA1: 27261E36C64D34C0941652155DBB8DAFD1FE201E
SHA256: BCE9F2B048D74DD21F528D0A80EF7BB52583100BBCC201140A8AAEA579D8347F
SSDEEP: 49152:tM5aAg2uIwn2dP0U+o9cOK1zXt5l+9SHNn3tWOD+o5ZV75+NsP98uhZTgVG1yGS3:tM5u9n2dXTqz9z+EHvyUZN5XhZTg01yZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Lime-Worm-0.5.8D.exe (PID: 1884)
      • svchost.exe (PID: 3448)
    • Create files in the Startup directory

      • svchost.exe (PID: 3448)
    • Application was dropped or rewritten from another process

      • svchost.exe (PID: 3448)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Lime-Worm-0.5.8D.exe (PID: 1884)
    • Reads Microsoft Outlook installation path

      • Lime-Worm-0.5.8D.exe (PID: 1884)
    • Reads Internet Explorer settings

      • Lime-Worm-0.5.8D.exe (PID: 1884)
    • Creates executable files that already exist in Windows

      • svchost.exe (PID: 3448)
      • Lime-Worm-0.5.8D.exe (PID: 1884)
    • The process creates files with name similar to system file names

      • Lime-Worm-0.5.8D.exe (PID: 1884)
      • svchost.exe (PID: 3448)
  • INFO

    • Checks supported languages

      • Lime-Worm-0.5.8D.exe (PID: 1884)
      • svchost.exe (PID: 3448)
      • wmpnscfg.exe (PID: 4016)
    • Reads the computer name

      • Lime-Worm-0.5.8D.exe (PID: 1884)
      • svchost.exe (PID: 3448)
      • wmpnscfg.exe (PID: 4016)
    • Checks proxy server information

      • Lime-Worm-0.5.8D.exe (PID: 1884)
    • Reads the machine GUID from the registry

      • Lime-Worm-0.5.8D.exe (PID: 1884)
      • svchost.exe (PID: 3448)
      • wmpnscfg.exe (PID: 4016)
    • Create files in a temporary directory

      • Lime-Worm-0.5.8D.exe (PID: 1884)
    • Creates files or folders in the user directory

      • svchost.exe (PID: 3448)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 4016)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:08:14 21:15:49+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 188416
InitializedDataSize: 196096
UninitializedDataSize: -
EntryPoint: 0x1cab5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Total processes: 38
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Graph not reproduced here: Lime-Worm-0.5.8D.exe drops and starts svchost.exe; wmpnscfg.exe runs separately. Process nodes are marked "no specs" in the original graph.]

Process information

PID: 1884
CMD: "C:\Users\admin\AppData\Local\Temp\Lime-Worm-0.5.8D.exe"
Path: C:\Users\admin\AppData\Local\Temp\Lime-Worm-0.5.8D.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules:
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\users\admin\appdata\local\temp\lime-worm-0.5.8d.exe
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll

PID: 3448
CMD: "C:\Users\admin\AppData\Local\Temp\svchost.exe"
Path: C:\Users\admin\AppData\Local\Temp\svchost.exe
Parent process: Lime-Worm-0.5.8D.exe
User: admin
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 1.0.0.0
Modules:
c:\users\admin\appdata\local\temp\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\advapi32.dll

PID: 4016
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events: 1 151
Read events: 1 138
Write events: 10
Delete events: 3

Modification events

(PID) Process: (1884) Lime-Worm-0.5.8D.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1884) Lime-Worm-0.5.8D.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1884) Lime-Worm-0.5.8D.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1884) Lime-Worm-0.5.8D.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1884) Lime-Worm-0.5.8D.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1884) Lime-Worm-0.5.8D.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4016) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{C1685827-B752-4E18-9F78-62A2AA291865}\{5BCCDCD3-3B6F-425F-9BEC-F39821C1CD98}
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (4016) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{C1685827-B752-4E18-9F78-62A2AA291865}
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (4016) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{B98B4755-6FAF-458B-83ED-B60ACA807518}
Operation: delete key
Name: (default)
Value: (none)
Executable files: 17
Suspicious files: 13
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1884 | Lime-Worm-0.5.8D.exe | C:\Users\admin\AppData\Local\Temp\Plugin\FM.xml | xml
MD5: D7831BBE61FD78168E2C30678B9DCCFB
SHA256: B6B9E4C2133E7BEDBA9D5B334946228A27E353780E081558A2124FCF2DBA79D3

1884 | Lime-Worm-0.5.8D.exe | C:\Users\admin\AppData\Local\Temp\Plugin\ENC.xml | xml
MD5: E68ED9A4DE7A57824F2A56C0740810AB
SHA256: BBD4B40988F73CF21E9FFACE4D745D09728207757DCE50CACE4B99EAA0355A81

1884 | Lime-Worm-0.5.8D.exe | C:\Users\admin\AppData\Local\Temp\Plugin\RDP.xml | xml
MD5: 27C55C43E0FB89EC4D263D531544E8B1
SHA256: A8F03A3798F4848081E74862EC8D6847C045CBBFB97858DC312102FE34BA4C67

1884 | Lime-Worm-0.5.8D.exe | C:\Users\admin\AppData\Local\Temp\svchost.exe | executable
MD5: F83C1904404D2B40622D28A5C05420F9
SHA256: 58FA8679EB278C0FBE4B9348E61CD274234037AF160878289A988260EAF6246E

1884 | Lime-Worm-0.5.8D.exe | C:\Users\admin\AppData\Local\Temp\Lime Worm.exe | executable
MD5: 7028559ABF0CCEBF9692EB24651B4BE1
SHA256: B437592443E6C798AC25566400E1A1B4F29EF76A63BC5CD112316F5F4F34E45E

1884 | Lime-Worm-0.5.8D.exe | C:\Users\admin\AppData\Local\Temp\Plugin\PWD.xml | xml
MD5: 819C481430B20969333F05B0276A503E
SHA256: 6CE1D176CB7F85CCBF33A9D8EED14B960E3BA63C178BDFE42F5464C446ED51E2

1884 | Lime-Worm-0.5.8D.exe | C:\Users\admin\AppData\Local\Temp\Plugin\DET.dll | executable
MD5: 1DBBE360B98AC2C2696C1FA8F06FD6EB
SHA256: 3D9414F2C561AF2226EFAE98FD27DF31D0EA2FD991571F9489C1287695CCC14D

1884 | Lime-Worm-0.5.8D.exe | C:\Users\admin\AppData\Local\Temp\WORM.exe | executable
MD5: 1ABCD41FEF3851AF5B9B0F8F95212104
SHA256: 86BFAC5064D898CEA353560A4EDB8A15A6F1C306B6A20FEF07FB7F777EF39D4F

1884 | Lime-Worm-0.5.8D.exe | C:\Users\admin\AppData\Local\Temp\Plugin\DEC.dll | executable
MD5: 2C0509AE8F4F7CFDF0A45C7018CCAFA9
SHA256: B8FA8DA0990A4BF496602D1DD0F352148A3612C6BA34739F08CC62DEFFAFD0D5

1884 | Lime-Worm-0.5.8D.exe | C:\Users\admin\AppData\Local\Temp\Plugin\ENC.dll | executable
MD5: 133FEDA41E1F83417BBBA58012D45113
SHA256: 2BDA1203B984DEC579A00CD9501F438D53FD67B9C22370A8A982098FB87E5494
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info