File name:

Lime-Worm-0.5.8D.exe

Full analysis: https://app.any.run/tasks/ff184739-3a9c-47bc-8cd3-2315ea7044dc
Verdict: Malicious activity
Analysis date: October 24, 2023, 08:42:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

28782DDDB3E4BF634C722CD015A8424A

SHA1:

27261E36C64D34C0941652155DBB8DAFD1FE201E

SHA256:

BCE9F2B048D74DD21F528D0A80EF7BB52583100BBCC201140A8AAEA579D8347F

SSDEEP:

49152:tM5aAg2uIwn2dP0U+o9cOK1zXt5l+9SHNn3tWOD+o5ZV75+NsP98uhZTgVG1yGS3:tM5u9n2dXTqz9z+EHvyUZN5XhZTg01yZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • svchost.exe (PID: 3448)
      • Lime-Worm-0.5.8D.exe (PID: 1884)

    • Create files in the Startup directory

      • svchost.exe (PID: 3448)

    • Application was dropped or rewritten from another process

      • svchost.exe (PID: 3448)

  • SUSPICIOUS

    • Reads the Internet Settings

      • Lime-Worm-0.5.8D.exe (PID: 1884)

    • Reads Microsoft Outlook installation path

      • Lime-Worm-0.5.8D.exe (PID: 1884)

    • Reads Internet Explorer settings

      • Lime-Worm-0.5.8D.exe (PID: 1884)

    • Creates executable files that already exist in Windows

      • Lime-Worm-0.5.8D.exe (PID: 1884)
      • svchost.exe (PID: 3448)

    • The process creates files with name similar to system file names

      • Lime-Worm-0.5.8D.exe (PID: 1884)
      • svchost.exe (PID: 3448)

  • INFO

    • Reads the computer name

      • Lime-Worm-0.5.8D.exe (PID: 1884)
      • svchost.exe (PID: 3448)
      • wmpnscfg.exe (PID: 4016)

    • Checks supported languages

      • Lime-Worm-0.5.8D.exe (PID: 1884)
      • svchost.exe (PID: 3448)
      • wmpnscfg.exe (PID: 4016)

    • Checks proxy server information

      • Lime-Worm-0.5.8D.exe (PID: 1884)

    • Reads the machine GUID from the registry

      • Lime-Worm-0.5.8D.exe (PID: 1884)
      • svchost.exe (PID: 3448)
      • wmpnscfg.exe (PID: 4016)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 4016)

    • Creates files or folders in the user directory

      • svchost.exe (PID: 3448)

    • Create files in a temporary directory

      • Lime-Worm-0.5.8D.exe (PID: 1884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:08:14 21:15:49+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 188416
InitializedDataSize: 196096
UninitializedDataSize: -
EntryPoint: 0x1cab5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start lime-worm-0.5.8d.exe no specs svchost.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1884"C:\Users\admin\AppData\Local\Temp\Lime-Worm-0.5.8D.exe" C:\Users\admin\AppData\Local\Temp\Lime-Worm-0.5.8D.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\users\admin\appdata\local\temp\lime-worm-0.5.8d.exe
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll
3448"C:\Users\admin\AppData\Local\Temp\svchost.exe" C:\Users\admin\AppData\Local\Temp\svchost.exe
Lime-Worm-0.5.8D.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\advapi32.dll
4016"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events
1 151
Read events
1 138
Write events
10
Delete events
3

Modification events

(PID) Process:(1884) Lime-Worm-0.5.8D.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1884) Lime-Worm-0.5.8D.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1884) Lime-Worm-0.5.8D.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1884) Lime-Worm-0.5.8D.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1884) Lime-Worm-0.5.8D.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1884) Lime-Worm-0.5.8D.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4016) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{C1685827-B752-4E18-9F78-62A2AA291865}\{5BCCDCD3-3B6F-425F-9BEC-F39821C1CD98}
Operation:delete keyName:(default)
Value:
(PID) Process:(4016) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{C1685827-B752-4E18-9F78-62A2AA291865}
Operation:delete keyName:(default)
Value:
(PID) Process:(4016) wmpnscfg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{B98B4755-6FAF-458B-83ED-B60ACA807518}
Operation:delete keyName:(default)
Value:
Executable files
17
Suspicious files
13
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
1884Lime-Worm-0.5.8D.exeC:\Users\admin\AppData\Local\Temp\Plugin\PWD.xmlxml
MD5:819C481430B20969333F05B0276A503E
SHA256:6CE1D176CB7F85CCBF33A9D8EED14B960E3BA63C178BDFE42F5464C446ED51E2
1884Lime-Worm-0.5.8D.exeC:\Users\admin\AppData\Local\Temp\Plugin\DET.dllexecutable
MD5:1DBBE360B98AC2C2696C1FA8F06FD6EB
SHA256:3D9414F2C561AF2226EFAE98FD27DF31D0EA2FD991571F9489C1287695CCC14D
1884Lime-Worm-0.5.8D.exeC:\Users\admin\AppData\Local\Temp\WORM.exeexecutable
MD5:1ABCD41FEF3851AF5B9B0F8F95212104
SHA256:86BFAC5064D898CEA353560A4EDB8A15A6F1C306B6A20FEF07FB7F777EF39D4F
1884Lime-Worm-0.5.8D.exeC:\Users\admin\AppData\Local\Temp\Stub\Stub.exeexecutable
MD5:1CAF905BB41F2AD4276434E0FFC98E6D
SHA256:140FE71DD70D34732730DD15D685510F3F1C0E46D5D0FF19E93B6EAC183AD13E
1884Lime-Worm-0.5.8D.exeC:\Users\admin\AppData\Local\Temp\Plugin\FM.xmlxml
MD5:D7831BBE61FD78168E2C30678B9DCCFB
SHA256:B6B9E4C2133E7BEDBA9D5B334946228A27E353780E081558A2124FCF2DBA79D3
1884Lime-Worm-0.5.8D.exeC:\Users\admin\AppData\Local\Temp\Plugin\USB.xmlxml
MD5:8916603217870542DB104CD7AAE95A59
SHA256:96EE4D62B31BC8D958FD3D866D09A08D792DB294E38FDA13241CA61FA81980A4
1884Lime-Worm-0.5.8D.exeC:\Users\admin\AppData\Local\Temp\Plugin\FM.dllexecutable
MD5:C788693561DC4075F4E703ED11DEB273
SHA256:A47BBD8F6106490590AE0F2E2B8A9452FDA3ABB08591E0552468F86A348DF42B
1884Lime-Worm-0.5.8D.exeC:\Users\admin\AppData\Local\Temp\svchost.exeexecutable
MD5:F83C1904404D2B40622D28A5C05420F9
SHA256:58FA8679EB278C0FBE4B9348E61CD274234037AF160878289A988260EAF6246E
1884Lime-Worm-0.5.8D.exeC:\Users\admin\AppData\Local\Temp\Plugin\DEC.dllexecutable
MD5:2C0509AE8F4F7CFDF0A45C7018CCAFA9
SHA256:B8FA8DA0990A4BF496602D1DD0F352148A3612C6BA34739F08CC62DEFFAFD0D5
1884Lime-Worm-0.5.8D.exeC:\Users\admin\AppData\Local\Temp\Plugin\PIN.xmlxml
MD5:8AB476685F3D3118D5B8765063B957D0
SHA256:C044FD72DDC088F3181CB39261C4691BF1DA56DA7BE24D06EA03C055AC903356
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Lime-Worm-0.5.8D.exe