File name: bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe

Full analysis: https://app.any.run/tasks/ef3c8fe8-307c-46b6-adad-5dae56fa4179
Verdict: Malicious activity
Analysis date: January 10, 2025, 19:01:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 5159F505D351AAD992BB5A9228BB1474
SHA1: A4DC91FF6BC6556B9BEEFC9DF02074E6964548AA
SHA256: BEF09720420C26367F856266CF1803B7F235DB46DA3545EB7A7878E39570BFB2
SSDEEP: 6144:cdSvVVVVVVVVrfuj5q4uFTDhfqfWJUNo5kUe7xo6oD:XvVVVVVVVVrfuj5q4uFTDhSfWJUNo5ke

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
  • SUSPICIOUS
    • Creates file in the systems drive root
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • Executable content was dropped or overwritten
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • The process creates files with name similar to system file names
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
  • INFO
    • Creates files or folders in the user directory
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • Checks supported languages
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • UPX packer has been detected
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe

Process information

PID: 6268
CMD: "C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe"
Path: C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 220
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | | | | |
| 6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | EC23035034E25BA1D8665E03F5D53C17 | 7A3E1FCBB4733652F9640C2C84F06B757E7BF56C69B64730D26AD1AFEFFE60DE |
| 6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 7BC7B9C496C6AB4F33E78CB890768E17 | E9C1D4DF9A258C6927DBF4C162CDA0A4C29FBBD45AC638AC7432585349B31944 |
| 6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | 0436A84C8776892A9EFB198B03B803E2 | 23F94973C824D7C4ACCCD14C18EB8131977B3D6585E0F7B41BB21C350563CCD9 |
| 6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable | 16D6D65B0C940F748D2083E28D087945 | 43B80654B8AF923080D8AED80CD3FB58D9E1ADB9158972553573F4E3C39822F7 |
| 6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | 76C33510668E48C7E1CC401BD622BFB0 | 45D53649DA915C2576308F1B2CC2CC21AFE0C4053D6D05C51D86A39266734E9F |
| 6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | FDF1788AAD8B2FE0CA0097D4B852B974 | 4EFCD1C7CB01C04DDD828F30207AD22BF75AAB155B5997F97E27E1B81B5B3DD7 |
| 6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | 7C451527C38639A9A9402F0649A28BA4 | A642C1BECAE7AE1CD33427DE47EF80EEDF6EBF1B985B5C7D61E560A4B1D52734 |
| 6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable | 930208C890460E62F3F38890CB312506 | 94CAAE5DA94FF7779880C274EDEA38FB8875B2E7CEF171352758FE08D6726B4C |
| 6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable | B109EE2AC32EF0BA7CA92140DD4B1874 | B21CCEE087FF6505CFB0621C7C647B76C1A7989061A7A8D0DC0FE2D9DC45837D |
HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 7
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted |
| 4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
| 4 | System | 192.168.100.255:137 | | | | unknown |
| | | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
| 4 | System | 192.168.100.255:138 | | | | unknown |
| 4712 | MoUsoCoreWorker.exe | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146, 40.127.240.158 | unknown |
| google.com | 216.58.206.46 | unknown |
| crl.microsoft.com | 23.48.23.177, 23.48.23.194, 23.48.23.167, 23.48.23.173, 23.48.23.137, 23.48.23.180, 23.48.23.190, 23.48.23.169, 23.48.23.166 | unknown |
| www.microsoft.com | 184.30.21.171 | unknown |
| self.events.data.microsoft.com | 20.189.173.14 | unknown |

Threats

No threats detected
No debug info