File name: bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe
Full analysis: https://app.any.run/tasks/ef3c8fe8-307c-46b6-adad-5dae56fa4179
Verdict: Malicious activity
Analysis date: January 10, 2025, 19:01:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 5159F505D351AAD992BB5A9228BB1474
SHA1: A4DC91FF6BC6556B9BEEFC9DF02074E6964548AA
SHA256: BEF09720420C26367F856266CF1803B7F235DB46DA3545EB7A7878E39570BFB2
SSDEEP: 6144:cdSvVVVVVVVVrfuj5q4uFTDhfqfWJUNo5kUe7xo6oD:XvVVVVVVVVrfuj5q4uFTDhSfWJUNo5ke

ANY.RUN is an interactive service that gives the analyst full access to the guest system, so the information in this report may have been influenced by user actions during the session and is provided as-is for acknowledgement. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • Creates file in the systems drive root

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • Executable content was dropped or overwritten

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
  • INFO

    • UPX packer has been detected

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • Creates files or folders in the user directory

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • Checks supported languages

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD (file-type identification, match percentage in parentheses)

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF (EXE metadata)

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2130
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
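The "File info", TRiD and EXIF fields above are all read from the PE headers (DOS header, COFF file header, optional header, section table). The following is an added example written for this page, not ANY.RUN's code and not code from the sample: it parses those headers from a PE image and applies the UPX section-name heuristic that underlies the "UPX compressed, 4 sections" verdict. The in-memory PE it builds is constructed to carry the header values the report lists (entry point 0x2130, linker 6, timestamp 2011-03-15 04:06:07 UTC, characteristics 0x030F); its section names and layout are hypothetical, since the report does not show them.

```python
"""Added example: parse the PE header fields shown in a sandbox 'File info' block."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristics bits (subset) from winnt.h, in the order EXIF prints them.
CHARACTERISTICS = {
    0x0001: "No relocs",
    0x0002: "Executable",
    0x0004: "No line numbers",
    0x0008: "No symbols",
    0x0100: "32-bit",
    0x0200: "No debug",
    0x2000: "DLL",
}
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}


def parse_pe(data: bytes) -> dict:
    """Return the header fields a triage report shows; raise ValueError on a non-PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)           # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, coff)               # 20-byte COFF header
    opt = coff + 20
    magic, linker_major, linker_minor, code_size, init_size, uninit_size, entry = \
        struct.unpack_from("<HBBIIII", data, opt)                # start of optional header
    sections, sec = [], opt + opt_size                           # section table follows optional header
    for _ in range(nsections):
        name, vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<8sIIII", data, sec)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
        sec += 40                                                # IMAGE_SECTION_HEADER is 40 bytes
    return {
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "machine": MACHINES.get(machine, hex(machine)),
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "linker_version": f"{linker_major}.{linker_minor}",
        "entry_point": entry,
        "code_size": code_size,
        "initialized_data_size": init_size,
        "uninitialized_data_size": uninit_size,
        "characteristics": [n for bit, n in CHARACTERISTICS.items() if chars & bit],
        "sections": sections,
    }


def upx_indicators(info: dict) -> list:
    """Cheap packer heuristics: UPX section names, and a first section with no raw data
    (UPX0 is the unpacking target: large virtual size, zero bytes on disk)."""
    hits, names = [], [s["name"] for s in info["sections"]]
    if any(n.startswith("UPX") for n in names):
        hits.append("UPX section names: " + ", ".join(n for n in names if n.startswith("UPX")))
    first = info["sections"][0] if info["sections"] else None
    if first and first["raw_size"] == 0 and first["virtual_size"] > 0:
        hits.append("first section has no raw data (unpacking target)")
    return hits


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 carrying the report's header values; section layout is hypothetical."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> right after DOS header
    sections = [(b"UPX0", 0x6000, 0x1000, 0, 0x400),             # raw size 0: data is unpacked here
                (b"UPX1", 0x2000, 0x7000, 0x2000, 0x400),
                (b"UPX2", 0x1000, 0x9000, 0x200, 0x2400),
                (b".rsrc", 0x1000, 0xA000, 0x200, 0x2600)]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 1300161967, 0, 0, 224, 0x030F)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 8192, 4096, 24576, 0x2130).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0)
                     for n, vs, va, rs, rp in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key, value in info.items():
        print(f"{key}: {value}")
    print("packer indicators:", upx_indicators(info))
```

Run it against a real file with `parse_pe(open(path, "rb").read())`. Section names are a hint, not proof: UPX is open source and its section names are trivially renamed, so the sandbox's "UPX compressed" label and this check agree only for unmodified UPX; an entry point that lies in a section with zero raw data, or a tiny `.text` next to a large virtual-only section, is the stronger signal.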
No data.
Screenshots: all screenshots are available in the full report
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (#ZOMBIE)

Process information

PID: 6268
CMD: "C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe"
Path: C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe
Indicators: see the signature list above
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules (images loaded):
c:\users\admin\desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

The wow64.dll, wow64win.dll and wow64cpu.dll images, together with the syswow64 copies of ntdll.dll, kernel32.dll, kernelbase.dll and msvcrt.dll, confirm that this PE32 sample runs as a 32-bit process under WOW64 on the 64-bit guest. The module list contains no network or crypto libraries, which matches the absence of any network activity attributed to PID 6268 below.
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1,220
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All files below were written by PID 6268 (bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe) and are typed by the sandbox as executable, including the .tmp copies named after a .png, a .pak and desktop.ini. The summary counts 1,220 executable files; the report excerpt lists these eight. The VirtualStore paths mean the process actually tried to write into C:\Program Files\Adobe\Acrobat DC\Acrobat\ and the system drive root (bootmgr, BOOTNXT): a medium-integrity, legacy 32-bit process without an execution-level manifest is subject to UAC file virtualization, so Windows silently redirected those writes to %LOCALAPPDATA%\VirtualStore. The desktop.ini.tmp under the user's own $Recycle.Bin SID folder was writable directly and was not redirected. When scoping this on a real host, check both the intended target locations and the VirtualStore copies, and treat a file's .tmp neighbour as executable only after a content check, not by extension.

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp
  Type: executable
  MD5: 3998CFE05C542B6AF248EB5657D9AF5A
  SHA256: 2BABF93127B59D3A3DBAECB3E6FB811B973BBE113F3209C1E67B5CCFE82DD1CD
C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp
  Type: executable
  MD5: 1C5CCDA8BE65EE79D31FAEACEA188E68
  SHA256: B72DA35240DDF457A3D88254A70E8397F865B95E00663EFCDD1C3B1DCF52A7A2
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp
  Type: executable
  MD5: 7C451527C38639A9A9402F0649A28BA4
  SHA256: A642C1BECAE7AE1CD33427DE47EF80EEDF6EBF1B985B5C7D61E560A4B1D52734
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp
  Type: executable
  MD5: 0436A84C8776892A9EFB198B03B803E2
  SHA256: 23F94973C824D7C4ACCCD14C18EB8131977B3D6585E0F7B41BB21C350563CCD9
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp
  Type: executable
  MD5: EC23035034E25BA1D8665E03F5D53C17
  SHA256: 7A3E1FCBB4733652F9640C2C84F06B757E7BF56C69B64730D26AD1AFEFFE60DE
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp
  Type: executable
  MD5: B109EE2AC32EF0BA7CA92140DD4B1874
  SHA256: B21CCEE087FF6505CFB0621C7C647B76C1A7989061A7A8D0DC0FE2D9DC45837D
C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp
  Type: executable
  MD5: DD3FB2C82DF4347178575789A97433BD
  SHA256: A7FFA6280813619829B23C9DBBEAB24CE364CED16C14193012C03F086D7E929C
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp
  Type: executable
  MD5: 76C33510668E48C7E1CC401BD622BFB0
  SHA256: 45D53649DA915C2576308F1B2CC2CC21AFE0C4053D6D05C51D86A39266734E9F
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp
  Type: executable
  MD5: 9E6F0478A0225F6EF0A8653539FCC83D
  SHA256: D0CC43143B7FC1859AE6EFD4247AB140DB0D9ABED464F300A8FD4E9B74BA3F65
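The dropped-file paths only make sense once the VirtualStore redirection is undone. The following is an added example written for this page (not ANY.RUN's code): it maps each virtualized path back to the location the process tried to write, strips the trailing .tmp, and tags each record with the reasons a responder cares about (system drive root, Program Files, a system file name, PE content under a non-executable name). The sample records are constructed from five of the paths listed above; the reason strings, the `Drop`/`Finding` types and the small list of shadowed system file names are this example's own conventions, and the sandbox's "executable" verdict is taken as given rather than re-derived here.

```python
"""Added example: undo UAC file virtualization on dropped-file paths and tag why each matters."""
import ntpath
import re
from dataclasses import dataclass, field

# %LOCALAPPDATA%\VirtualStore\<rest> holds writes that were redirected away from <drive>:\<rest>.
VIRTUALSTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\(?P<user>[^\\]+)\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$",
    re.IGNORECASE)
# Names that live in the system drive root or in every profile folder (hypothetical, short list).
SYSTEM_FILE_NAMES = {"bootmgr", "bootnxt", "desktop.ini", "ntldr", "pagefile.sys", "hiberfil.sys"}
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")


@dataclass
class Drop:
    pid: int
    path: str
    ftype: str            # sandbox file-type verdict, e.g. "executable"


@dataclass
class Finding:
    drop: Drop
    intended_path: str
    reasons: list = field(default_factory=list)


def intended_target(path: str) -> str:
    """...\\VirtualStore\\X -> <drive>:\\X; any other path is returned unchanged."""
    m = VIRTUALSTORE_RE.match(path)
    return f"{m['drive'].upper()}:\\{m['rest']}" if m else path


def strip_tmp(name: str) -> str:
    """bootmgr.tmp -> bootmgr, Acrobat.exe.tmp -> Acrobat.exe (one trailing .tmp only)."""
    return name[:-4] if name.lower().endswith(".tmp") else name


def triage(drops: list) -> list:
    """Tag each dropped file with the reasons it is worth a look on a real host."""
    out = []
    for d in drops:
        target = intended_target(d.path)
        f = Finding(d, target)
        directory, name = ntpath.split(target)
        drive, tail = ntpath.splitdrive(directory)
        base = strip_tmp(name)
        if target != d.path:
            f.reasons.append("write was UAC-virtualized (process lacked rights to the real location)")
        if tail in ("\\", ""):
            f.reasons.append("targets the system drive root")
        if directory.lower().startswith(drive.lower() + "\\program files"):
            f.reasons.append("targets Program Files")
        if base.lower() in SYSTEM_FILE_NAMES:
            f.reasons.append(f"name shadows system file {base}")
        if d.ftype == "executable" and not base.lower().endswith(PE_EXTENSIONS):
            f.reasons.append(f"PE content under non-executable name {base}")
        if name != base:
            f.reasons.append(f".tmp sibling of {base}")
        out.append(f)
    return out


# Constructed from the report's dropped-files list (paths only; hashes omitted).
SAMPLE_DROPS = [
    Drop(6268, r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp", "executable"),
    Drop(6268, r"C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp", "executable"),
    Drop(6268, r"C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp", "executable"),
    Drop(6268, r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp", "executable"),
    Drop(6268, r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp", "executable"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_DROPS):
        print(f"{f.drop.path}\n  -> {f.intended_path}\n  " + "; ".join(f.reasons))
```

On a live host, feed `triage` the output of a directory walk over every user's VirtualStore plus the drive root, and follow it with a content check (MZ/PE signature) on each .tmp before calling it executable; a sandbox's type verdict is not available offline, and an attacker choosing names like desktop.ini.tmp or a .png.tmp is counting on extension-based filters.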
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Both requests are Microsoft certificate revocation list fetches made by the Windows Update Session Orchestrator worker (MoUsoCoreWorker.exe, PID 4712), not by the analysed sample (PID 6268); the Type and Size columns are empty in the report.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4 | System | 192.168.100.255:137 | unknown (NetBIOS name service broadcast on the local subnet)
(PID and process not shown in the report) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4 | System | 192.168.100.255:138 | unknown (NetBIOS datagram service broadcast on the local subnet)
4712 | MoUsoCoreWorker.exe | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

None of the listed connections is attributed to PID 6268. All of this traffic comes from Windows components (the Update Session Orchestrator worker, svchost.exe and the System process), which is consistent with the sample loading no networking libraries and with the "Threats: 0" summary. It does not prove the sample has no network capability; the session is a single run of limited length.

DNS requests

Domain | Resolved IPs | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146, 40.127.240.158 | unknown
google.com | 216.58.206.46 | unknown
crl.microsoft.com | 23.48.23.177, 23.48.23.194, 23.48.23.167, 23.48.23.173, 23.48.23.137, 23.48.23.180, 23.48.23.190, 23.48.23.169, 23.48.23.166 | unknown
www.microsoft.com | 184.30.21.171 | unknown
self.events.data.microsoft.com | 20.189.173.14 | unknown

Threats

No threats detected
No debug info