File name: d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb

Full analysis: https://app.any.run/tasks/cd4cecb3-1d5f-4407-9ed9-4981d09e7f60
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:41:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: FDD0D9AABE362320875655B2496A1F2A
SHA1: 445E06864055F6CED307084AAE3C6964A3F5029E
SHA256: D8804AF1EF1DB28FB42859F5B2911DABE2B24C565D1B16413D3EFB23DD37F7EB
SSDEEP: 12288:XvVVVVVVVVIuFTDhSfWJUNo5kUe7UvVVVVVVVVguFTDhSfWJUNo5kUe7P:AuFRSfWJUq5kUehuFRSfWJUq5kUeT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)
    • The process creates files with name similar to system file names

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)
    • Executable content was dropped or overwritten

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)
  • INFO

    • Creates files or folders in the user directory

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)
    • Checks supported languages

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)
    • UPX packer has been detected

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes
118
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

start #ZOMBIE d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe

Process information

PID: 1392
CMD: "C:\Users\admin\Desktop\d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe"
Path: C:\Users\admin\Desktop\d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe
Indicators: #ZOMBIE
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
925
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type
1392 | d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe | |
    MD5:  SHA256:
1392 | d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
    MD5: EF8680FF75B13D31C8CE4D88974B6872  SHA256: 65C23FCD4291576196A6D1092D94469E2BAB4CBF7711A85FB1B5A7D2ACD4BA70
1392 | d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
    MD5: E3ED1E8E3730E8B88B552B4D475112B9  SHA256: 7E401A7D05C859029739D4D623DD3090A55C1840F515B5E3056DF8E56E5DD9BA
1392 | d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
    MD5: BB277FA65845333C3CEB834DCBD29994  SHA256: 2BE1ECDDCE53A47E6E5FFB8D8EDC48C7B795782C83DB51C1124CAC6C92CA3254
1392 | d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
    MD5: 2F9C06925811B61CC3B8080070284714  SHA256: 4C8D712AA03D3F9BB693F54C1A0BC5AE1DBF0F6373677A175A765E20D87129C2
1392 | d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
    MD5: 1CA61430A84B88E5F895D9A7F99CB5BA  SHA256: 62EB13A9C98AAC7A1341FEF7E244F137C52FB65B7D18795B5E98C0408CCF1CFE
1392 | d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
    MD5: 8472C4E97F375881C28F98FD83A9D65B  SHA256: D880AAAAF0BB280C2E239E8D48124C669E9190B4A451F68190AF5E8C19B0BECC
1392 | d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
    MD5: CD6E86C56609E08331B668269415D886  SHA256: 7D66A5083A0AA0207D9B8DB37CB4FC23BBDC7FE6BF72C41E08B338B105CBEE64
1392 | d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable
    MD5: 3600392BD84B67E3D15CF56914ABA32C  SHA256: 535B6D2444F2B10A8BE6A274685237EB2171E14BD3E422B16A32E0F781774A71
1392 | d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
    MD5: A89ADC24AE11AEF24E0E4007722BE504  SHA256: 9728029427DECF0394A1A4EB9445E60755FE63FF09B699BD6A0399D1869EBE0C
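Most of the dropped files sit under C:\Users\admin\AppData\Local\VirtualStore, which is where UAC file virtualization redirects a medium-integrity process (the sample ran at MEDIUM, see Process information) that tries to write to the system drive root or Program Files. Undoing that redirection recovers the intended targets (C:\bootmgr.tmp, C:\BOOTNXT.tmp, C:\Program Files\Adobe\...), which is why the report raises "Creates file in the systems drive root" although nothing landed there. The Python below is an added example, not part of the ANY.RUN report: it re-encodes the table above as constructed records, maps VirtualStore paths back to their targets, and applies the report's own heuristics (system-root and protected-directory writes, executable content behind a non-PE extension, double extensions, and names that imitate Windows boot/shell files). The seed list of system file names is an assumption.

```python
import ntpath
import re
from typing import Dict, List, Set, Tuple

# UAC file virtualization: a medium-integrity process writing to the system drive
# root, Program Files or Windows is redirected under %LOCALAPPDATA%\VirtualStore.
VIRTUALSTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]:)\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$",
    re.IGNORECASE,
)
ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")
PROTECTED_DIR_RE = re.compile(r"^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\", re.IGNORECASE)
RECYCLE_BIN_RE = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\", re.IGNORECASE)

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}
# Seed list of Windows boot/shell file names the sample imitated (an assumption
# for this example; extend it with the names your environment treats as sensitive).
SYSTEM_NAMES = {"bootmgr", "bootnxt", "desktop.ini"}


def unvirtualize(path: str) -> str:
    """Return the path the process tried to write, undoing VirtualStore redirection."""
    m = VIRTUALSTORE_RE.match(path)
    return f"{m.group('drive')}\\{m.group('rest')}" if m else path


def triage(path: str, detected_type: str) -> Set[str]:
    """Apply the report's heuristics to one dropped file and return the flags it trips."""
    flags: Set[str] = set()
    target = unvirtualize(path)
    if target != path:
        flags.add("virtualstore_redirect")
    if ROOT_FILE_RE.match(target):
        flags.add("system_root_write")
    if PROTECTED_DIR_RE.match(target):
        flags.add("protected_dir_write")
    if RECYCLE_BIN_RE.match(target):
        flags.add("recycle_bin_write")

    stem, ext = ntpath.splitext(ntpath.basename(target))
    ext = ext.lower()
    if detected_type == "executable" and ext not in PE_EXTENSIONS:
        flags.add("extension_mismatch")   # PE content behind .tmp/.png/.pdf/.pak
    if ext in PE_EXTENSIONS and ntpath.splitext(stem)[1]:
        flags.add("double_extension")     # e.g. desktop.ini.exe
    if stem.lower() in SYSTEM_NAMES:
        flags.add("system_name_masquerade")
    return flags


# Constructed from the report's "Dropped files" table: (path as written, type ANY.RUN assigned).
DROPPED: List[Tuple[str, str]] = [
    (r"C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp", "executable"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp", "executable"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp", "executable"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp", "executable"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp", "executable"),
    (r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe", "executable"),
]


def triage_report(records: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each intended target path to the flags it trips."""
    return {unvirtualize(p): triage(p, t) for p, t in records}


if __name__ == "__main__":
    for target, flags in triage_report(DROPPED).items():
        print(f"{target}\n    {', '.join(sorted(flags)) or 'no flags'}")
```

When reproducing this on a live host, check the VirtualStore directory and the $Recycle.Bin SID folder of the user who ran the sample; a write that the sandbox shows as redirected would land in the real location if the same binary ran elevated.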
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
17
DNS requests
6
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.54.224:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
3508 | svchost.exe | GET | 200 | 95.101.54.224:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
3508 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3508 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.54.224:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3508 | svchost.exe | 95.101.54.224:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3508 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 95.101.54.224
  • 95.101.54.240
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
self.events.data.microsoft.com
  • 52.182.143.208
whitelisted
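Every HTTP request and every connection that carries a PID in the tables above belongs to PID 4712 (MoUsoCoreWorker.exe) or 3508 (svchost.exe), neither of which is the monitored process (PID 1392), and two of the resolved names (google.com, self.events.data.microsoft.com) never appear as a connection target. The Python below is an added example, not part of the ANY.RUN report: it re-encodes those tables as constructed rows, separates traffic attributable to the sample from traffic of other processes, lists rows the sandbox recorded without a PID, cross-references DNS answers against connections, and classifies the CRL fetches. The revocation-check classifier is a heuristic of this example, not something the report states.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

MONITORED_PIDS = {1392}  # the only process the sandbox monitored, i.e. the sample itself

Conn = Tuple[Optional[int], Optional[str], str, Optional[str]]  # (pid, process, ip:port, domain)

# Constructed from the "Connections" table; rows printed without a PID keep None.
CONNECTIONS: List[Conn] = [
    (None, None, "192.168.100.255:137", None),
    (4712, "MoUsoCoreWorker.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (3508, "svchost.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (None, None, "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:138", None),
    (4712, "MoUsoCoreWorker.exe", "95.101.54.224:80", "crl.microsoft.com"),
    (3508, "svchost.exe", "95.101.54.224:80", "crl.microsoft.com"),
    (4712, "MoUsoCoreWorker.exe", "88.221.169.152:80", "www.microsoft.com"),
    (3508, "svchost.exe", "88.221.169.152:80", "www.microsoft.com"),
    (4712, "MoUsoCoreWorker.exe", "20.73.194.208:443", "settings-win.data.microsoft.com"),
]
# Constructed from the "HTTP requests" table: (pid, method, url).
HTTP_REQUESTS: List[Tuple[int, str, str]] = [
    (4712, "GET", "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (4712, "GET", "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (3508, "GET", "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (3508, "GET", "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
]
# Constructed from the "DNS requests" table.
DNS: Dict[str, List[str]] = {
    "settings-win.data.microsoft.com": ["51.104.136.2", "20.73.194.208"],
    "google.com": ["172.217.16.142"],
    "crl.microsoft.com": ["95.101.54.224", "95.101.54.240"],
    "www.microsoft.com": ["88.221.169.152"],
    "self.events.data.microsoft.com": ["52.182.143.208"],
}


def sample_traffic(connections: List[Conn], http_requests, monitored: Set[int] = MONITORED_PIDS):
    """Rows attributable to the monitored sample; empty lists mean no sample traffic was captured."""
    conns = [c for c in connections if c[0] in monitored]
    reqs = [r for r in http_requests if r[0] in monitored]
    return conns, reqs


def unattributed(connections: List[Conn]) -> List[Conn]:
    """Rows recorded without a PID; they cannot be assigned to any process, the sample included."""
    return [c for c in connections if c[0] is None]


def per_process(connections: List[Conn]) -> Dict[Tuple[int, str], Set[str]]:
    """Destinations (domain, or ip:port when no domain) contacted by each attributed process."""
    out: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for pid, proc, ipport, domain in connections:
        if pid is not None:
            out[(pid, proc)].add(domain or ipport)
    return dict(out)


def resolved_but_never_contacted(dns: Dict[str, List[str]], connections: List[Conn]) -> Set[str]:
    """Domains that were resolved but none of whose answers appear as a connection target."""
    contacted = {c[2].rsplit(":", 1)[0] for c in connections}
    return {domain for domain, ips in dns.items() if not set(ips) & contacted}


def is_revocation_check(url: str) -> bool:
    """Heuristic (assumption of this example): CRL/OCSP fetches are certificate-chain validation, not C2."""
    path = urlsplit(url).path.lower()
    return path.endswith(".crl") or "/ocsp" in path


if __name__ == "__main__":
    conns, reqs = sample_traffic(CONNECTIONS, HTTP_REQUESTS)
    print("sample connections:", conns)
    print("sample HTTP requests:", reqs)
    print("rows without a PID:", unattributed(CONNECTIONS))
    for key, dests in per_process(CONNECTIONS).items():
        print(key, "->", sorted(dests))
    print("resolved, never contacted:", sorted(resolved_but_never_contacted(DNS, CONNECTIONS)))
    print("all HTTP requests are CRL fetches:", all(is_revocation_check(u) for _, _, u in HTTP_REQUESTS))
```

The two rows without a PID are the ones to keep an eye on: the sandbox could not attribute them, so they are the only network rows that do not positively exclude the sample. The PCAP in the full report is the place to resolve that.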

Threats

No threats detected
No debug info