File name:

dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580

Full analysis: https://app.any.run/tasks/ad5ec8c4-7f6d-4133-b49d-715b599fecc0
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:36:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

3D4CE9F06D976056BF3447AC0452BA2C

SHA1:

46392B7DDDD8982CFCBCB4311A321319F71871FD

SHA256:

DC01297C74F056AE175BAB404E6C27FD3062273EA11434A8DF115B4B82FCF580

SSDEEP:

1536:EhPpyASvVVVVVVVVWs5jf/ASvVVVVVVVV+s5jfsS:cpDSvVVVVVVVVrf4SvVVVVVVVVTfH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)

    • The process creates files with name similar to system file names

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)

  • INFO

    • Checks supported languages

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)

    • UPX packer has been detected

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)

    • Creates files or folders in the user directory

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe

Process information

PID
CMD
Path
Indicators
Parent process
5432"C:\Users\admin\Desktop\dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe" C:\Users\admin\Desktop\dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 765
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp
MD5:
SHA256:
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe
MD5:
SHA256:
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:363BB330BCBE88C94E4390510D758254
SHA256:AF7E2D735A066B748A324991C1421951D39204A02A904B7FEADCACE7C23A4B9D
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmpexecutable
MD5:038DCA898BF6F09100AAEB9C4A95BF92
SHA256:2156AE6B76A38673424A83CC4B872FBD4A9E66C5F3E0F127D98C5C37E5636E57
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmpexecutable
MD5:AEEA10E7E1FC1670A7E144ADFDB2F069
SHA256:A5E984EFBD43E22DAEEE4E5F8E50886DF3190ED46B42EF196A45B31046DC760E
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:5A74BF15A93C56EC0AD1CB62C240537C
SHA256:7AFCCA6ECE1F74200AC0D9F66B5A80D39BECFAE545730183F2BE0E2C04F869E1
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmpexecutable
MD5:32ABAD12FC64B09B53D32498261E4CA0
SHA256:8E5E8F1E9BFBC4719BFC7A7BAC6183057555CA36D23E524AD26FB1F10829DBF9
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmpexecutable
MD5:E59744D65DC6CE79CCEABA6011CB72D8
SHA256:EC4491269463B649A701C98F0E37C0969AC1429335EC4B4B91EDE7BAF1FA2FAD
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmpexecutable
MD5:EB77E8C405CB884706D889D5D834E15F
SHA256:48B3F7BB45AAB3FC0B606232576897CC2C2F196280B6D6E5A06C743221D81C95
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmpexecutable
MD5:D879178E25EA096AC6CDA9F8E35104AA
SHA256:984762A304B1162572FF0C180F82CD2D2594DA87CA98E2F70C14A35A333A211A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5580
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5580
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
5580
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5580
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5580
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5580
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
self.events.data.microsoft.com
  • 20.42.65.94
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580