File name: e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe

Full analysis: https://app.any.run/tasks/13d1c542-8976-444c-b40d-fe9d09166e12
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:34:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: C23436A55768FDAADAE63A0C8A5340A0
SHA1: 4A7BED3A42938356E86F1C8901F6EAB1E639DA74
SHA256: E57BB38EAD28545CC162A12CB522C58A55518E454B365E7D7A90DC33E8060FA6
SSDEEP: 12288:XvVVVVVVVVIuFTDhSfWJUNo5kUe7UvVVVVVVVVguFTDhSfWJUNo5kUe70Rqhjzum:AuFRSfWJUq5kUehuFRSfWJUq5kUeARqT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
  • SUSPICIOUS
    • The process creates files with names similar to system file names
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • Creates a file in the system drive root
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • Executable content was dropped or overwritten
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
  • INFO
    • Checks supported languages
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • Creates files or folders in the user directory
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • UPX packer has been detected
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2130
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #ZOMBIE e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe

Process information

PID: 4500
CMD: "C:\Users\admin\Desktop\e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe"
Path: C:\Users\admin\Desktop\e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 217
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable | 5F056DBBE02D8276C06D02F0B1D551E4 | D2EA847ACB12561C19CF3EA3C224D20A0C019D27045997CF6BFE1DAA87F27232
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | 45BEDA62C42B292775C3F52CF5AA6C22 | 485E31F4835126295E5F9AD9A3E95F110DC20A97CCB8EFB04AC7D0E9B504F164
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 027B418833150FF84DE66A5E622B0C6F | 24F3365B7F17C415FA8DDC9469E8C0FEA9B3612C38424045F6F9E8210FABA07C
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | 3499973D429BD5EC544FBC07B8EFF04E | 3F7502EDFA9B2B09EF83D6741244F945D13960EC14397ECE2799966F127B9A7F
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | F8C831BB7C36F034F054001C8FFEA463 | 7DA12B3A053180C203765778A467D8FAA0081D9F02560E44A601DACB19328867
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | E34FA16414ED26734359CE584C0E26BC | F808C8E5F8C9817173F7273A6D34CC6BDE23567348F30D52E69C2FA789992E54
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | 4F178C7771F1BA2E752013E08108F5BB | B77700FC792FC1E06DFD72927779A47C9541FDB554774A5B5D8204CE807E1077
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | 53DBA566B2F2C108CA81D51FE7F21F8F | 4484D9BB6908ACE1610471D646D60B3D1CE13B8B74E87DF2CB687C2A4946E144
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp | executable | 08E909505EB41D5C7C51763ADE4BA4BA | B06892B78C3FE572BA8C2A5B9BA9CB29EC1FEC0ACDAF2EB207870CB6036EFBBF
HTTP(S) requests: 5
TCP/UDP connections: 19
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
188 | RUXIMICS.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1016 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1016 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
188 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
188 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1016 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1016 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
188 | RUXIMICS.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1016 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
188 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.142 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
self.events.data.microsoft.com | 52.182.143.209 | whitelisted

Threats

No threats detected
No debug info