File name: e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe

Full analysis: https://app.any.run/tasks/13d1c542-8976-444c-b40d-fe9d09166e12
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:34:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: C23436A55768FDAADAE63A0C8A5340A0
SHA1: 4A7BED3A42938356E86F1C8901F6EAB1E639DA74
SHA256: E57BB38EAD28545CC162A12CB522C58A55518E454B365E7D7A90DC33E8060FA6
SSDEEP: 12288:XvVVVVVVVVIuFTDhSfWJUNo5kUe7UvVVVVVVVVguFTDhSfWJUNo5kUe70Rqhjzum:AuFRSfWJUq5kUehuFRSfWJUq5kUeARqT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
  • SUSPICIOUS
    • Creates file in the system drive root
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • The process creates files with names similar to system file names
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • Executable content was dropped or overwritten
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
  • INFO
    • Creates files or folders in the user directory
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • UPX packer has been detected
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • Checks supported languages
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe

Process information

PID: 4500
CMD: "C:\Users\admin\Desktop\e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe"
Path: C:\Users\admin\Desktop\e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules (Images):
c:\users\admin\desktop\e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 231
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | | 
  MD5: 
  SHA256: 
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: 027B418833150FF84DE66A5E622B0C6F
  SHA256: 24F3365B7F17C415FA8DDC9469E8C0FEA9B3612C38424045F6F9E8210FABA07C
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
  MD5: 3499973D429BD5EC544FBC07B8EFF04E
  SHA256: 3F7502EDFA9B2B09EF83D6741244F945D13960EC14397ECE2799966F127B9A7F
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: 213E9D2C679E47EB432EB365508DA24E
  SHA256: 23C68A49902FA6CB8869EBA40D99FD51EEEB7EB236D13025669ACA0E3AF7AC33
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: 4F178C7771F1BA2E752013E08108F5BB
  SHA256: B77700FC792FC1E06DFD72927779A47C9541FDB554774A5B5D8204CE807E1077
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: E34FA16414ED26734359CE584C0E26BC
  SHA256: F808C8E5F8C9817173F7273A6D34CC6BDE23567348F30D52E69C2FA789992E54
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: 56CEC30C922B323476C2EE881503E88E
  SHA256: BA965AD96B49D33E1352A751CB9B396F60E9B1D4D387291CBF9D34FD51EAE361
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
  MD5: 53DBA566B2F2C108CA81D51FE7F21F8F
  SHA256: 4484D9BB6908ACE1610471D646D60B3D1CE13B8B74E87DF2CB687C2A4946E144
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable
  MD5: 5F056DBBE02D8276C06D02F0B1D551E4
  SHA256: D2EA847ACB12561C19CF3EA3C224D20A0C019D27045997CF6BFE1DAA87F27232
4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
  MD5: 8DD2802206515A3D4E459ABF8B2014D9
  SHA256: D2A0F090C0E2F68474095C4C8B12C13E0EFF6C639BC9F3F175E48AD5CD45265B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 19
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1016 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
188 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
188 | RUXIMICS.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1016 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
188 | RUXIMICS.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1016 | svchost.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1016 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
188 | RUXIMICS.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1016 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
188 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.142 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
self.events.data.microsoft.com | 52.182.143.209 | whitelisted

Threats

No threats detected
No debug info