File name: ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93

Full analysis: https://app.any.run/tasks/be0e52e1-f344-4e20-9c4c-f176f9ff8acd
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:42:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 18A7BFE9B0107C31BCB8AA6419398A8B
SHA1: 8B6EC61503AF53A1DF799EE5F0D05E7590FA48EF
SHA256: EC97AF940E709F506E9F40E2B9E0EA5AB915ED637A3471DE54C9583A906B3C93
SSDEEP: 1536:EhPpyASvVVVVVVVVWs5jf/ASvVVVVVVVV+s5jfs4:cpDSvVVVVVVVVrf4SvVVVVVVVVTf5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
    • Executable content was dropped or overwritten

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
    • Creates file in the system drive root

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
  • INFO

    • Creates files or folders in the user directory

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
    • UPX packer has been detected

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
    • Checks supported languages

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 118
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe

Process information

PID: 3620
CMD: "C:\Users\admin\Desktop\ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe"
Path: C:\Users\admin\Desktop\ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules (images loaded):
c:\users\admin\desktop\ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 187
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | | |
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | 754E67333D833FA0B08DB3B136244DC4 | F0C34237451D01B6B2D092A8F0EAF16FE344ECC90134AD5E7AC69D261547EF5B
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | E7EF6B7109A8AFCA1FE5FEBE681FC99F | 16DB9D59CF0DB26B7BB1638BC2BF6A855656D1E0B73E84A65C8ADD9EDB99D875
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | D8442D350E2B58DA11BBF0FAEF4EE9DF | 0107D4FEC811F5BEF16E9698E59753CF03BE9E7D01E573304495E0415524F704
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | E2B8B028C76C2A74BF33A2DFC44927EC | 5AC7FDE3DF8F4A5737D20AD652538C9C6257D46F341F15F347FE0CCC7EF53FEE
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | 90D905BEFEA6AB3427D78FE49E48C710 | 3FD20B8352B9EEB807B3B134D75908FDE640E1C7CAD57200D8BB31F23F85C6B3
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | B353E8B1A17BD21E73E231BEC27F66B4 | CDC823A12241440C2D97F18CD53E7A821F88808F107061DCF26A56FDD232CD28
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | FA1902B8E716E66EBE0EC3566377A95F | 98AB9CB601A7F5CAE30813ED48112B6D85404E120CB21525F92C7D19386B4BCE
3620 | ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable | 014ECC5A741F408A15F083909EE16C39 | E9DC37042E1725DF496FB2056FCF6925ED546BEF8EEC75137705C63CDF0AA1D7
HTTP(S) requests: 3
TCP/UDP connections: 18
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.167:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3996 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3996 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 104.126.37.162:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.167:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3996 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
www.bing.com | 104.126.37.162, 104.126.37.161, 104.126.37.139, 104.126.37.137, 104.126.37.177, 104.126.37.145, 104.126.37.155, 104.126.37.178, 104.126.37.160 | whitelisted
google.com | 142.250.185.206 | whitelisted
crl.microsoft.com | 23.48.23.167, 23.48.23.177, 23.48.23.176, 23.48.23.145, 23.48.23.143, 23.48.23.166, 23.48.23.156, 23.48.23.164 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 20.42.65.89 | whitelisted

Threats

No threats detected
No debug info