File name: eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0

Full analysis: https://app.any.run/tasks/f32732fe-f9df-4e03-9066-ee978c496580
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:27:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: A3EBF0FBF88F92F0F98641D050EF5935
SHA1: E84546A0F1104F815C264747030D2CDA2686DBBF
SHA256: EDA429E8EE24B9FBC6476BCB8E0AAAF8638FB95FA5796E902B87CA855F0115D0
SSDEEP: 24576:BuFRSfWJUq5kUehuFRSfWJUq5kUeccqto6qCQNvuFRSfWJUq5kUehuFRSfWJUq5X:4FRSfWJ9kUeYFRSfWJ9kUeccqto6qCQ8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe (PID: 828)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe (PID: 828)
  • INFO

    • Creates files or folders in the user directory

      • eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe (PID: 828)
    • Checks supported languages

      • eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe (PID: 828)
    • UPX packer has been detected

      • eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe (PID: 828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #ZOMBIE eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe

Process information

PID: 828
CMD: "C:\Users\admin\Desktop\eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe"
Path: C:\Users\admin\Desktop\eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 118
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

828 | eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
  MD5: 50FF873B7D54908FB3498EA3FB451F8C
  SHA256: A1FD1246AB511E78A77B8CF6628C1142FBD68F84382B4DEB8EAF5C0E214992CC

828 | eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
  MD5: 48E2DA4EF3FBB864AD127E3E81945999
  SHA256: 4A37E215F8A95D8D4462BFC92D3485B72AA208F3388047D1E06B322AA94F073B

828 | eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: 783432DD90B5207226EC619D88B5728D
  SHA256: D9A0EF3CAE1F8E41F73AECED2A38EB15C6A81482C965B038061E1CD02611BD1A

828 | eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: D6C1AFEA06B744579A5CE9CDFBD959D2
  SHA256: 447D5B8F42747ECEC2CDFBE5AAA3D3C6150318F3B7771EF964CD17C4E97BA004

828 | eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable
  MD5: AA95517AF891A6E72994108F7ABF7B7A
  SHA256: 19805DBAFF05C1FB6998117D5FA4693C12B5FCA931819ED6B1A63FB495AA72BB

828 | eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: 783432DD90B5207226EC619D88B5728D
  SHA256: D9A0EF3CAE1F8E41F73AECED2A38EB15C6A81482C965B038061E1CD02611BD1A

828 | eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
  MD5: B3EF29A4AC789A678FDEEFF2B92FDC12
  SHA256: 689D8183DEBD626330F6BF6DD0ED6D10D23A3EC82ACABBBDA02756D890946A69

828 | eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: A6A27D8C951F5EB6E2CA9B63FB38D992
  SHA256: B321E8C77547CCD3366F3A6E867B59FC9D612C12F53A5A3FAC70B6E308AF09B7

828 | eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: FACBB39674F00BE418E09DC9C98E3DCE
  SHA256: B3B03D6FA8354B1246B6855D59008DB611B6CD7E5DD8E6E395A18749764C7AA0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 20
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
4308 | svchost.exe | GET | 200 | 23.48.23.161:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.161:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4308 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4308 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4308 | svchost.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4308 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.48.23.161
  • 23.48.23.168
  • 23.48.23.169
  • 23.48.23.153
  • 23.48.23.158
  • 23.48.23.177
  • 23.48.23.156
  • 23.48.23.174
  • 23.48.23.162
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 52.182.143.210
whitelisted

Threats

No threats detected
No debug info