File name: f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe

Full analysis: https://app.any.run/tasks/4a1fd3d1-80ef-4b2a-bd34-bbf51c55063e
Verdict: Malicious activity
Analysis date: January 11, 2025, 01:12:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: E092626673A02BF159D25015CEEBD22D
SHA1: 1D27DA3B192E0E95033D9F1046A80CDDAADEFF8B
SHA256: F74890A14B0DC466298A5D1F03DEACC22296F0B14AD6E447CA8631A54449F01C
SSDEEP: 12288:XvVVVVVVVVIuFTDhSfWJUNo5kUe7UvVVVVVVVVguFTDhSfWJUNo5kUe7YWs:AuFRSfWJUq5kUehuFRSfWJUq5kUes1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe (PID: 644)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe (PID: 644)
    • Creates file in the systems drive root
      • f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe (PID: 644)
    • The process creates files with name similar to system file names
      • f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe (PID: 644)
  • INFO
    • UPX packer has been detected
      • f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe (PID: 644)
    • Creates files or folders in the user directory
      • f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe (PID: 644)
    • Checks supported languages
      • f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe (PID: 644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2130
UninitializedDataSize: 24576
InitializedDataSize: 4096
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 2011:03:15 04:06:07+00:00
MachineType: Intel 386 or later, and compatibles
All screenshots are available in the full report
Total processes: 118
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe (#ZOMBIE)

Process information

PID: 644
CMD: "C:\Users\admin\Desktop\f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe"
Path: C:\Users\admin\Desktop\f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules (loaded images):
c:\users\admin\desktop\f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 240
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were written by PID 644 (f74890a14b0dc466298a5d1f03deacc22296f0b14ad6e447ca8631a54449f01c.exe) and are of type "executable".

C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp
  MD5: F0A1C8EE54A044DEE90FCC6CD3387ECF
  SHA256: 1E4309BE7EEFB9943A7F1DB810FA7B04451885492290274C0017048213F552BA
C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp
  MD5: C83481DD6996397265DAEC3243F8E1D0
  SHA256: 387070A8C0B1EC530C0ACFE2183B89E86145B7DB36D95A4EB5C033E061E793DD
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp
  MD5: B2A8746A07859157C9DE5874DD3FC7D5
  SHA256: AF65A14A0E0622D33C236FFBB51BF6AAB2683531050F560867F2D574054899E5
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp
  MD5: 887A8533D1993B945AEA5F353655510D
  SHA256: AA31242BFFFC2A26CA4EEF44A57B703443DE94DC80C4BCBABBD0116C444E0536
C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp
  MD5: E50031DFCE1DBAC758EBB837AAC3F841
  SHA256: B0283B8A3F005ADDAF3B7A11214485ED67E3A12AFE0C4CDFEF076DB2CD19F24D
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.tmp
  MD5: DFC0D0E3B02849A93BAE888E98FFC5C6
  SHA256: 3DB00DC40E68115768A8CF8A45A1C71CB390DF85BECB2342CD4F5A0B9359AA49
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe
  MD5: B2A8746A07859157C9DE5874DD3FC7D5
  SHA256: AF65A14A0E0622D33C236FFBB51BF6AAB2683531050F560867F2D574054899E5
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp
  MD5: 12D9E19A4C1999301A254929D57923C8
  SHA256: 985C95DEEDA7DF7ADE3A6BBD7D18F6EC764AA8BB557BE43C3402B9163EF240E5
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp
  MD5: CF26849868F11E65E342A8CC41BC6045
  SHA256: CCA274146661F57F8750945C6B97A5E2C2D732EDC01905A6C34D49B5BF810A03
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 19
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
716 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
716 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
716 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
716 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
716 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
www.bing.com | 2.23.227.208, 2.23.227.215 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
self.events.data.microsoft.com | 52.182.143.211 | whitelisted

Threats

No threats detected
No debug info