File name: fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad

Full analysis: https://app.any.run/tasks/ae51a3a1-c4c0-42f4-ac85-c168d3d27769
Verdict: Malicious activity
Analysis date: November 23, 2024, 05:38:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 688EDF0BDCCB5E27AC23F86E3CE9DC3C
SHA1: D26BEE3EC333875A73060C99C6F643D66AA5C4BC
SHA256: FC23D3501DD7E3462ACC42CD848C74343928087052B09680C434FD68CB5844AD
SSDEEP: 12288:XvVVVVVVVVIuFTDhSfWJUNo5kUe7uvVVVVVVVVguFTDhSfWJUNo5kUe7L:AuFRSfWJUq5kUeDuFRSfWJUq5kUev

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
    • Executable content was dropped or overwritten

      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
    • The process creates files with name similar to system file names

      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
  • INFO

    • Checks supported languages

      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
    • Creates files or folders in the user directory

      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
    • UPX packer has been detected

      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
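The file info line, the "upx" tag and the "UPX packer has been detected" signature all come from the sandbox. A practitioner will usually want to confirm the packer claim from the PE header itself, because UPX leaves a recognisable layout: a first section that is large in memory but has zero bytes on disk (the unpack destination), a second section holding the packed data and the unpacking stub with the entry point inside it, and, unless the sections were renamed, the names UPX0/UPX1. The added example below is not part of the ANY.RUN report. It builds a minimal PE32 header in code, reusing only the SizeOfCode (8192) and SizeOfUninitializedData (24576) values from the EXIF block above (the section addresses, names and entry point are assumptions), then parses the section table and applies both the name check and the layout check, so that a renamed-section build is still caught.

```python
import struct


def build_demo_pe(section_names=(b"UPX0", b"UPX1", b".rsrc")):
    """Constructed, minimal PE32 header used as input (it contains no real code).
    SizeOfCode (0x2000) and SizeOfUninitializedData (0x6000) repeat the values
    in the report; section names, addresses and the entry point are assumptions."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, NumberOfSections, TimeDateStamp, symbol table
    # pointer, symbol count, SizeOfOptionalHeader=0xE0, Characteristics (EXE, 32-bit)
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 4, 0x2000)     # SizeOfCode
    struct.pack_into("<I", opt, 12, 0x6000)    # SizeOfUninitializedData
    struct.pack_into("<I", opt, 16, 0x7130)    # AddressOfEntryPoint (assumed, in the 2nd section)
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    layout = [(0x6000, 0x1000, 0x0000, 0x0000),   # unpack destination: big in memory, 0 bytes on disk
              (0x2000, 0x7000, 0x2000, 0x0400),   # packed data plus unpacking stub
              (0x1000, 0x9000, 0x0200, 0x2400)]   # resources
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\x00"), vs, va, rs, pr, 0, 0, 0, 0, 0)
        for n, (vs, va, rs, pr) in zip(section_names, layout))
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table


def parse_pe(data):
    """Read the fields needed for packer triage from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    size_of_code = struct.unpack_from("<I", data, opt_off + 4)[0]
    uninit = struct.unpack_from("<I", data, opt_off + 12)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "rptr": rptr})
    return {"machine": machine, "pe32": magic == 0x10B, "size_of_code": size_of_code,
            "uninit": uninit, "entry": entry, "sections": sections}


def upx_indicators(pe):
    """Name-based and layout-based UPX heuristics; the layout check survives renamed sections."""
    secs = pe["sections"]
    names = [s["name"] for s in secs]
    upx_named = [n for n in names if n.upper().startswith("UPX")]
    # Packed layout: the first section reserves the unpacked image, so it has a
    # large VirtualSize but no raw bytes on disk.
    empty_first = bool(secs) and secs[0]["rsize"] == 0 and secs[0]["vsize"] > 0
    # The entry point must sit in the section holding the stub, not in the empty one.
    entry_sec = next((s["name"] for s in secs
                      if s["vaddr"] <= pe["entry"] < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    likely = bool(upx_named) or (empty_first and entry_sec is not None and entry_sec != names[0])
    return {"upx_sections": upx_named, "empty_first_section": empty_first,
            "entry_section": entry_sec, "uninit_exceeds_code": pe["uninit"] > pe["size_of_code"],
            "likely_upx": likely}


if __name__ == "__main__":
    print(upx_indicators(parse_pe(build_demo_pe())))
```

To run the same check on the real sample, replace `build_demo_pe()` with the bytes read from the file; the 24576-byte uninitialized region against 8192 bytes of code in the EXIF block is the same "large empty first section" pattern the heuristic looks for, but only the section table settles it.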
All screenshots are available in the full report
Total processes: 119
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #ZOMBIE fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe

Process information

PID: 5472
CMD: "C:\Users\admin\Desktop\fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe"
Path: C:\Users\admin\Desktop\fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules (images loaded by PID 5472)
c:\users\admin\desktop\fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1362
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files (all written by PID 5472, fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe; the report lists nine of the 1362 executable files it counts)

Filename | Type | MD5 | SHA256
(entry shown without filename, type or hashes) | | |
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | 890F5EAEAC3C7752ED4CCA88B533B458 | 04B966A571B7BF3ACFC3A0E08EB15F2F4FBF3AFFD07599F92E1FBAC850BBD8B0
C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | 096914746D415C408B9C8D7BFD4E2478 | 120268F79B27C58DD0480090E2077A1D97DAC242BDD37E590B3047BAB9DCC12F
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | B6AFA63B2B172086462BA68252363E3E | 6BD07F404D2FFF2468EDE3BB73286C336E57CEA07871F0D3740FC94C57BAED0E
C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 7CCA05112F5276CBCFF2D9FC86981914 | DE5F2D53E03AE120039C89C9CB713ED1B9B82B30998D293DBEE266B60F9D9D74
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | 7E280D8C4539509C7D3982E4C9EBE35C | BC12E040F90F33BD7319380837962881D7E93285DBC43EB6F6D22A17DA610279
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | 9930E6841A10E2E83553FCE38B2D7411 | F5CC325464ABDD61EDD38A58579FD3A682C9E4221C1F27F6901CC7DEC0CCF0F0
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | B6AFA63B2B172086462BA68252363E3E | 6BD07F404D2FFF2468EDE3BB73286C336E57CEA07871F0D3740FC94C57BAED0E
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | E77284FEACAACF3718A04FAC2CBB1C19 | A5338571A7FC730382F386B81694BFF575629DEBD751457B88261B6BCF69115B
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | 2C1F5CCBCAA777E1CFEECA3575202E6B | 6911705C4AD83B27CD0BDABA1CBD831019F6490F96573DDE971E3AE9D5E5A0BA
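Two details in the list above matter more than the individual hashes. Seven of the nine paths sit under C:\Users\admin\AppData\Local\VirtualStore, which is where UAC file-system virtualization redirects writes that a 32-bit, medium-integrity process without a requestedExecutionLevel manifest attempts against protected locations (the system drive root, Program Files); the process information above shows exactly that situation (MEDIUM integrity, 32-bit image under WOW64). So the locations the sample actually tried to write were C:\bootmgr.tmp, C:\bootTel.dat.tmp and files under C:\Program Files\Adobe\Acrobat DC\Acrobat, and they were only untouched because this run was not elevated. Second, desktop.ini.tmp and desktop.ini.exe in $Recycle.Bin carry the same MD5 and SHA256, so they are one payload written twice, not two artifacts. The added example below is not part of the ANY.RUN report; it maps each virtualized path back to its intended target, flags borrowed system file names against a watchlist that is an assumption of this example, and clusters the rows by SHA256. The rows are constructed from the table above (the entry shown without a filename is omitted).

```python
import ntpath
from collections import defaultdict

SAMPLE_PID = 5472
# %LOCALAPPDATA%\VirtualStore for the sandbox user "admin", taken from the paths above.
VIRTUAL_STORE = r"C:\Users\admin\AppData\Local\VirtualStore"
# Assumed watchlist of system file names that file-writing malware likes to borrow;
# it is an illustration for this example, not a list from the report.
SYSTEM_NAME_WATCHLIST = {"desktop.ini", "bootmgr", "boottel.dat"}

# Constructed from the "Dropped files" rows above: (path, SHA256).
DROPPED = [
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp",
     "04B966A571B7BF3ACFC3A0E08EB15F2F4FBF3AFFD07599F92E1FBAC850BBD8B0"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp",
     "120268F79B27C58DD0480090E2077A1D97DAC242BDD37E590B3047BAB9DCC12F"),
    (r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp",
     "6BD07F404D2FFF2468EDE3BB73286C336E57CEA07871F0D3740FC94C57BAED0E"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp",
     "DE5F2D53E03AE120039C89C9CB713ED1B9B82B30998D293DBEE266B60F9D9D74"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp",
     "BC12E040F90F33BD7319380837962881D7E93285DBC43EB6F6D22A17DA610279"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp",
     "F5CC325464ABDD61EDD38A58579FD3A682C9E4221C1F27F6901CC7DEC0CCF0F0"),
    (r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe",
     "6BD07F404D2FFF2468EDE3BB73286C336E57CEA07871F0D3740FC94C57BAED0E"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp",
     "A5338571A7FC730382F386B81694BFF575629DEBD751457B88261B6BCF69115B"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp",
     "6911705C4AD83B27CD0BDABA1CBD831019F6490F96573DDE971E3AE9D5E5A0BA"),
]


def devirtualize(path):
    """Map a UAC-virtualized write back to the location the process targeted.
    Virtualization stores the redirected file at
    %LOCALAPPDATA%\\VirtualStore\\<path relative to the system drive root>."""
    prefix = VIRTUAL_STORE + "\\"
    if path.lower().startswith(prefix.lower()):
        return "C:\\" + path[len(prefix):]
    return path


def borrowed_system_name(path):
    """True when the file name, after the trailing .tmp/.exe the sample appends,
    is one of the watched system file names (e.g. desktop.ini.exe -> desktop.ini)."""
    name = ntpath.basename(path)
    stem = name[:-4] if name.lower().endswith(".tmp") else name
    if stem.lower().endswith(".exe"):
        stem = stem[:-4]
    return stem.lower() in SYSTEM_NAME_WATCHLIST


def triage(rows):
    redirected = [(p, devirtualize(p)) for p, _ in rows if devirtualize(p) != p]
    mimics = [p for p, _ in rows if borrowed_system_name(p)]
    by_hash = defaultdict(list)
    for p, sha in rows:
        by_hash[sha.upper()].append(p)
    duplicates = {sha: ps for sha, ps in by_hash.items() if len(ps) > 1}
    return {"redirected": redirected, "mimics": mimics, "duplicates": duplicates}


if __name__ == "__main__":
    result = triage(DROPPED)
    for written, intended in result["redirected"]:
        print(f"redirected: {intended}  (stored at {written})")
    print("system-name mimics:", *result["mimics"], sep="\n  ")
    print("hash clusters:", {k[:12]: v for k, v in result["duplicates"].items()})
```

The same mapping applies to any sandbox report in which a non-elevated sample appears to "drop" files under VirtualStore: the defensive conclusion is about the intended path, and a detection rule keyed only on the VirtualStore copy misses the elevated case.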
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 22
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP:port | URL | Type | Reputation
444 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2736 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
444 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
 | | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

(The CN and Size columns are empty for every row in the report, and one request is listed without a PID or process.)

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
444 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2736 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 104.126.37.144:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
444 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2736 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
444 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
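The counts in the header (6 HTTP requests, 22 TCP/UDP connections, 8 DNS requests) are for the whole guest, not for the sample. Every row that carries a PID belongs to RUXIMICS.exe, MoUsoCoreWorker.exe, svchost.exe or System (CRL downloads, Windows Update telemetry and NetBIOS broadcasts), and PID 5472, the only monitored and only malicious process, appears in none of them; the two rows without a PID cannot be attributed from this page at all. The added example below is not part of the ANY.RUN report. It takes the rows above (constructed here as tuples), attributes each one to the sample, to OS background traffic, or to an unattributed bucket that needs the PCAP and process tree, and uses a background allowlist that is an assumption of this example rather than anything the report states.

```python
from urllib.parse import urlsplit

SAMPLE_PIDS = {5472}
# Assumed allowlist of OS background-noise destinations for this example.
BACKGROUND_SUFFIXES = (".microsoft.com", ".bing.com")
NETBIOS_PORTS = {137, 138}

# Constructed from the HTTP requests and Connections tables above:
# (pid, process, destination, host or URL). None marks a field the report leaves blank.
FLOWS = [
    (444,  "RUXIMICS.exe",        "23.216.77.28:80",     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (4712, "MoUsoCoreWorker.exe", "23.216.77.28:80",     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (2736, "svchost.exe",         "23.216.77.28:80",     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (444,  "RUXIMICS.exe",        "184.30.21.171:80",    "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (None, None,                  "184.30.21.171:80",    "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (4712, "MoUsoCoreWorker.exe", "184.30.21.171:80",    "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (444,  "RUXIMICS.exe",        "20.73.194.208:443",   "settings-win.data.microsoft.com"),
    (4,    "System",              "192.168.100.255:137", None),
    (4712, "MoUsoCoreWorker.exe", "20.73.194.208:443",   "settings-win.data.microsoft.com"),
    (2736, "svchost.exe",         "20.73.194.208:443",   "settings-win.data.microsoft.com"),
    (None, None,                  "104.126.37.144:443",  "www.bing.com"),
    (4,    "System",              "192.168.100.255:138", None),
    (444,  "RUXIMICS.exe",        "23.216.77.28:80",     "crl.microsoft.com"),
    (4712, "MoUsoCoreWorker.exe", "23.216.77.28:80",     "crl.microsoft.com"),
    (2736, "svchost.exe",         "23.216.77.28:80",     "crl.microsoft.com"),
    (444,  "RUXIMICS.exe",        "184.30.21.171:80",    "www.microsoft.com"),
]


def host_of(value):
    """Accept either a bare domain (Connections table) or a URL (HTTP table)."""
    if value is None:
        return None
    if "://" in value:
        return urlsplit(value).hostname
    return value


def is_background(dest, host):
    ip, _, port = dest.rpartition(":")
    # NetBIOS name-service/datagram broadcasts from the System process.
    if host is None and ip.endswith(".255") and port.isdigit() and int(port) in NETBIOS_PORTS:
        return True
    return host is not None and any(host == s[1:] or host.endswith(s) for s in BACKGROUND_SUFFIXES)


def attribute(flows, sample_pids=SAMPLE_PIDS):
    """Split flows into sample-originated, OS background, other, and unattributed.
    A row with no PID is never assumed benign just because its host is whitelisted."""
    buckets = {"sample": [], "background": [], "other": [], "unattributed": []}
    for pid, proc, dest, raw in flows:
        host = host_of(raw)
        if pid is None:
            buckets["unattributed"].append((dest, host))
        elif pid in sample_pids:
            buckets["sample"].append((proc, dest, host))
        elif is_background(dest, host):
            buckets["background"].append((proc, dest, host))
        else:
            buckets["other"].append((proc, dest, host))
    return buckets


if __name__ == "__main__":
    for name, rows in attribute(FLOWS).items():
        print(f"{name}: {len(rows)}")
```

With this split the report's network section reduces to "no traffic attributable to PID 5472 and two rows that need the PCAP", which is the statement worth carrying into an incident record instead of the raw counts.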

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 4.231.128.59
whitelisted
www.bing.com
  • 104.126.37.144
  • 104.126.37.145
  • 104.126.37.137
  • 104.126.37.136
  • 104.126.37.153
  • 104.126.37.139
  • 104.126.37.154
  • 104.126.37.162
  • 104.126.37.155
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.189.173.7
whitelisted

Threats

No threats detected
No debug info