File e37ac6dc5df5eb1a_7za.exe

Size 803.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b2e01d616f24281676d5b13be8788d7e
SHA1 f99d1e1e9539c474e81e99da96e2ac65d69ba061
SHA256 e37ac6dc5df5eb1ae74328d9f1a358eb52ed79c7025d75ec851f1720d68060d5
SHA512 a2576a7140bac19b9c5879d34911b2556b8f578c7dc0c0bd3cbce88d56a7bc506caafcbc8fb6ed6c4ab7a194b4b26fdc024efecd3f6079c7f53aaff1d55e7bc7
CRC32 9BB3BDAC
ssdeep None
Yara
  • DebuggerException__SetConsoleCtrl - (no description)
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: The scoring system is currently still in development and should be considered an alpha feature.


Autosubmit

Parent_Task_ID: 5653276


Information on Execution

Analysis
Category: FILE
Started: Dec. 14, 2024, 5 p.m.
Completed: Dec. 14, 2024, 5:08 p.m.
Duration: 454 seconds
Routing: internet

Analyzer Log

2024-12-11 11:03:38,030 [analyzer] DEBUG: Starting analyzer from: C:\tmpf7a_02
2024-12-11 11:03:38,046 [analyzer] DEBUG: Pipe server name: \??\PIPE\vvGdXlDJGykluiBFuoLfuagJVUqK
2024-12-11 11:03:38,046 [analyzer] DEBUG: Log pipe server name: \??\PIPE\QvyyUsQeAlMvJpIxHL
2024-12-11 11:03:38,046 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2024-12-11 11:03:38,062 [analyzer] INFO: Automatically selected analysis package "exe"
2024-12-11 11:03:38,375 [analyzer] DEBUG: Started auxiliary module Curtain
2024-12-11 11:03:38,375 [analyzer] DEBUG: Started auxiliary module DbgView
2024-12-11 11:03:38,875 [analyzer] DEBUG: Started auxiliary module Disguise
2024-12-11 11:03:39,092 [analyzer] DEBUG: Loaded monitor into process with pid 504
2024-12-11 11:03:39,092 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2024-12-11 11:03:39,092 [analyzer] DEBUG: Started auxiliary module Human
2024-12-11 11:03:39,092 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2024-12-11 11:03:39,092 [analyzer] DEBUG: Started auxiliary module Reboot
2024-12-11 11:03:39,203 [analyzer] DEBUG: Started auxiliary module RecentFiles
2024-12-11 11:03:39,203 [analyzer] DEBUG: Started auxiliary module Screenshots
2024-12-11 11:03:39,217 [analyzer] DEBUG: Started auxiliary module Sysmon
2024-12-11 11:03:39,217 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2024-12-11 11:03:39,358 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\e37ac6dc5df5eb1a_7za.exe' with arguments '' and pid 2748
2024-12-11 11:03:39,546 [analyzer] DEBUG: Loaded monitor into process with pid 2748
2024-12-11 11:03:39,546 [analyzer] INFO: Added new file to list with pid 2748 and path C:\Users\Administrator\AppData\Local\Temp\3582-490\e37ac6dc5df5eb1a_7za.exe
2024-12-11 11:03:39,780 [analyzer] INFO: Injected into process with pid 2232 and name u'e37ac6dc5df5eb1a_7za.exe'
2024-12-11 11:03:39,780 [analyzer] INFO: Added new file to list with pid 2748 and path C:\Windows\svchost.com
2024-12-11 11:03:39,812 [analyzer] INFO: Added new file to list with pid 2748 and path C:\MSOCache\All Users\{90140000-0012-0000-1000-0000000FF1CE}-C\ose.exe
2024-12-11 11:03:39,842 [analyzer] INFO: Added new file to list with pid 2748 and path C:\MSOCache\All Users\{90140000-0012-0000-1000-0000000FF1CE}-C\setup.exe
2024-12-11 11:03:39,890 [analyzer] INFO: Added new file to list with pid 2748 and path C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE
2024-12-11 11:03:39,905 [analyzer] INFO: Added new file to list with pid 2748 and path C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe
2024-12-11 11:03:39,937 [analyzer] DEBUG: Loaded monitor into process with pid 2232
2024-12-11 11:03:39,937 [analyzer] INFO: Added pid 2232 for u'C:\\Users\\Administrator\\AppData\\Local\\Temp\\3582-490\\e37ac6dc5df5eb1a_7za.exe'
2024-12-11 11:03:40,092 [analyzer] INFO: Injected into process with pid 580 and name u'svchost.com'
2024-12-11 11:03:40,108 [analyzer] INFO: Added pid 2232 for u'C:\\Windows\\svchost.com'
2024-12-11 11:03:40,250 [analyzer] DEBUG: Loaded monitor into process with pid 580
2024-12-11 11:03:40,250 [analyzer] INFO: Added new file to list with pid 580 and path C:\Windows\directx.sys
2024-12-11 11:06:58,358 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2024-12-11 11:07:00,437 [analyzer] INFO: Terminating remaining processes before shutdown.
2024-12-11 11:07:00,437 [lib.api.process] INFO: Successfully terminated process with pid 2748.
2024-12-11 11:07:00,437 [lib.api.process] INFO: Successfully terminated process with pid 2232.
2024-12-11 11:07:00,515 [analyzer] INFO: Analysis completed.

Cuckoo Log

2024-12-14 17:00:39,434 [cuckoo.core.scheduler] INFO: Task #5654408: acquired machine win7x6427 (label=win7x6427)
2024-12-14 17:00:39,435 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.227 for task #5654408
2024-12-14 17:00:39,810 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 233958 (interface=vboxnet0, host=192.168.168.227)
2024-12-14 17:00:40,668 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6427
2024-12-14 17:00:41,314 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6427 to vmcloak
2024-12-14 17:03:16,452 [cuckoo.core.guest] INFO: Starting analysis #5654408 on guest (id=win7x6427, ip=192.168.168.227)
2024-12-14 17:03:17,458 [cuckoo.core.guest] DEBUG: win7x6427: not ready yet
2024-12-14 17:03:22,507 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6427, ip=192.168.168.227)
2024-12-14 17:03:22,636 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6427, ip=192.168.168.227, monitor=latest, size=6660546)
2024-12-14 17:03:24,012 [cuckoo.core.resultserver] DEBUG: Task #5654408: live log analysis.log initialized.
2024-12-14 17:03:25,027 [cuckoo.core.resultserver] DEBUG: Task #5654408 is sending a BSON stream
2024-12-14 17:03:25,459 [cuckoo.core.resultserver] DEBUG: Task #5654408 is sending a BSON stream
2024-12-14 17:03:25,849 [cuckoo.core.resultserver] DEBUG: Task #5654408 is sending a BSON stream
2024-12-14 17:03:25,946 [cuckoo.core.resultserver] DEBUG: Task #5654408: File upload for 'files/4dc9c9cf89b72402_e37ac6dc5df5eb1a_7za.exe'
2024-12-14 17:03:25,968 [cuckoo.core.resultserver] DEBUG: Task #5654408 uploaded file length: 781312
2024-12-14 17:03:26,104 [cuckoo.core.resultserver] DEBUG: Task #5654408: File upload for 'files/980bac6c9afe8efc_svchost.com'
2024-12-14 17:03:26,107 [cuckoo.core.resultserver] DEBUG: Task #5654408 uploaded file length: 41472
2024-12-14 17:03:26,162 [cuckoo.core.resultserver] DEBUG: Task #5654408 is sending a BSON stream
2024-12-14 17:03:26,367 [cuckoo.core.resultserver] DEBUG: Task #5654408: File upload for 'shots/0001.jpg'
2024-12-14 17:03:26,419 [cuckoo.core.resultserver] DEBUG: Task #5654408 uploaded file length: 133541
2024-12-14 17:03:38,710 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:03:53,827 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:04:08,930 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:04:24,130 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:04:39,304 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:04:54,415 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:05:09,543 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:05:24,851 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:05:40,018 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:05:55,150 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:06:10,287 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:06:25,437 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:06:40,520 [cuckoo.core.guest] DEBUG: win7x6427: analysis #5654408 still processing
2024-12-14 17:06:44,599 [cuckoo.core.resultserver] DEBUG: Task #5654408: File upload for 'curtain/1733911618.47.curtain.log'
2024-12-14 17:06:44,602 [cuckoo.core.resultserver] DEBUG: Task #5654408 uploaded file length: 36
2024-12-14 17:06:46,362 [cuckoo.core.resultserver] DEBUG: Task #5654408: File upload for 'sysmon/1733911620.23.sysmon.xml'
2024-12-14 17:06:46,556 [cuckoo.core.resultserver] DEBUG: Task #5654408 uploaded file length: 27003258
2024-12-14 17:06:46,593 [cuckoo.core.resultserver] DEBUG: Task #5654408: File upload for 'files/0d49226b68b857ce_setup.exe'
2024-12-14 17:06:46,606 [cuckoo.core.resultserver] DEBUG: Task #5654408 uploaded file length: 1419128
2024-12-14 17:06:46,615 [cuckoo.core.resultserver] DEBUG: Task #5654408: File upload for 'files/ead58c483cb20bcd_dw20.exe'
2024-12-14 17:06:46,624 [cuckoo.core.resultserver] DEBUG: Task #5654408 uploaded file length: 880008
2024-12-14 17:06:46,629 [cuckoo.core.resultserver] DEBUG: Task #5654408: File upload for 'files/d387e1092ebc476e_ose.exe'
2024-12-14 17:06:46,632 [cuckoo.core.resultserver] DEBUG: Task #5654408: File upload for 'files/9a67594de8d73cdc_directx.sys'
2024-12-14 17:06:46,633 [cuckoo.core.resultserver] DEBUG: Task #5654408 uploaded file length: 60
2024-12-14 17:06:46,635 [cuckoo.core.resultserver] DEBUG: Task #5654408 uploaded file length: 215912
2024-12-14 17:06:46,638 [cuckoo.core.resultserver] DEBUG: Task #5654408: File upload for 'files/593e60cc30ae0789_dwtrig20.exe'
2024-12-14 17:06:46,645 [cuckoo.core.resultserver] DEBUG: Task #5654408 uploaded file length: 561056
2024-12-14 17:06:46,657 [cuckoo.core.resultserver] DEBUG: Task #5654408 had connection reset for <Context for LOG>
2024-12-14 17:06:49,567 [cuckoo.core.guest] INFO: win7x6427: analysis completed successfully
2024-12-14 17:06:49,579 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2024-12-14 17:06:49,604 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2024-12-14 17:06:50,484 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6427 to path /srv/cuckoo/cwd/storage/analyses/5654408/memory.dmp
2024-12-14 17:06:50,485 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6427
2024-12-14 17:08:13,343 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.227 for task #5654408
2024-12-14 17:08:13,755 [cuckoo.core.scheduler] DEBUG: Released database task #5654408
2024-12-14 17:08:13,775 [cuckoo.core.scheduler] INFO: Task #5654408: analysis procedure completed

Signatures

Yara rules detected for file (8 events)
  • DebuggerException__SetConsoleCtrl - (no description)
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
Creates executable files on the filesystem (6 events)
file C:\Users\Administrator\AppData\Local\Temp\3582-490\e37ac6dc5df5eb1a_7za.exe
file C:\MSOCache\All Users\{90140000-0012-0000-1000-0000000FF1CE}-C\setup.exe
file C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE
file C:\MSOCache\All Users\{90140000-0012-0000-1000-0000000FF1CE}-C\ose.exe
file C:\Windows\svchost.com
file C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe
Creates a suspicious process (1 event)
cmdline "C:\Windows\svchost.com" "C:\Users\ADMINI~1\AppData\Local\Temp\3582-490\E37AC6~1.EXE"
Drops a binary and executes it (2 events)
file C:\Users\Administrator\AppData\Local\Temp\3582-490\e37ac6dc5df5eb1a_7za.exe
file C:\Windows\svchost.com
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator\AppData\Local\Temp\3582-490\e37ac6dc5df5eb1a_7za.exe
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default) reg_value C:\Windows\svchost.com "%1" %*
Deletes executed files from disk (1 event)
file C:\Windows\svchost.com
File has been identified by 16 AntiVirus engines on IRMA as malicious (16 events)
G Data Antivirus (Windows) Virus: Win32.Neshta.A (Engine A), Win32.Virus.Neshta.D (Engine B)
Avast Core Security (Linux) Win32:Apanas [Trj]
C4S ClamAV (Linux) Win.Trojan.Neshuta-1
F-Secure Antivirus (Linux) Malware.W32/Neshta.A [Aquarius]
Windows Defender (Windows) Virus:Win32/Neshta.A
Forticlient (Linux) W32/Generic.AC.171!tr
Sophos Anti-Virus (Linux) W32/Neshta-D
eScan Antivirus (Linux) Win32.Neshta.A(DB)
ESET Security (Windows) Win32/Neshta.A virus
McAfee CLI scanner (Linux) W32/HLLP.41472.e virus
DrWeb Antivirus (Linux) Win32.HLLP.Neshta
Trend Micro SProtect (Linux) PE_NESHTA.A
ClamAV (Linux) Win.Trojan.Neshuta-1
Bitdefender Antivirus (Linux) Win32.Neshta.A
Kaspersky Standard (Windows) Virus.Win32.Neshta.a
Emsisoft Commandline Scanner (Windows) Win32.Neshta.A (B)
Screenshots
Name / Response / Post-Analysis Lookup: No hosts contacted.
IP Address / Status / Action / VT / Location: No hosts contacted.