File 22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133

Size 1.8MB
Type PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5 e021760f40b14e88cfe5c58421b32d86
SHA1 1f869f22c3e597e82640db6ebe8d2038b846355d
SHA256 22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133
SHA512 a6a3e1110a98d7b341814a2fb9a63e196a491698481b438ee1551131f9227761fbcfcd4478bec7ff561391dc339ad8f23c9374e82db8c4e2b36d817b4e15a7e9
CRC32 8AFBC83B
ssdeep None
Yara
  • suspicious_packer_section - The packer/protector section names/keywords

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category: FILE
Started: Jan. 25, 2025, 7:18 a.m.
Completed: Jan. 25, 2025, 7:25 a.m.
Duration: 382 seconds
Routing: internet

Analyzer Log

2025-01-21 09:08:14,030 [analyzer] DEBUG: Starting analyzer from: C:\tmpwwr_kc
2025-01-21 09:08:14,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\DWwSnPUwcDGoIcMbgGbwpnJnI
2025-01-21 09:08:14,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\gjtJmEcbdHymrmkpveJidEeght
2025-01-21 09:08:14,342 [analyzer] DEBUG: Started auxiliary module Curtain
2025-01-21 09:08:14,342 [analyzer] DEBUG: Started auxiliary module DbgView
2025-01-21 09:08:14,828 [analyzer] DEBUG: Started auxiliary module Disguise
2025-01-21 09:08:15,092 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-01-21 09:08:15,092 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-01-21 09:08:15,092 [analyzer] DEBUG: Started auxiliary module Human
2025-01-21 09:08:15,092 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-01-21 09:08:15,092 [analyzer] DEBUG: Started auxiliary module Reboot
2025-01-21 09:08:15,203 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-01-21 09:08:15,203 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-01-21 09:08:15,203 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-01-21 09:08:15,203 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-01-21 09:08:15,342 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe' with arguments '' and pid 1056
2025-01-21 09:08:15,562 [analyzer] DEBUG: Loaded monitor into process with pid 1056
2025-01-21 09:08:15,717 [analyzer] INFO: Added new file to list with pid 1056 and path C:\Users\Administrator\AppData\Local\Temp\22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
2025-01-21 09:08:15,858 [analyzer] INFO: Injected into process with pid 2636 and name ''
2025-01-21 09:08:16,000 [analyzer] DEBUG: Loaded monitor into process with pid 2636
2025-01-21 09:08:16,342 [analyzer] INFO: Process with pid 1056 has terminated
2025-01-21 09:08:18,342 [analyzer] INFO: Process with pid 2636 has terminated
2025-01-21 09:08:18,342 [analyzer] INFO: Process list is empty, terminating analysis.
2025-01-21 09:08:19,592 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-01-21 09:08:19,655 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-01-25 07:18:50,646 [cuckoo.core.scheduler] DEBUG: Task #5822183: no machine available yet
2025-01-25 07:18:51,679 [cuckoo.core.scheduler] DEBUG: Task #5822183: no machine available yet
2025-01-25 07:18:52,729 [cuckoo.core.scheduler] DEBUG: Task #5822183: no machine available yet
2025-01-25 07:18:53,791 [cuckoo.core.scheduler] INFO: Task #5822183: acquired machine win7x645 (label=win7x645)
2025-01-25 07:18:53,792 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.205 for task #5822183
2025-01-25 07:18:54,173 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1323681 (interface=vboxnet0, host=192.168.168.205)
2025-01-25 07:18:55,919 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x645
2025-01-25 07:18:56,789 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x645 to vmcloak
2025-01-25 07:22:22,704 [cuckoo.core.guest] INFO: Starting analysis #5822183 on guest (id=win7x645, ip=192.168.168.205)
2025-01-25 07:22:23,712 [cuckoo.core.guest] DEBUG: win7x645: not ready yet
2025-01-25 07:22:28,742 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x645, ip=192.168.168.205)
2025-01-25 07:22:28,834 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x645, ip=192.168.168.205, monitor=latest, size=6660546)
2025-01-25 07:22:30,353 [cuckoo.core.resultserver] DEBUG: Task #5822183: live log analysis.log initialized.
2025-01-25 07:22:31,391 [cuckoo.core.resultserver] DEBUG: Task #5822183 is sending a BSON stream
2025-01-25 07:22:31,850 [cuckoo.core.resultserver] DEBUG: Task #5822183 is sending a BSON stream
2025-01-25 07:22:32,285 [cuckoo.core.resultserver] DEBUG: Task #5822183 is sending a BSON stream
2025-01-25 07:22:32,504 [cuckoo.core.resultserver] DEBUG: Task #5822183: File upload for 'files/22eead17d837dc8d_old_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe'
2025-01-25 07:22:32,755 [cuckoo.core.resultserver] DEBUG: Task #5822183: File upload for 'shots/0001.jpg'
2025-01-25 07:22:32,783 [cuckoo.core.resultserver] DEBUG: Task #5822183 uploaded file length: 1835009
2025-01-25 07:22:32,803 [cuckoo.core.resultserver] DEBUG: Task #5822183 uploaded file length: 117213
2025-01-25 07:22:34,949 [cuckoo.core.resultserver] DEBUG: Task #5822183: File upload for 'shots/0002.jpg'
2025-01-25 07:22:34,967 [cuckoo.core.resultserver] DEBUG: Task #5822183 uploaded file length: 133485
2025-01-25 07:22:35,797 [cuckoo.core.resultserver] DEBUG: Task #5822183: File upload for 'curtain/1737446899.44.curtain.log'
2025-01-25 07:22:35,800 [cuckoo.core.resultserver] DEBUG: Task #5822183 uploaded file length: 36
2025-01-25 07:22:35,944 [cuckoo.core.resultserver] DEBUG: Task #5822183: File upload for 'sysmon/1737446899.58.sysmon.xml'
2025-01-25 07:22:35,955 [cuckoo.core.resultserver] DEBUG: Task #5822183 uploaded file length: 596820
2025-01-25 07:22:35,969 [cuckoo.core.resultserver] DEBUG: Task #5822183: File upload for 'files/4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe'
2025-01-25 07:22:36,018 [cuckoo.core.resultserver] DEBUG: Task #5822183 uploaded file length: 1835009
2025-01-25 07:22:36,041 [cuckoo.core.resultserver] DEBUG: Task #5822183 had connection reset for <Context for LOG>
2025-01-25 07:22:38,966 [cuckoo.core.guest] INFO: win7x645: analysis completed successfully
2025-01-25 07:22:38,979 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-01-25 07:22:39,008 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-01-25 07:22:40,213 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x645 to path /srv/cuckoo/cwd/storage/analyses/5822183/memory.dmp
2025-01-25 07:22:40,214 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x645
2025-01-25 07:25:11,877 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.205 for task #5822183
2025-01-25 07:25:12,280 [cuckoo.core.scheduler] DEBUG: Released database task #5822183
2025-01-25 07:25:12,307 [cuckoo.core.scheduler] INFO: Task #5822183: analysis procedure completed

Signatures

Yara rule detected for file (1 event)
rule: suspicious_packer_section
description: The packer/protector section names/keywords
Allocates read-write-execute memory (usually to unpack itself) (48 events)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 536875008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cf0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 1622016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x21d00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 1695744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x21e90000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 1650688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 57344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00411000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00414000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00415000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1056
region_size: 1560576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00416000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 536875008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ce0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1622016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x21cf0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1695744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x21e80000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1650688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 57344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00411000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00414000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00415000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1560576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00416000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1650688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1581056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00409000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1523712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0057e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00580000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00581000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1523712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x23850000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1581056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x239d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1556480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1228800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 86016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00543000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00567000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00569000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00575000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .reltc
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
InternalLcidToName+0xbec GetCalendar-0x66 kernelbase+0x202a9 @ 0x770302a9
GetCalendar+0x624 GetNamedLocaleHashNode-0x158 kernelbase+0x20933 @ 0x77030933
GetNamedLocaleHashNode+0x56 GetCPHashNode-0x246 kernelbase+0x20ae1 @ 0x77030ae1
OpenRegKey+0xa2e GetNLSVersion-0x1b96 kernelbase+0x3492d @ 0x7704492d
OpenRegKey+0xc45 GetNLSVersion-0x197f kernelbase+0x34b44 @ 0x77044b44
NlsValidateLocale+0x10 GetStringTableEntry-0x1e kernelbase+0x23f75 @ 0x77033f75
InternalLcidToName+0x13 GetCalendar-0xc3f kernelbase+0x1f6d0 @ 0x7702f6d0
CompareStringW+0xf FindNLSString-0x32 kernelbase+0x22ea2 @ 0x77032ea2
CompareStringA+0x13d GetLocaleInfoA-0x88 kernelbase+0x21715 @ 0x77031715
lstrcmp+0x24 lstrcmpi-0x66 kernelbase+0xac29 @ 0x7701ac29
WSAGetOverlappedResult+0x9c1 WahCreateHandleContextTable-0x1b ws2_32+0x7e4a @ 0x75ff7e4a
WahOpenApcHelper+0x8a4 gethostname-0x1334 ws2_32+0x8d27 @ 0x75ff8d27
WahOpenApcHelper+0x847 gethostname-0x1391 ws2_32+0x8cca @ 0x75ff8cca
New_ws2_32_WSAStartup@8+0xcb New_ws2_32_accept@12-0x64 @ 0x733ebd03
MHD_is_feature_supported+0x44 MHD_http_unescape-0x13c 22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133+0x861f4 @ 0x4861f4
0x239d8749
0x239d87b0
MHD_get_connection_values-0x7a846 22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133+0x15fa @ 0x4015fa

exception.instruction_r: 39 17 74 26 8b cf 8b 7f 24 85 ff 75 f3 83 66 24
exception.symbol: CheckTokenMembership+0xd1d InternalLcidToName-0x27a kernelbase+0x1f443
exception.instruction: cmp dword ptr [edi], edx
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000005
exception.offset: 128067
exception.address: 0x7702f443
registers.esp: 27783256
registers.edi: 1262761285
registers.eax: 4
registers.ebp: 27783268
registers.edx: 1033
registers.ebx: 0
registers.esi: 30247688
registers.ecx: 1262761285
1 0 0

__exception__

stacktrace:
RtlKnownExceptionFilter+0xb7 EtwEventWriteNoRegistration-0x49 ntdll+0x774ff @ 0x778574ff
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77819f45

exception.instruction_r: f3 ab 8b 44 24 20 3b 45 0c 0f 8f 4e 30 00 00 8b
exception.symbol: MHD_get_connection_values-0x74680 22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133+0x77c0
exception.instruction: stosd dword ptr es:[edi], eax
exception.module: 22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
exception.exception_code: 0xc0000005
exception.offset: 30656
exception.address: 0x4077c0
registers.esp: 27781280
registers.edi: 4803456
registers.eax: 4224960
registers.ebp: 27781412
registers.edx: 0
registers.ebx: 27781460
registers.esi: 1981547276
registers.ecx: 1967424268
1 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator\AppData\Local\Temp\22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
Drops a binary and executes it (1 event)
file C:\Users\Administrator\AppData\Local\Temp\22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator\AppData\Local\Temp\old_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
file C:\Users\Administrator\AppData\Local\Temp\22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
The executable is compressed using UPX (2 events)
section UPX0 description Section name indicates UPX
section UPX2 description Section name indicates UPX
File has been identified by 14 AntiVirus engines on IRMA as malicious (14 events)
G Data Antivirus (Windows) Virus: Trojan.Generic.37249517 (Engine A)
Avast Core Security (Linux) Win32:Evo-gen [Trj]
C4S ClamAV (Linux) Win.Malware.Genkryptik-10040056-0
Windows Defender (Windows) Trojan:Win32/Copak.GPXA!MTB
Microsoft Defender ATP (Linux) Trojan:Win32/Copak
Sophos Anti-Virus (Linux) Mal/Generic-S
eScan Antivirus (Linux) Trojan.Generic.37249517(DB)
ESET Security (Windows) a variant of Win32/GenKryptik.FGBK trojan
McAfee CLI scanner (Linux) GenericRXPS-ZX
DrWeb Antivirus (Linux) Trojan.BtcMine.3724
ClamAV (Linux) Win.Malware.Genkryptik-10040056-0
Bitdefender Antivirus (Linux) Trojan.Generic.37249517
Kaspersky Standard (Windows) HEUR:Trojan.Win32.Generic
Emsisoft Commandline Scanner (Windows) Trojan.Generic.37249517 (B)
File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)
Bkav W32.AIDetectMalware
tehtris Generic.Malware
Skyhigh BehavesLike.Win32.Generic.tm
Cylance Unsafe
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (D)
K7GW Trojan ( 005a0d3d1 )
K7AntiVirus Trojan ( 005a0d3d1 )
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/GenKryptik.FGBK
APEX Malicious
Avast Win32:Evo-gen [Trj]
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Generic
NANO-Antivirus Trojan.Win32.BtcMine.jvlrdu
Rising Trojan.Kryptik!1.D12D (CLASSIC)
F-Secure Heuristic.HEUR/AGEN.1368481
DrWeb Trojan.BtcMine.3724
Zillya Trojan.Injector.Win32.1064723
McAfeeD Real Protect-LS!E021760F40B1
Sophos ML/PE-A
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.e021760f40b14e88
Webroot W32.Trojan.Gen
Google Detected
Avira HEUR/AGEN.1368481
Antiy-AVL Trojan/Win32.GenKryptik
Gridinsoft Ransom.Win32.Wacatac.oa!s2
Xcitium Packed.Win32.MUPX.Gen@24tbus
Microsoft Trojan:Win32/Copak.GPXA!MTB
Varist W32/Copak.F.gen!Eldorado
AhnLab-V3 Trojan/Win.Generic.R554362
McAfee GenericRXPS-ZX!E021760F40B1
DeepInstinct MALICIOUS
VBA32 Trojan.Copak
Malwarebytes Trojan.MalPack.Generic
Ikarus Trojan.Win32.Injector
Panda Trj/Genetic.gen
Tencent Trojan.Win32.Kryptik.hch
Fortinet W32/GenKryptik.CRNJ!tr
AVG Win32:Evo-gen [Trj]
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.