File 4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe

Size 1.8MB
Type PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5 ff949228b1e9245b708f285ed4456b32
SHA1 95c2ac12cff323d1a4082ff236ddf0653f4ef403
SHA256 4e128bdcf46eb165cdf2d52e5d53a43c65bd330831f3a981f32b4134c3022399
SHA512 303959c2df60b7605c0014ec7881bb47d216553ce5b9530197431cb8433c043a4efdf865eea24a2238ef0452659f12986a3cc67bec160b73bfcd82ef6204ee36
CRC32 9520EA77
ssdeep None
Yara
  • suspicious_packer_section - The packer/protector section names/keywords

Score

This file is very suspicious, with a score of 8.9 out of 10!

Please note: the scoring system is still under development and should be considered an alpha feature.


Autosubmit

Parent_Task_ID: 5822183


Information on Execution

Analysis
Category: FILE
Started: Jan. 29, 2025, 12:22 p.m.
Completed: Jan. 29, 2025, 12:27 p.m.
Duration: 299 seconds
Routing: internet

Analyzer Log

2025-01-25 06:25:54,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpht3fil
2025-01-25 06:25:54,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\NzbBsyVCrHvkkaGLDcXfLCWKBGqDNDhe
2025-01-25 06:25:54,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\KMdgjErgfSwJOCylthKxll
2025-01-25 06:25:54,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-01-25 06:25:54,046 [analyzer] INFO: Automatically selected analysis package "exe"
2025-01-25 06:25:54,358 [analyzer] DEBUG: Started auxiliary module Curtain
2025-01-25 06:25:54,358 [analyzer] DEBUG: Started auxiliary module DbgView
2025-01-25 06:25:54,890 [analyzer] DEBUG: Started auxiliary module Disguise
2025-01-25 06:25:55,108 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-01-25 06:25:55,108 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-01-25 06:25:55,108 [analyzer] DEBUG: Started auxiliary module Human
2025-01-25 06:25:55,108 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-01-25 06:25:55,108 [analyzer] DEBUG: Started auxiliary module Reboot
2025-01-25 06:25:55,171 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-01-25 06:25:55,171 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-01-25 06:25:55,171 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-01-25 06:25:55,171 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-01-25 06:25:55,328 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe' with arguments '' and pid 2888
2025-01-25 06:25:55,546 [analyzer] DEBUG: Loaded monitor into process with pid 2888
2025-01-25 06:25:55,717 [analyzer] INFO: Added new file to list with pid 2888 and path C:\Users\Administrator\AppData\Local\Temp\4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
2025-01-25 06:25:55,858 [analyzer] INFO: Injected into process with pid 3048 and name ''
2025-01-25 06:25:56,000 [analyzer] DEBUG: Loaded monitor into process with pid 3048
2025-01-25 06:25:56,328 [analyzer] INFO: Process with pid 2888 has terminated
2025-01-25 06:25:57,390 [analyzer] INFO: Process with pid 3048 has terminated
2025-01-25 06:25:57,390 [analyzer] INFO: Process list is empty, terminating analysis.
2025-01-25 06:25:58,608 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-01-25 06:25:58,703 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-01-29 12:22:49,820 [cuckoo.core.scheduler] INFO: Task #5848328: acquired machine win7x6411 (label=win7x6411)
2025-01-29 12:22:49,821 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.211 for task #5848328
2025-01-29 12:22:50,185 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1423189 (interface=vboxnet0, host=192.168.168.211)
2025-01-29 12:22:51,273 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6411
2025-01-29 12:22:52,268 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6411 to vmcloak
2025-01-29 12:25:18,579 [cuckoo.core.guest] INFO: Starting analysis #5848328 on guest (id=win7x6411, ip=192.168.168.211)
2025-01-29 12:25:19,591 [cuckoo.core.guest] DEBUG: win7x6411: not ready yet
2025-01-29 12:25:24,620 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6411, ip=192.168.168.211)
2025-01-29 12:25:24,898 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6411, ip=192.168.168.211, monitor=latest, size=6660546)
2025-01-29 12:25:26,442 [cuckoo.core.resultserver] DEBUG: Task #5848328: live log analysis.log initialized.
2025-01-29 12:25:27,490 [cuckoo.core.resultserver] DEBUG: Task #5848328 is sending a BSON stream
2025-01-29 12:25:27,928 [cuckoo.core.resultserver] DEBUG: Task #5848328 is sending a BSON stream
2025-01-29 12:25:28,388 [cuckoo.core.resultserver] DEBUG: Task #5848328 is sending a BSON stream
2025-01-29 12:25:28,593 [cuckoo.core.resultserver] DEBUG: Task #5848328: File upload for 'files/4e128bdcf46eb165_old_4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe'
2025-01-29 12:25:28,630 [cuckoo.core.resultserver] DEBUG: Task #5848328 uploaded file length: 1835009
2025-01-29 12:25:28,729 [cuckoo.core.resultserver] DEBUG: Task #5848328: File upload for 'shots/0001.jpg'
2025-01-29 12:25:28,740 [cuckoo.core.resultserver] DEBUG: Task #5848328 uploaded file length: 115697
2025-01-29 12:25:29,849 [cuckoo.core.resultserver] DEBUG: Task #5848328: File upload for 'shots/0002.jpg'
2025-01-29 12:25:29,863 [cuckoo.core.resultserver] DEBUG: Task #5848328 uploaded file length: 133469
2025-01-29 12:25:30,923 [cuckoo.core.resultserver] DEBUG: Task #5848328: File upload for 'curtain/1737782758.47.curtain.log'
2025-01-29 12:25:30,927 [cuckoo.core.resultserver] DEBUG: Task #5848328 uploaded file length: 36
2025-01-29 12:25:31,059 [cuckoo.core.resultserver] DEBUG: Task #5848328: File upload for 'sysmon/1737782758.61.sysmon.xml'
2025-01-29 12:25:31,067 [cuckoo.core.resultserver] DEBUG: Task #5848328 uploaded file length: 429552
2025-01-29 12:25:31,080 [cuckoo.core.resultserver] DEBUG: Task #5848328: File upload for 'files/e7df55d320f1fad1_4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe'
2025-01-29 12:25:31,149 [cuckoo.core.resultserver] DEBUG: Task #5848328 uploaded file length: 1835009
2025-01-29 12:25:31,999 [cuckoo.core.resultserver] DEBUG: Task #5848328 had connection reset for <Context for LOG>
2025-01-29 12:25:32,021 [cuckoo.core.guest] INFO: win7x6411: analysis completed successfully
2025-01-29 12:25:32,039 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-01-29 12:25:32,062 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-01-29 12:25:33,052 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6411 to path /srv/cuckoo/cwd/storage/analyses/5848328/memory.dmp
2025-01-29 12:25:33,053 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6411
2025-01-29 12:27:47,905 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.211 for task #5848328
2025-01-29 12:27:48,460 [cuckoo.core.scheduler] DEBUG: Released database task #5848328
2025-01-29 12:27:48,615 [cuckoo.core.scheduler] INFO: Task #5848328: analysis procedure completed

Signatures

Yara rule detected for file (1 event)
rule: suspicious_packer_section
description: The packer/protector section names/keywords
Allocates read-write-execute memory (usually to unpack itself) (48 events)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 536875008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01a80000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 1622016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x21a90000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 1695744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x21c20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 1650688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 57344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00411000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00414000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00415000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 1560576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00416000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 536875008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ce0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 1622016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x21cf0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 1695744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x21e80000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 1650688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 57344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00411000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00414000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00415000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 1560576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00416000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 1650688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 1581056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00409000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 1523712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0057e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00580000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00581000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 1523712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x23850000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 1581056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x239d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 1556480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 1228800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 86016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00543000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00567000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00569000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00575000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section: .reltc
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
InternalLcidToName+0xbec GetCalendar-0x66 kernelbase+0x202a9 @ 0x75eb02a9
GetCalendar+0x624 GetNamedLocaleHashNode-0x158 kernelbase+0x20933 @ 0x75eb0933
GetNamedLocaleHashNode+0x56 GetCPHashNode-0x246 kernelbase+0x20ae1 @ 0x75eb0ae1
OpenRegKey+0xa2e GetNLSVersion-0x1b96 kernelbase+0x3492d @ 0x75ec492d
OpenRegKey+0xc45 GetNLSVersion-0x197f kernelbase+0x34b44 @ 0x75ec4b44
NlsValidateLocale+0x10 GetStringTableEntry-0x1e kernelbase+0x23f75 @ 0x75eb3f75
InternalLcidToName+0x13 GetCalendar-0xc3f kernelbase+0x1f6d0 @ 0x75eaf6d0
CompareStringW+0xf FindNLSString-0x32 kernelbase+0x22ea2 @ 0x75eb2ea2
CompareStringA+0x13d GetLocaleInfoA-0x88 kernelbase+0x21715 @ 0x75eb1715
lstrcmp+0x24 lstrcmpi-0x66 kernelbase+0xac29 @ 0x75e9ac29
WSAGetOverlappedResult+0x9c1 WahCreateHandleContextTable-0x1b ws2_32+0x7e4a @ 0x75ef7e4a
WahOpenApcHelper+0x8a4 gethostname-0x1334 ws2_32+0x8d27 @ 0x75ef8d27
WahOpenApcHelper+0x847 gethostname-0x1391 ws2_32+0x8cca @ 0x75ef8cca
New_ws2_32_WSAStartup@8+0xcb New_ws2_32_accept@12-0x64 @ 0x7332bd03
MHD_is_feature_supported+0x44 MHD_http_unescape-0x13c 4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133+0x861f4 @ 0x4861f4
0x239d8749
0x239d87b0
MHD_get_connection_values-0x7a846 4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133+0x15fa @ 0x4015fa

exception.instruction_r: 39 17 74 26 8b cf 8b 7f 24 85 ff 75 f3 83 66 24
exception.symbol: CheckTokenMembership+0xd1d InternalLcidToName-0x27a kernelbase+0x1f443
exception.instruction: cmp dword ptr [edi], edx
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000005
exception.offset: 128067
exception.address: 0x75eaf443
registers.esp: 27783256
registers.edi: 1144341829
registers.eax: 4
registers.ebp: 27783268
registers.edx: 1033
registers.ebx: 0
registers.esi: 30247704
registers.ecx: 1144341829
1 0 0

__exception__

stacktrace:
RtlKnownExceptionFilter+0xb7 EtwEventWriteNoRegistration-0x49 ntdll+0x774ff @ 0x777974ff
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77759f45

exception.instruction_r: f3 ab 8b 44 24 20 3b 45 0c 0f 8f 4e 30 00 00 8b
exception.symbol: MHD_get_connection_values-0x74680 4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133+0x77c0
exception.instruction: stosd dword ptr es:[edi], eax
exception.module: 4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
exception.exception_code: 0xc0000005
exception.offset: 30656
exception.address: 0x4077c0
registers.esp: 27781280
registers.edi: 4803456
registers.eax: 4224960
registers.ebp: 27781412
registers.edx: 0
registers.ebx: 27781460
registers.esi: 1974141708
registers.ecx: 1970176780
1 0 0
Creates executable files on the filesystem (1 event)
file: C:\Users\Administrator\AppData\Local\Temp\4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
Drops a binary and executes it (1 event)
file: C:\Users\Administrator\AppData\Local\Temp\4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
Drops an executable to the user AppData folder (2 events)
file: C:\Users\Administrator\AppData\Local\Temp\old_4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
file: C:\Users\Administrator\AppData\Local\Temp\4e128bdcf46eb165_22eead17d837dc8d67d65341308015c0981ae00efed75f092da93a3dca73d133.exe
The executable is compressed using UPX (2 events)
section: UPX0, description: Section name indicates UPX
section: UPX2, description: Section name indicates UPX
File has been identified by 5 AntiVirus engines on IRMA as malicious (5 events)
Avast Core Security (Linux): Win32:Evo-gen [Trj]
C4S ClamAV (Linux): Win.Malware.Genkryptik-10040056-0
ESET Security (Windows): a variant of Win32/GenKryptik.FGBK trojan
ClamAV (Linux): Win.Malware.Genkryptik-10040056-0
Kaspersky Standard (Windows): HEUR:Trojan.Win32.Generic
Screenshots

(no screenshots rendered in this export)

DNS (Name, Response, Post-Analysis Lookup)

No hosts contacted.

Hosts (IP Address, Status, Action, VT, Location)

No hosts contacted.