File 54b8bd60fc3eabf4_grcopy.dll

Size 75.6KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 b1bda0e34fed25cf157b64840cd7a7de
SHA1 4191a8beafd46261e7f393957041d9ac8235f8c9
SHA256 54b8bd60fc3eabf4050f1ea0b0db89f58a06b7f00efcc72516d0742c25fb1108
SHA512 130250dbceb5487be65b7f5bbf4e0aa7b2e11e85214c494d03783d24626678321921329d703a75bece019144e8d5cfdd941b1f17b294abad3bebf3b703d394c8
CRC32 724787EB
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
  • anti_dbg - Checks if being debugged
  • network_udp_sock - Communications over UDP network
  • network_tcp_listen - Listen for incoming communication
  • network_smtp_raw - Communications smtp
  • network_dropper - File downloader/dropper
  • network_tcp_socket - Communications over RAW socket
  • network_dns - Communications use DNS
  • escalate_priv - Escalade priviledges
  • win_mutex - Create or check mutex

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.


Autosubmit

Parent_Task_ID: 5822691


Information on Execution

Analysis
Category: FILE
Started: Jan. 29, 2025, 12:32 p.m.
Completed: Jan. 29, 2025, 12:37 p.m.
Duration: 294 seconds
Routing: internet

Analyzer Log

2025-01-25 08:13:43,015 [analyzer] DEBUG: Starting analyzer from: C:\tmp564etj
2025-01-25 08:13:43,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\jZlwurkkzpMzVhQFVoQmM
2025-01-25 08:13:43,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\kZsIAzRBLfuRelVFOdu
2025-01-25 08:13:43,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-01-25 08:13:43,015 [analyzer] INFO: Automatically selected analysis package "exe"
2025-01-25 08:13:43,250 [analyzer] DEBUG: Started auxiliary module Curtain
2025-01-25 08:13:43,250 [analyzer] DEBUG: Started auxiliary module DbgView
2025-01-25 08:13:43,687 [analyzer] DEBUG: Started auxiliary module Disguise
2025-01-25 08:13:43,921 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-01-25 08:13:43,921 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-01-25 08:13:43,921 [analyzer] DEBUG: Started auxiliary module Human
2025-01-25 08:13:43,921 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-01-25 08:13:43,921 [analyzer] DEBUG: Started auxiliary module Reboot
2025-01-25 08:13:43,967 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-01-25 08:13:43,967 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-01-25 08:13:43,967 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-01-25 08:13:43,967 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-01-25 08:13:44,108 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\54b8bd60fc3eabf4_grcopy.dll' with arguments '' and pid 2104
2025-01-25 08:13:44,312 [analyzer] DEBUG: Loaded monitor into process with pid 2104
2025-01-25 08:13:44,312 [analyzer] INFO: Added new file to list with pid 2104 and path C:\Windows\SysWOW64\ctfmen.exe
2025-01-25 08:13:44,358 [analyzer] INFO: Added new file to list with pid 2104 and path C:\Windows\SysWOW64\shervans.dll
2025-01-25 08:13:44,375 [analyzer] INFO: Added new file to list with pid 2104 and path C:\Windows\SysWOW64\grcopy.dll
2025-01-25 08:13:44,467 [analyzer] INFO: Added new file to list with pid 2104 and path C:\Windows\SysWOW64\satornas.dll
2025-01-25 08:13:48,515 [analyzer] INFO: Injected into process with pid 2644 and name u'ctfmen.exe'
2025-01-25 08:13:48,640 [analyzer] DEBUG: Loaded monitor into process with pid 2644
2025-01-25 08:13:48,687 [analyzer] INFO: Injected into process with pid 2352 and name u'smnss.exe'
2025-01-25 08:13:48,858 [analyzer] DEBUG: Loaded monitor into process with pid 2352
2025-01-25 08:13:48,858 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Windows\SysWOW64\zipfi.dll
2025-01-25 08:13:48,937 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Windows\SysWOW64\zipfiaq.dll
2025-01-25 08:13:49,108 [analyzer] INFO: Process with pid 2104 has terminated
2025-01-25 08:13:50,108 [analyzer] INFO: Process with pid 2644 has terminated
2025-01-25 08:13:58,108 [analyzer] INFO: Process with pid 2352 has terminated
2025-01-25 08:13:58,108 [analyzer] INFO: Process list is empty, terminating analysis.
2025-01-25 08:13:59,467 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-01-25 08:13:59,515 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-01-29 12:32:27,709 [cuckoo.core.scheduler] DEBUG: Task #5848426: no machine available yet
2025-01-29 12:32:28,748 [cuckoo.core.scheduler] DEBUG: Task #5848426: no machine available yet
2025-01-29 12:32:29,794 [cuckoo.core.scheduler] DEBUG: Task #5848426: no machine available yet
2025-01-29 12:32:30,839 [cuckoo.core.scheduler] DEBUG: Task #5848426: no machine available yet
2025-01-29 12:32:31,890 [cuckoo.core.scheduler] DEBUG: Task #5848426: no machine available yet
2025-01-29 12:32:32,927 [cuckoo.core.scheduler] DEBUG: Task #5848426: no machine available yet
2025-01-29 12:32:33,971 [cuckoo.core.scheduler] DEBUG: Task #5848426: no machine available yet
2025-01-29 12:32:35,004 [cuckoo.core.scheduler] DEBUG: Task #5848426: no machine available yet
2025-01-29 12:32:36,037 [cuckoo.core.scheduler] DEBUG: Task #5848426: no machine available yet
2025-01-29 12:32:37,076 [cuckoo.core.scheduler] DEBUG: Task #5848426: no machine available yet
2025-01-29 12:32:38,118 [cuckoo.core.scheduler] DEBUG: Task #5848426: no machine available yet
2025-01-29 12:32:39,195 [cuckoo.core.scheduler] INFO: Task #5848426: acquired machine win7x6419 (label=win7x6419)
2025-01-29 12:32:39,198 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.219 for task #5848426
2025-01-29 12:32:39,548 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1435685 (interface=vboxnet0, host=192.168.168.219)
2025-01-29 12:32:40,095 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6419
2025-01-29 12:32:41,082 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6419 to vmcloak
2025-01-29 12:35:13,507 [cuckoo.core.guest] INFO: Starting analysis #5848426 on guest (id=win7x6419, ip=192.168.168.219)
2025-01-29 12:35:14,526 [cuckoo.core.guest] DEBUG: win7x6419: not ready yet
2025-01-29 12:35:19,545 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6419, ip=192.168.168.219)
2025-01-29 12:35:19,623 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6419, ip=192.168.168.219, monitor=latest, size=6660546)
2025-01-29 12:35:20,837 [cuckoo.core.resultserver] DEBUG: Task #5848426: live log analysis.log initialized.
2025-01-29 12:35:21,702 [cuckoo.core.resultserver] DEBUG: Task #5848426 is sending a BSON stream
2025-01-29 12:35:22,077 [cuckoo.core.resultserver] DEBUG: Task #5848426 is sending a BSON stream
2025-01-29 12:35:22,944 [cuckoo.core.resultserver] DEBUG: Task #5848426: File upload for 'shots/0001.jpg'
2025-01-29 12:35:23,060 [cuckoo.core.resultserver] DEBUG: Task #5848426 uploaded file length: 133558
2025-01-29 12:35:26,421 [cuckoo.core.resultserver] DEBUG: Task #5848426 is sending a BSON stream
2025-01-29 12:35:26,624 [cuckoo.core.resultserver] DEBUG: Task #5848426 is sending a BSON stream
2025-01-29 12:35:35,545 [cuckoo.core.guest] DEBUG: win7x6419: analysis #5848426 still processing
2025-01-29 12:35:37,080 [cuckoo.core.resultserver] DEBUG: Task #5848426: File upload for 'curtain/1737789239.23.curtain.log'
2025-01-29 12:35:37,085 [cuckoo.core.resultserver] DEBUG: Task #5848426 uploaded file length: 36
2025-01-29 12:35:37,293 [cuckoo.core.resultserver] DEBUG: Task #5848426: File upload for 'sysmon/1737789239.44.sysmon.xml'
2025-01-29 12:35:37,320 [cuckoo.core.resultserver] DEBUG: Task #5848426 uploaded file length: 1202218
2025-01-29 12:35:37,326 [cuckoo.core.resultserver] DEBUG: Task #5848426: File upload for 'files/16ab28b7473143f3_grcopy.dll'
2025-01-29 12:35:37,330 [cuckoo.core.resultserver] DEBUG: Task #5848426 uploaded file length: 77445
2025-01-29 12:35:37,333 [cuckoo.core.resultserver] DEBUG: Task #5848426: File upload for 'files/5eecfd7737c1e1f1_zipfi.dll'
2025-01-29 12:35:37,336 [cuckoo.core.resultserver] DEBUG: Task #5848426 uploaded file length: 77563
2025-01-29 12:35:37,338 [cuckoo.core.resultserver] DEBUG: Task #5848426: File upload for 'files/131c257a6a7b94b6_ctfmen.exe'
2025-01-29 12:35:37,339 [cuckoo.core.resultserver] DEBUG: Task #5848426 uploaded file length: 4160
2025-01-29 12:35:37,342 [cuckoo.core.resultserver] DEBUG: Task #5848426: File upload for 'files/04bad2096ca291a7_zipfiaq.dll'
2025-01-29 12:35:37,344 [cuckoo.core.resultserver] DEBUG: Task #5848426 uploaded file length: 77559
2025-01-29 12:35:37,346 [cuckoo.core.resultserver] DEBUG: Task #5848426: File upload for 'files/51ce24a0526cff50_satornas.dll'
2025-01-29 12:35:37,348 [cuckoo.core.resultserver] DEBUG: Task #5848426 uploaded file length: 183
2025-01-29 12:35:37,359 [cuckoo.core.resultserver] DEBUG: Task #5848426: File upload for 'files/8732e94375ed8d98_shervans.dll'
2025-01-29 12:35:37,361 [cuckoo.core.resultserver] DEBUG: Task #5848426 uploaded file length: 8704
2025-01-29 12:35:37,381 [cuckoo.core.resultserver] DEBUG: Task #5848426 had connection reset for <Context for LOG>
2025-01-29 12:35:38,665 [cuckoo.core.guest] INFO: win7x6419: analysis completed successfully
2025-01-29 12:35:38,678 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-01-29 12:35:38,773 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-01-29 12:35:40,229 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6419 to path /srv/cuckoo/cwd/storage/analyses/5848426/memory.dmp
2025-01-29 12:35:40,232 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6419
2025-01-29 12:37:21,115 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.219 for task #5848426
2025-01-29 12:37:21,618 [cuckoo.core.scheduler] DEBUG: Released database task #5848426
2025-01-29 12:37:21,638 [cuckoo.core.scheduler] INFO: Task #5848426: analysis procedure completed

Signatures

Yara rules detected for file (10 events)
description Possibly employs anti-virtualization techniques rule vmdetect
description Checks if being debugged rule anti_dbg
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications smtp rule network_smtp_raw
description File downloader/dropper rule network_dropper
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Escalade priviledges rule escalate_priv
description Create or check mutex rule win_mutex
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
IsDebuggerPresent (no arguments) 0 0
IsDebuggerPresent (no arguments) 0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)
section 69y3oxjt
section 69k0eiyk
section 701ftags
section
The executable uses a known packer (1 event)
packer MinGW GCC 3.x
One or more processes crashed (9 events)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x777735b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x777734a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7563537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x751e33aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77779f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77779f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x777732b0
registers.esp: 67762368
registers.edi: 8781824
registers.eax: 1048576
registers.ebp: 67762408
registers.edx: 2047
registers.ebx: 3808776
registers.esi: 3597520
registers.ecx: 1
Status: 1 | Return: 0 | Repeated: 0

__exception__

stacktrace:
RtlImageNtHeader+0xac6 RtlDeleteCriticalSection-0x9cb ntdll+0x33c5a @ 0x77773c5a
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cfe @ 0x77773cfe
DnsApiFree+0x4a DnsApiAlloc-0x2e dnsapi+0x3195 @ 0x74883195
DnsApiFree+0x22 DnsApiAlloc-0x56 dnsapi+0x316d @ 0x7488316d
WSPStartup-0x36b4 mswsock+0x53f7 @ 0x736c53f7
WSPStartup-0x3730 mswsock+0x537b @ 0x736c537b
WSPStartup-0x386f mswsock+0x523c @ 0x736c523c
WSALookupServiceBeginW+0x257 WSAEventSelect-0xade ws2_32+0x59b1 @ 0x75ed59b1
WSALookupServiceBeginW+0x233 WSAEventSelect-0xb02 ws2_32+0x598d @ 0x75ed598d
WSALookupServiceBeginW+0x1c2 WSAEventSelect-0xb73 ws2_32+0x591c @ 0x75ed591c
WSALookupServiceBeginW+0x72 WSAEventSelect-0xcc3 ws2_32+0x57cc @ 0x75ed57cc
WSALookupServiceBeginA+0x74 WahCloseApcHelper-0x3b1 ws2_32+0xa6b6 @ 0x75eda6b6
gethostname+0x1bd WSALookupServiceNextA-0x63 ws2_32+0xa218 @ 0x75eda218
gethostbyname+0xe7 WSCInstallProviderAndChains-0x1039 ws2_32+0x1775a @ 0x75ee775a
New_ws2_32_gethostbyname@4+0xab New_ws2_32_getsockname@12-0x63 @ 0x7406c3e3
smnss+0x6326 @ 0x406326
smnss+0x600e @ 0x40600e
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x751e33aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77779f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77779f45

exception.instruction_r: 8b 49 04 89 55 ec 8b 12 3b d1 0f 85 fa 25 03 00
exception.symbol: RtlCleanUpTEBLangLists+0x9a RtlGetLastWin32Error-0x3a3 ntdll+0x58118
exception.instruction: mov ecx, dword ptr [ecx + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 360728
exception.address: 0x77798118
registers.esp: 67759824
registers.edi: 3808728
registers.eax: 3808784
registers.ebp: 67759860
registers.edx: 3808864
registers.ebx: 3801088
registers.esi: 3808776
registers.ecx: 0
Status: 1 | Return: 0 | Repeated: 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x777735b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x777734a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7563537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x751e33aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77779f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77779f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x777732b0
registers.esp: 67762368
registers.edi: 8781824
registers.eax: 1048576
registers.ebp: 67762408
registers.edx: 2047
registers.ebx: 3809176
registers.esi: 3598016
registers.ecx: 1
Status: 1 | Return: 0 | Repeated: 0

__exception__

stacktrace:
RtlImageNtHeader+0xac6 RtlDeleteCriticalSection-0x9cb ntdll+0x33c5a @ 0x77773c5a
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cfe @ 0x77773cfe
DnsApiFree+0x4a DnsApiAlloc-0x2e dnsapi+0x3195 @ 0x74883195
DnsApiFree+0x22 DnsApiAlloc-0x56 dnsapi+0x316d @ 0x7488316d
WSPStartup-0x36b4 mswsock+0x53f7 @ 0x736c53f7
WSPStartup-0x3730 mswsock+0x537b @ 0x736c537b
WSPStartup-0x386f mswsock+0x523c @ 0x736c523c
WSALookupServiceBeginW+0x257 WSAEventSelect-0xade ws2_32+0x59b1 @ 0x75ed59b1
WSALookupServiceBeginW+0x233 WSAEventSelect-0xb02 ws2_32+0x598d @ 0x75ed598d
WSALookupServiceBeginW+0x1c2 WSAEventSelect-0xb73 ws2_32+0x591c @ 0x75ed591c
WSALookupServiceBeginW+0x72 WSAEventSelect-0xcc3 ws2_32+0x57cc @ 0x75ed57cc
WSALookupServiceBeginA+0x74 WahCloseApcHelper-0x3b1 ws2_32+0xa6b6 @ 0x75eda6b6
gethostname+0x1bd WSALookupServiceNextA-0x63 ws2_32+0xa218 @ 0x75eda218
gethostbyname+0xe7 WSCInstallProviderAndChains-0x1039 ws2_32+0x1775a @ 0x75ee775a
New_ws2_32_gethostbyname@4+0xab New_ws2_32_getsockname@12-0x63 @ 0x7406c3e3
smnss+0x6326 @ 0x406326
smnss+0x600e @ 0x40600e
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x751e33aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77779f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77779f45

exception.instruction_r: 8b 49 04 89 55 ec 8b 12 3b d1 0f 85 fa 25 03 00
exception.symbol: RtlCleanUpTEBLangLists+0x9a RtlGetLastWin32Error-0x3a3 ntdll+0x58118
exception.instruction: mov ecx, dword ptr [ecx + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 360728
exception.address: 0x77798118
registers.esp: 67759824
registers.edi: 3809096
registers.eax: 3809184
registers.ebp: 67759860
registers.edx: 3809296
registers.ebx: 3801088
registers.esi: 3809176
registers.ecx: 0
Status: 1 | Return: 0 | Repeated: 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x777735b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x777734a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7563537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x751e33aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77779f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77779f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x777732b0
registers.esp: 67762368
registers.edi: 8781824
registers.eax: 1048576
registers.ebp: 67762408
registers.edx: 2047
registers.ebx: 3810600
registers.esi: 3598384
registers.ecx: 1
Status: 1 | Return: 0 | Repeated: 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x777735b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x777734a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7563537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x751e33aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77779f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77779f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x777732b0
registers.esp: 69859520
registers.edi: 8781824
registers.eax: 1048576
registers.ebp: 69859560
registers.edx: 2047
registers.ebx: 3812472
registers.esi: 3600256
registers.ecx: 1
Status: 1 | Return: 0 | Repeated: 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x777735b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x777734a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7563537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x751e33aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77779f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77779f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x777732b0
registers.esp: 71956672
registers.edi: 8781824
registers.eax: 1048576
registers.ebp: 71956712
registers.edx: 2047
registers.ebx: 3803896
registers.esi: 3592096
registers.ecx: 1
Status: 1 | Return: 0 | Repeated: 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x777735b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x777734a2
GlobalFree+0x27 HeapCreate-0x11f kernelbase+0x1537d @ 0x7563537d
smnss+0x6187 @ 0x406187
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x751e33aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77779f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77779f45

exception.instruction_r: 32 4e 02 f6 c1 01 0f 84 f5 10 00 00 83 7f 4c 00
exception.symbol: RtlImageNtHeader+0x11c RtlDeleteCriticalSection-0x1375 ntdll+0x332b0
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209584
exception.address: 0x777732b0
registers.esp: 74053824
registers.edi: 8781824
registers.eax: 1048576
registers.ebp: 74053864
registers.edx: 2047
registers.ebx: 3813256
registers.esi: 3601856
registers.ecx: 1
Status: 1 | Return: 0 | Repeated: 0

__exception__

stacktrace:
RtlImageNtHeader+0x423 RtlDeleteCriticalSection-0x106e ntdll+0x335b7 @ 0x777735b7
RtlImageNtHeader+0x30e RtlDeleteCriticalSection-0x1183 ntdll+0x334a2 @ 0x777734a2
DnsLogIt+0x1e4 DnsApiFree-0x10 dnsapi+0x313b @ 0x7488313b
DnsLogIt+0x1bc DnsApiFree-0x38 dnsapi+0x3113 @ 0x74883113
Local_GetRecordsForLocalNameEx+0xc7e DnsQuery_UTF8-0x1d5 dnsapi+0x7efd @ 0x74887efd
DnsQuery_A+0x20 DnsQueryExA-0x9 dnsapi+0x2a9dc @ 0x748aa9dc
New_dnsapi_DnsQuery_A@24+0x130 New_dnsapi_DnsQuery_UTF8@24-0x72 @ 0x7405639e
smnss+0x60ec @ 0x4060ec
smnss+0x5fac @ 0x405fac
smnss+0x2f1d @ 0x402f1d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x751e33aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77779f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77779f45

exception.instruction_r: 8b 49 04 89 55 f4 8b 12 3b d1 0f 85 19 54 00 00
exception.symbol: RtlImageNtHeader+0x19b RtlDeleteCriticalSection-0x12f6 ntdll+0x3332f
exception.instruction: mov ecx, dword ptr [ecx + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 209711
exception.address: 0x7777332f
registers.esp: 76150816
registers.edi: 3801088
registers.eax: 3813264
registers.ebp: 76150856
registers.edx: 3818456
registers.ebx: 3813208
registers.esi: 3813256
registers.ecx: 0
Status: 1 | Return: 0 | Repeated: 0
Creates executable files on the filesystem (6 events)
file C:\Windows\System32\zipfi.dll
file C:\Windows\System32\shervans.dll
file C:\Windows\System32\satornas.dll
file C:\Windows\System32\ctfmen.exe
file C:\Windows\System32\grcopy.dll
file C:\Windows\System32\zipfiaq.dll
Creates hidden or system file (1 event)
Time & API Arguments Status Return Repeated
SetFileAttributesW
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Windows\system32\satornas.dll
filepath: C:\Windows\System32\satornas.dll
Status: 1 | Return: 1 | Repeated: 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
section 701ftags (virtual_address 0x0000e000, virtual_size 0x0000556c, size_of_data 0x00005600, entropy 7.662503336196652) entropy 7.6625033362 description A section with a high entropy has been found
entropy 0.288590604027 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
LookupPrivilegeValueW
system_name: (empty)
privilege_name: SeDebugPrivilege
Status: 1 | Return: 1 | Repeated: 0
Detects virtualization software with SCSI Disk Identifier trick(s) (2 events)
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1
Installs itself for autorun at Windows startup (2 events)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen reg_value C:\Windows\system32\ctfmen.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen reg_value C:\Windows\system32\ctfmen.exe
File has been identified by 13 AntiVirus engines on IRMA as malicious (13 events)
G Data Antivirus (Windows) Virus: Dropped:Generic.Mydoom.5713DF4B (Engine A)
Avast Core Security (Linux) Win32:Mydoom-BJ [Wrm]
C4S ClamAV (Linux) Win.Malware.Generickdz-9918324-0
F-Secure Antivirus (Linux) Trojan.TR/Downloader.Gen [Aquarius]
Sophos Anti-Virus (Linux) Mal/Behav-104
eScan Antivirus (Linux) Dropped:Generic.Mydoom.5713DF4B(DB)
ESET Security (Windows) a variant of Win32/Agent.NHB worm
McAfee CLI scanner (Linux) Trojan-FRMT
DrWeb Antivirus (Linux) Trojan.DownLoader8.56532
ClamAV (Linux) Win.Malware.Generickdz-9918324-0
Bitdefender Antivirus (Linux) Dropped:Generic.Mydoom.5713DF4B
Kaspersky Standard (Windows) Trojan.Win32.Small.acli
Emsisoft Commandline Scanner (Windows) Dropped:Generic.Mydoom.5713DF4B (B)
Screenshots
DNS requests (Name / Response / Post-Analysis Lookup): No hosts contacted.
Hosts (IP Address / Status / Action / VT / Location): No hosts contacted.