Cuckoo Sandbox

File 4180cb51d0627ec86a36cfe1d8abafa22c4c3a5d0a8eccf26d1303e19fb8bd01

Summary
Download Resubmit sample

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ddcce96a9a77ce9f283a85e2519a6ed8`
SHA1	`f21646ed889e1131aefb98fbe6d25af18aac2253`
SHA256	`4180cb51d0627ec86a36cfe1d8abafa22c4c3a5d0a8eccf26d1303e19fb8bd01`
SHA512	`f3a6c3f1ffa435761023da8b28ae72bacee70e3cc1407645457b9d3073096043645de3d55915c54a801369464c8ca958e0a3903c86aaa5fdf09fa42abd4ebbf4`
CRC32	`1B9FE5E0`
ssdeep	`None`
Yara	disable_dep - Bypass DEP escalate_priv - Escalade priviledges win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	April 22, 2025, 10:53 a.m.	April 22, 2025, 10:58 a.m.	274 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2025-04-21 00:47:34,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpt1gcja
2025-04-21 00:47:34,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\TpWpMKbSvoVkpObWDMzGNWPpbGkTYF
2025-04-21 00:47:34,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\CPIGaERAxcLUlkIRDD
2025-04-21 00:47:34,312 [analyzer] DEBUG: Started auxiliary module Curtain
2025-04-21 00:47:34,312 [analyzer] DEBUG: Started auxiliary module DbgView
2025-04-21 00:47:34,828 [analyzer] DEBUG: Started auxiliary module Disguise
2025-04-21 00:47:35,046 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-04-21 00:47:35,046 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-04-21 00:47:35,046 [analyzer] DEBUG: Started auxiliary module Human
2025-04-21 00:47:35,046 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-04-21 00:47:35,046 [analyzer] DEBUG: Started auxiliary module Reboot
2025-04-21 00:47:35,092 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-04-21 00:47:35,092 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-04-21 00:47:35,092 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-04-21 00:47:35,092 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-04-21 00:47:35,312 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4180cb51d0627ec86a36cfe1d8abafa22c4c3a5d0a8eccf26d1303e19fb8bd01.exe' with arguments '' and pid 2152
2025-04-21 00:47:35,500 [analyzer] DEBUG: Loaded monitor into process with pid 2152
2025-04-21 00:47:35,796 [analyzer] INFO: Added new file to list with pid 2152 and path C:\Users\Administrator\AppData\Local\Temp\is-OAAHO.tmp\4180cb51d0627ec86a36cfe1d8abafa22c4c3a5d0a8eccf26d1303e19fb8bd01.tmp
2025-04-21 00:47:35,953 [analyzer] INFO: Injected into process with pid 1352 and name ''
2025-04-21 00:47:36,203 [analyzer] DEBUG: Loaded monitor into process with pid 1352
2025-04-21 00:47:36,328 [analyzer] INFO: Added new file to list with pid 1352 and path C:\Users\Administrator\AppData\Local\Temp\is-V6QBE.tmp\_isetup\_setup64.tmp
2025-04-21 00:47:36,375 [analyzer] INFO: Added new file to list with pid 1352 and path C:\Users\Administrator\AppData\Local\Temp\is-V6QBE.tmp\idp.dll
2025-04-21 00:48:04,328 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-04-21 00:48:05,000 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-04-21 00:48:05,000 [lib.api.process] INFO: Successfully terminated process with pid 2152.
2025-04-21 00:48:05,000 [lib.api.process] INFO: Successfully terminated process with pid 1352.
2025-04-21 00:48:05,092 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-04-22 10:53:27,435 [cuckoo.core.scheduler] INFO: Task #6318886: acquired machine win7x642 (label=win7x642)
2025-04-22 10:53:27,436 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.202 for task #6318886
2025-04-22 10:53:27,844 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2021034 (interface=vboxnet0, host=192.168.168.202)
2025-04-22 10:53:30,732 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x642
2025-04-22 10:53:31,335 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x642 to vmcloak
2025-04-22 10:55:12,295 [cuckoo.core.guest] INFO: Starting analysis #6318886 on guest (id=win7x642, ip=192.168.168.202)
2025-04-22 10:55:13,303 [cuckoo.core.guest] DEBUG: win7x642: not ready yet
2025-04-22 10:55:18,468 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x642, ip=192.168.168.202)
2025-04-22 10:55:18,608 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x642, ip=192.168.168.202, monitor=latest, size=6660546)
2025-04-22 10:55:20,221 [cuckoo.core.resultserver] DEBUG: Task #6318886: live log analysis.log initialized.
2025-04-22 10:55:21,187 [cuckoo.core.resultserver] DEBUG: Task #6318886 is sending a BSON stream
2025-04-22 10:55:21,624 [cuckoo.core.resultserver] DEBUG: Task #6318886 is sending a BSON stream
2025-04-22 10:55:22,265 [cuckoo.core.resultserver] DEBUG: Task #6318886 is sending a BSON stream
2025-04-22 10:55:22,423 [cuckoo.core.resultserver] DEBUG: Task #6318886: File upload for 'shots/0001.jpg'
2025-04-22 10:55:22,449 [cuckoo.core.resultserver] DEBUG: Task #6318886 uploaded file length: 133596
2025-04-22 10:55:23,537 [cuckoo.core.resultserver] DEBUG: Task #6318886: File upload for 'shots/0002.jpg'
2025-04-22 10:55:23,549 [cuckoo.core.resultserver] DEBUG: Task #6318886 uploaded file length: 135808
2025-04-22 10:55:35,048 [cuckoo.core.guest] DEBUG: win7x642: analysis #6318886 still processing
2025-04-22 10:55:50,140 [cuckoo.core.guest] DEBUG: win7x642: analysis #6318886 still processing
2025-04-22 10:55:50,802 [cuckoo.core.resultserver] DEBUG: Task #6318886: File upload for 'curtain/1745189284.59.curtain.log'
2025-04-22 10:55:50,805 [cuckoo.core.resultserver] DEBUG: Task #6318886 uploaded file length: 36
2025-04-22 10:55:51,176 [cuckoo.core.resultserver] DEBUG: Task #6318886: File upload for 'sysmon/1745189284.81.sysmon.xml'
2025-04-22 10:55:51,208 [cuckoo.core.resultserver] DEBUG: Task #6318886 uploaded file length: 1602280
2025-04-22 10:55:51,224 [cuckoo.core.resultserver] DEBUG: Task #6318886: File upload for 'files/54e7e0ad32a22b77_idp.dll'
2025-04-22 10:55:51,231 [cuckoo.core.resultserver] DEBUG: Task #6318886 uploaded file length: 237568
2025-04-22 10:55:51,257 [cuckoo.core.resultserver] DEBUG: Task #6318886: File upload for 'files/11ce5c94d5a5702b_4180cb51d0627ec86a36cfe1d8abafa22c4c3a5d0a8eccf26d1303e19fb8bd01.tmp'
2025-04-22 10:55:51,295 [cuckoo.core.resultserver] DEBUG: Task #6318886 uploaded file length: 3518976
2025-04-22 10:55:51,309 [cuckoo.core.resultserver] DEBUG: Task #6318886: File upload for 'files/388a796580234efc__setup64.tmp'
2025-04-22 10:55:51,312 [cuckoo.core.resultserver] DEBUG: Task #6318886 uploaded file length: 6144
2025-04-22 10:55:51,422 [cuckoo.core.resultserver] DEBUG: Task #6318886: File upload for 'shots/0003.jpg'
2025-04-22 10:55:51,440 [cuckoo.core.resultserver] DEBUG: Task #6318886 uploaded file length: 134023
2025-04-22 10:55:51,457 [cuckoo.core.resultserver] DEBUG: Task #6318886 had connection reset for <Context for LOG>
2025-04-22 10:55:53,157 [cuckoo.core.guest] INFO: win7x642: analysis completed successfully
2025-04-22 10:55:53,171 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-04-22 10:55:53,201 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-04-22 10:55:54,568 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x642 to path /srv/cuckoo/cwd/storage/analyses/6318886/memory.dmp
2025-04-22 10:55:54,570 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x642
2025-04-22 10:57:59,903 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.202 for task #6318886
2025-04-22 10:58:01,267 [cuckoo.core.scheduler] DEBUG: Released database task #6318886
2025-04-22 10:58:01,310 [cuckoo.core.scheduler] INFO: Task #6318886: analysis procedure completed

Signatures

Yara rules detected for file (5 events)

description	Bypass DEP	rule	disable_dep
description	Escalade priviledges	rule	escalate_priv
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 21, 2025, 1:47 a.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 1:47 a.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 688128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 1:47 a.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d67000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 1:47 a.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 147456 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d69000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 1:47 a.m.	process_identifier: 1352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 21, 2025, 1:47 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 21, 2025, 1:47 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

Creates executable files on the filesystem (1 event)

file	C:\Users\Administrator\AppData\Local\Temp\is-V6QBE.tmp\idp.dll

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW April 21, 2025, 1:47 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\key-generator-dlya-easeus-mobiunlock.exe_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\key-generator-dlya-easeus-mobiunlock.exe_is1		2	0

Detects the presence of Wine emulator (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress April 21, 2025, 1:47 a.m.	ordinal: 0 function_address: 0x00cbf7a8 function_name: wine_get_version module: ntdll module_address: 0x77a40000		3221225785	0
LdrGetProcedureAddress April 21, 2025, 1:47 a.m.	ordinal: 0 function_address: 0x011517dc function_name: wine_get_version module: ntdll module_address: 0x77a40000		3221225785	0

File has been identified by 6 AntiVirus engine on IRMA as malicious (6 events)

Avast Core Security (Linux)	FileRepMalware [Misc]
WithSecure (Linux)	Trojan.TR/AVI.Agent.ybmmu
ESET Security (Windows)	a variant of Win32/TrojanDownloader.Agent.HIO trojan
Sophos Anti-Virus (Linux)	Mal/Generic-S
DrWeb Antivirus (Linux)	Trojan.DownLoad4.17531
Kaspersky Standard (Windows)	HEUR:Trojan-Downloader.Win32.OffLoader.gen

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Bkav	W32.AIDetectMalware
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (D)
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.HIO
APEX	Malicious
Kaspersky	HEUR:Trojan-Downloader.Win32.OffLoader.gen
Alibaba	TrojanDownloader:Win32/OffLoader.3ba05686
Rising	Downloader.Agent/IFPS!1.12740 (CLASSIC)
DrWeb	Trojan.DownLoad4.17531
McAfeeD	ti!4180CB51D062
Sophos	Mal/Generic-S
Google	Detected
Microsoft	Trojan:Win32/Wacatac.B!ml
DeepInstinct	MALICIOUS
Tencent	Trojan-DL.Win32.Agent.cp
huorong	HEUR:TrojanDownloader/Agent.dd
Fortinet	W32/DBadur.A!tr.dldr
alibabacloud	Trojan[downloader]:Win/Wacapew.C9nj

Screenshots

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action	VT	Location
No hosts contacted.

Browser recommendation

File 4180cb51d0627ec86a36cfe1d8abafa22c4c3a5d0a8eccf26d1303e19fb8bd01

Summary Download Resubmit sample

Score

Feedback

Information on Execution

Analyzer Log

Cuckoo Log

Signatures

Feedback

Summary
Download Resubmit sample