Cuckoo Sandbox

File f962fbd1d3802685ac9a074d0435b320e867faba8b41af6645ae031e97542fc8

Summary
Download Resubmit sample Download yara

Size	137.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`69f92a3a82f86c29e4229ca47c51d388`
SHA1	`648098882ed8d706129a370f4e5c613b890f9f95`
SHA256	`f962fbd1d3802685ac9a074d0435b320e867faba8b41af6645ae031e97542fc8`
SHA512	`b1533488936e65c5ecabab98a17fa412a47caa11de6f0e3bc9a4c26b8b0bcae3af7609c860434ac9ce3678d5fb52eeb137495aa5b885536bef7afede0da57998`
CRC32	`A58EF476`
ssdeep	`None`
Yara	create_service - Create a windows service escalate_priv - Escalade priviledges keylogger - Run a keylogger win_mutex - Create or check mutex win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	April 22, 2025, 11:06 a.m.	April 22, 2025, 11:11 a.m.	315 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2025-04-21 01:24:02,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpsgyfoe
2025-04-21 01:24:02,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\avvNTwBwMFaTvYfWZQdNxCxYOXRrm
2025-04-21 01:24:02,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\ijYaFoqmCinCLnAUuXWNjDkV
2025-04-21 01:24:02,375 [analyzer] DEBUG: Started auxiliary module Curtain
2025-04-21 01:24:02,375 [analyzer] DEBUG: Started auxiliary module DbgView
2025-04-21 01:24:02,842 [analyzer] DEBUG: Started auxiliary module Disguise
2025-04-21 01:24:03,046 [analyzer] DEBUG: Loaded monitor into process with pid 516
2025-04-21 01:24:03,046 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-04-21 01:24:03,046 [analyzer] DEBUG: Started auxiliary module Human
2025-04-21 01:24:03,046 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-04-21 01:24:03,046 [analyzer] DEBUG: Started auxiliary module Reboot
2025-04-21 01:24:03,140 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-04-21 01:24:03,155 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-04-21 01:24:03,155 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-04-21 01:24:03,155 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-04-21 01:24:03,233 [lib.api.process] INFO: Successfully executed process from path 'C:\\Windows\\System32\\rundll32.exe' with arguments [u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\f962fbd1d3802685ac9a074d0435b320e867faba8b41af6645ae031e97542fc8.dll,DllMain'] and pid 2984
2025-04-21 01:24:03,453 [analyzer] DEBUG: Loaded monitor into process with pid 2984
2025-04-21 01:24:03,655 [analyzer] INFO: Injected into process with pid 2664 and name u'rundll32.exe'
2025-04-21 01:24:03,890 [analyzer] DEBUG: Loaded monitor into process with pid 2664
2025-04-21 01:24:04,000 [analyzer] INFO: Added new file to list with pid 2664 and path C:\Windows\AppPatch\ComBack.Dll
2025-04-21 01:24:04,000 [analyzer] INFO: Added new file to list with pid 2664 and path C:\Windows\SysWOW64\com\comb.dll
2025-04-21 01:24:05,062 [analyzer] INFO: Added new file to list with pid 2664 and path C:\Windows\SysWOW64\Miscson.dll
2025-04-21 01:24:05,092 [analyzer] INFO: Added new file to list with pid 2664 and path C:\Windows\SysWOW64\scsimon.dll
2025-04-21 01:24:07,671 [analyzer] INFO: Added new file to list with pid 2664 and path C:\Windows\AppPatch\AcSvcst.dll
2025-04-21 01:24:07,750 [analyzer] INFO: Injected into process with pid 1376 and name u'svchost.exe'
2025-04-21 01:24:07,842 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 1376.
2025-04-21 01:24:07,983 [analyzer] DEBUG: Loaded monitor into process with pid 1376
2025-04-21 01:24:10,296 [analyzer] INFO: Process with pid 1376 has terminated
2025-04-21 01:24:32,296 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-04-21 01:24:32,717 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-04-21 01:24:32,717 [lib.api.process] INFO: Successfully terminated process with pid 2984.
2025-04-21 01:24:32,717 [lib.api.process] INFO: Successfully terminated process with pid 2664.
2025-04-21 01:24:32,765 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-04-22 11:06:33,438 [cuckoo.core.scheduler] INFO: Task #6318960: acquired machine win7x6413 (label=win7x6413)
2025-04-22 11:06:33,439 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.213 for task #6318960
2025-04-22 11:06:33,861 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2037708 (interface=vboxnet0, host=192.168.168.213)
2025-04-22 11:06:34,566 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6413
2025-04-22 11:06:35,239 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6413 to vmcloak
2025-04-22 11:08:43,039 [cuckoo.core.guest] INFO: Starting analysis #6318960 on guest (id=win7x6413, ip=192.168.168.213)
2025-04-22 11:08:44,044 [cuckoo.core.guest] DEBUG: win7x6413: not ready yet
2025-04-22 11:08:49,069 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6413, ip=192.168.168.213)
2025-04-22 11:08:49,140 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6413, ip=192.168.168.213, monitor=latest, size=6660546)
2025-04-22 11:08:50,616 [cuckoo.core.resultserver] DEBUG: Task #6318960: live log analysis.log initialized.
2025-04-22 11:08:51,616 [cuckoo.core.resultserver] DEBUG: Task #6318960 is sending a BSON stream
2025-04-22 11:08:51,944 [cuckoo.core.resultserver] DEBUG: Task #6318960 is sending a BSON stream
2025-04-22 11:08:52,443 [cuckoo.core.resultserver] DEBUG: Task #6318960 is sending a BSON stream
2025-04-22 11:08:52,947 [cuckoo.core.resultserver] DEBUG: Task #6318960: File upload for 'shots/0001.jpg'
2025-04-22 11:08:53,026 [cuckoo.core.resultserver] DEBUG: Task #6318960 uploaded file length: 136061
2025-04-22 11:08:56,574 [cuckoo.core.resultserver] DEBUG: Task #6318960 is sending a BSON stream
2025-04-22 11:09:05,290 [cuckoo.core.guest] DEBUG: win7x6413: analysis #6318960 still processing
2025-04-22 11:09:20,568 [cuckoo.core.guest] DEBUG: win7x6413: analysis #6318960 still processing
2025-04-22 11:09:21,082 [cuckoo.core.resultserver] DEBUG: Task #6318960: File upload for 'curtain/1745191472.44.curtain.log'
2025-04-22 11:09:21,100 [cuckoo.core.resultserver] DEBUG: Task #6318960 uploaded file length: 36
2025-04-22 11:09:21,317 [cuckoo.core.resultserver] DEBUG: Task #6318960: File upload for 'sysmon/1745191472.67.sysmon.xml'
2025-04-22 11:09:21,357 [cuckoo.core.resultserver] DEBUG: Task #6318960 uploaded file length: 1646896
2025-04-22 11:09:21,389 [cuckoo.core.resultserver] DEBUG: Task #6318960: File upload for 'files/33c316b6d72eadef_comb.dll'
2025-04-22 11:09:21,413 [cuckoo.core.resultserver] DEBUG: Task #6318960 uploaded file length: 329
2025-04-22 11:09:21,416 [cuckoo.core.resultserver] DEBUG: Task #6318960: File upload for 'files/93303320ed9f17d5_miscson.dll'
2025-04-22 11:09:21,423 [cuckoo.core.resultserver] DEBUG: Task #6318960: File upload for 'files/2caa231f5c41e8fd_acsvcst.dll'
2025-04-22 11:09:21,428 [cuckoo.core.resultserver] DEBUG: Task #6318960 uploaded file length: 140820
2025-04-22 11:09:21,432 [cuckoo.core.resultserver] DEBUG: Task #6318960 uploaded file length: 140892
2025-04-22 11:09:21,445 [cuckoo.core.resultserver] DEBUG: Task #6318960: File upload for 'files/ac96e00d8bbe20b5_comback.dll'
2025-04-22 11:09:21,450 [cuckoo.core.resultserver] DEBUG: Task #6318960 uploaded file length: 140856
2025-04-22 11:09:21,454 [cuckoo.core.resultserver] DEBUG: Task #6318960: File upload for 'files/7037ebd295873621_scsimon.dll'
2025-04-22 11:09:21,468 [cuckoo.core.resultserver] DEBUG: Task #6318960 uploaded file length: 140832
2025-04-22 11:09:21,937 [cuckoo.core.resultserver] DEBUG: Task #6318960: File upload for 'shots/0002.jpg'
2025-04-22 11:09:21,961 [cuckoo.core.resultserver] DEBUG: Task #6318960 uploaded file length: 133550
2025-04-22 11:09:21,980 [cuckoo.core.resultserver] DEBUG: Task #6318960 had connection reset for <Context for LOG>
2025-04-22 11:09:23,586 [cuckoo.core.guest] INFO: win7x6413: analysis completed successfully
2025-04-22 11:09:23,603 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-04-22 11:09:23,647 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-04-22 11:09:24,771 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6413 to path /srv/cuckoo/cwd/storage/analyses/6318960/memory.dmp
2025-04-22 11:09:24,791 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6413
2025-04-22 11:11:46,083 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.213 for task #6318960
2025-04-22 11:11:48,250 [cuckoo.core.scheduler] DEBUG: Released database task #6318960
2025-04-22 11:11:48,316 [cuckoo.core.scheduler] INFO: Task #6318960: analysis procedure completed

Signatures

Yara rules detected for file (7 events)

description	Create a windows service	rule	create_service
description	Escalade priviledges	rule	escalate_priv
description	Run a keylogger	rule	keylogger
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77606000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7790c000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e11000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 region_size: 118784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03070000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740c1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74091000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x43e50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2664 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 1376 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ April 21, 2025, 2:24 a.m.	stacktrace: 0x100052b2 exception.instruction_r: 8a 01 88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff exception.symbol: lstrcpy+0x16 GetWindowsDirectoryA-0x57 kernel32+0x32a9b exception.instruction: mov al, byte ptr [ecx] exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 207515 exception.address: 0x75902a9b registers.esp: 51207296 registers.edi: 268509128 registers.eax: 51207320 registers.ebp: 51207336 registers.edx: 268508616 registers.ebx: 1996533343 registers.esi: 1972382341 registers.ecx: 0	1
__exception__ April 21, 2025, 2:24 a.m.	stacktrace: 0x100052c3 exception.instruction_r: 8a 01 88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff exception.symbol: lstrcpy+0x16 GetWindowsDirectoryA-0x57 kernel32+0x32a9b exception.instruction: mov al, byte ptr [ecx] exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 207515 exception.address: 0x75902a9b registers.esp: 51207296 registers.edi: 268509128 registers.eax: 51207320 registers.ebp: 51207336 registers.edx: 268508872 registers.ebx: 1996533343 registers.esi: 1972382341 registers.ecx: 0	1
__exception__ April 21, 2025, 2:24 a.m.	stacktrace: 0x100052b2 exception.instruction_r: 8a 01 88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff exception.symbol: lstrcpy+0x16 GetWindowsDirectoryA-0x57 kernel32+0x32a9b exception.instruction: mov al, byte ptr [ecx] exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 207515 exception.address: 0x75902a9b registers.esp: 51207296 registers.edi: 268509128 registers.eax: 51207320 registers.ebp: 51207336 registers.edx: 268508616 registers.ebx: 1996533343 registers.esi: 1972382341 registers.ecx: 0	1
__exception__ April 21, 2025, 2:24 a.m.	stacktrace: 0x100052c3 exception.instruction_r: 8a 01 88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff exception.symbol: lstrcpy+0x16 GetWindowsDirectoryA-0x57 kernel32+0x32a9b exception.instruction: mov al, byte ptr [ecx] exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 207515 exception.address: 0x75902a9b registers.esp: 51207296 registers.edi: 268509128 registers.eax: 51207320 registers.ebp: 51207336 registers.edx: 268508872 registers.ebx: 1996533343 registers.esi: 1972382341 registers.ecx: 0	1
__exception__ April 21, 2025, 2:24 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x7569fff6 registers.esp: 1898540 registers.edi: 2765436 registers.eax: 0 registers.ebp: 1898688 registers.edx: 2621442 registers.ebx: 1972174848 registers.esi: 983723 registers.ecx: 2765436	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Creates executable files on the filesystem (5 events)

file	C:\Windows\System32\scsimon.dll
file	C:\Windows\AppPatch\AcSvcst.dll
file	C:\Windows\System32\com\comb.dll
file	C:\Windows\System32\Miscson.dll
file	C:\Windows\AppPatch\ComBack.Dll

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\svchost.exe -k rundll32

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001fe00', u'virtual_address': u'0x00001000', u'entropy': 7.664963816473899, u'name': u'CODE', u'virtual_size': u'0x0001fc68'}

entropy

7.66496381647

description

A section with a high entropy has been found

entropy

0.934065934066

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 21, 2025, 2:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 2:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 2:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess April 21, 2025, 2:24 a.m.	status_code: 0x00000000 process_identifier: 1376 process_handle: 0x00000194		0	0
NtTerminateProcess April 21, 2025, 2:24 a.m.	status_code: 0x00000000 process_identifier: 1376 process_handle: 0x00000194		3221225738	0

Raised Snort alerts (1 event)

snort

ET INFO DYNAMIC_DNS Query to 3322.org Domain

Raised Suricata alerts (1 event)

suricata

ET DYN_DNS DYNAMIC_DNS Query to 3322.org Domain

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 1376 region_size: 143360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000029c	1	0	0
NtAllocateVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000198	1	0	0

Attempts to stop active services (1 event)

Time & API	Arguments	Status	Return	Repeated
ControlService April 21, 2025, 2:24 a.m.	service_handle: 0x005c6f38 service_name: Spooler control_code: 1	1	1	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath

reg_value

Spoolsv.exe

Deletes executed files from disk (1 event)

file

Manipulates memory of a non-child process indicative of process injection (2 events)

Process injection

Process 2664 manipulating memory of non-child process 2876

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000198	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Process injection

Process 2664 injected into non-child 2876

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 21, 2025, 2:24 a.m.	buffer: UìÄøSEPè4YØPCPÿPÿSEüCEø}ütEüÿÐjÿÿUø[YY]ÃÀèXÀÃÀ¿IuöÿiuÿuC:\Windows\AppPatch\AcSvcst.dllDllService base_address: 0x00080000 process_identifier: 2876 process_handle: 0x00000198	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Process injection	Process 2664 called NtSetContextThread to modify thread in remote process 1376
Process injection	Process 2664 called NtSetContextThread to modify thread in remote process 2876

Time & API	Arguments	Status	Return	Repeated
NtSetContextThread April 21, 2025, 2:24 a.m.	registers.eip: 983040 registers.esp: 1898692 registers.edi: 0 registers.eax: 6234372 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000298 process_identifier: 1376	1	0	0
NtSetContextThread April 21, 2025, 2:24 a.m.	registers.eip: 524288 registers.esp: 2685028 registers.edi: 0 registers.eax: 11477252 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000194 process_identifier: 2876	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection

Process 2664 resumed a thread in remote process 1376

Time & API	Arguments	Status	Return	Repeated
NtResumeThread April 21, 2025, 2:24 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 1376	1	0	0

Stops Windows services (1 event)

service

Spooler (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Spooler\Start)

Executed a process and injected code into it, probably while unpacking (13 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 21, 2025, 2:24 a.m.	thread_identifier: 2920 thread_handle: 0x0000000000000048 process_identifier: 2664 current_directory: filepath: C:\Windows\SysWOW64\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\ADMINI~1\AppData\Local\Temp\f962fbd1d3802685ac9a074d0435b320e867faba8b41af6645ae031e97542fc8.dll,DllMain filepath_r: C:\Windows\SysWOW64\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000044	1	1
NtResumeThread April 21, 2025, 2:24 a.m.	thread_handle: 0x00000178 suspend_count: 1 process_identifier: 2664	1	0
CreateProcessInternalW April 21, 2025, 2:24 a.m.	thread_identifier: 348 thread_handle: 0x00000298 process_identifier: 1376 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe -k rundll32 filepath_r: stack_pivoted: 0 creation_flags: 524292 (CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000029c	1	1
NtAllocateVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 1376 region_size: 143360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000029c	1	0
WriteProcessMemory April 21, 2025, 2:24 a.m.	buffer: base_address: 0x000f0000 process_identifier: 1376 process_handle: 0x0000029c	1	1
NtGetContextThread April 21, 2025, 2:24 a.m.	thread_handle: 0x00000298	1	0
NtSetContextThread April 21, 2025, 2:24 a.m.	registers.eip: 983040 registers.esp: 1898692 registers.edi: 0 registers.eax: 6234372 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000298 process_identifier: 1376	1	0
NtResumeThread April 21, 2025, 2:24 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 1376	1	0
CreateProcessInternalW April 21, 2025, 2:24 a.m.	thread_identifier: 1784 thread_handle: 0x00000194 process_identifier: 2876 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe -k rundll32 filepath_r: stack_pivoted: 0 creation_flags: 524292 (CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000198	1	1
NtAllocateVirtualMemory April 21, 2025, 2:24 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000198	1	0
WriteProcessMemory April 21, 2025, 2:24 a.m.	buffer: UìÄøSEPè4YØPCPÿPÿSEüCEø}ütEüÿÐjÿÿUø[YY]ÃÀèXÀÃÀ¿IuöÿiuÿuC:\Windows\AppPatch\AcSvcst.dllDllService base_address: 0x00080000 process_identifier: 2876 process_handle: 0x00000198	1	1
NtGetContextThread April 21, 2025, 2:24 a.m.	thread_handle: 0x00000194	1	0
NtSetContextThread April 21, 2025, 2:24 a.m.	registers.eip: 524288 registers.esp: 2685028 registers.edi: 0 registers.eax: 11477252 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000194 process_identifier: 2876	1	0

File has been identified by 12 AntiVirus engine on IRMA as malicious (12 events)

G Data Antivirus (Windows)	Virus: Gen:Trojan.ExplorerHijack.iC5@aKlRihi (Engine A), Win32.Trojan.PSE.10038YY (Engine B)
Avast Core Security (Linux)	Win32:MalwareX-gen [Bd]
C4S ClamAV (Linux)	Win.Trojan.Sasfis-73
WithSecure (Linux)	Trojan:W32/Generic.avtd!fsmind
eScan Antivirus (Linux)	Gen:Trojan.ExplorerHijack.iC5@aKlRihi(DB)
ESET Security (Windows)	a variant of Win32/Delf.AJO trojan
Sophos Anti-Virus (Linux)	Troj/Delf-HOM
DrWeb Antivirus (Linux)	Trojan.MulDrop3.19480
ClamAV (Linux)	Win.Trojan.Sasfis-73
Bitdefender Antivirus (Linux)	Gen:Trojan.ExplorerHijack.iC5@aKlRihi
Kaspersky Standard (Windows)	Trojan.Win32.Sasfis.aqwf
Emsisoft Commandline Scanner (Windows)	Gen:Trojan.ExplorerHijack.iC5@aKlRihi (B)

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Cynet	Malicious (score: 100)
CTX	dll.trojan.aklrihi
ALYac	Gen:Trojan.ExplorerHijack.iC5@aKlRihi
Cylance	Unsafe
VIPRE	Gen:Trojan.ExplorerHijack.iC5@aKlRihi
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
K7GW	Trojan ( 005690671 )
K7AntiVirus	Trojan ( 005690671 )
Arcabit	Trojan.ExplorerHijack.E33CEF
VirIT	Backdoor.Win32.Generic.CCLQ
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Delf.AJO
APEX	Malicious
ClamAV	Win.Trojan.Sasfis-73
NANO-Antivirus	Trojan.Win32.Sasfis.inuxo
MicroWorld-eScan	Gen:Trojan.ExplorerHijack.iC5@aKlRihi
Rising	Backdoor.Prosti!8.280 (TFE:3:577pK4pfyyV)
Emsisoft	Gen:Trojan.ExplorerHijack.iC5@aKlRihi (B)
F-Secure	Trojan.TR/ATRAPS.Gen
DrWeb	Trojan.MulDrop3.19480
Zillya	Trojan.Sasfis.Win32.25546
McAfeeD	ti!F962FBD1D380
Sophos	Troj/Delf-HOM
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan/Sasfis.lzc
Webroot	W32.Malware.gen
Avira	TR/ATRAPS.Gen
Antiy-AVL	Trojan/Win32.Sasfis
Kingsoft	malware.kb.a.999
Gridinsoft	Trojan.Win32.Downloader.oa!s1
Microsoft	Backdoor:Win32/Prosti.L
ZoneAlarm	Troj/Delf-HOM
GData	Win32.Trojan.PSE.19YCTOZ
Google	Detected
AhnLab-V3	Trojan/Win32.Sasfis.R3331
Acronis	suspicious
VBA32	Trojan.Sasfis
TACHYON	Trojan/W32.DP-Sasfis.140828
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Backdoor.Win32.Prosti
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
Tencent	Trojan.Win32.Sasfis.pa
Yandex	Trojan.GenAsa!YOsF5jLpW/g
huorong	Trojan/Injector.bli
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Sasfis.AQW!tr
Panda	Trj/Genetic.gen

Screenshots

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action	VT	Location
No hosts contacted.

Browser recommendation

File f962fbd1d3802685ac9a074d0435b320e867faba8b41af6645ae031e97542fc8

Summary Download Resubmit sample Download yara

Score

Feedback

Information on Execution

Analyzer Log

Cuckoo Log

Signatures

Feedback

Summary
Download Resubmit sample Download yara