Cuckoo Sandbox

File bbb3539e52ee7889_perfhost.exe

Summary
Download Resubmit sample

Size	1.2MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`7a850a48db391766706affd385b9a8be`
SHA1	`76f4a879a87718bace2175c7eed9844ac6576b06`
SHA256	`bbb3539e52ee788945703519b89a695f786a7cc73b12ac5e8c03d98b587a4369`
SHA512	`419090dc3c37a3234d3215f3f643981882f3da049188e3eda284be1fd3c7d9a37c94953dca3628988abd6055c98da296d8d8692742908f0bb21fc68494860360`
CRC32	`8744CCFD`
ssdeep	`None`
PDB Path	PerfHost.pdb
Yara	None matched

Score

This file is very suspicious, with a score of 9.9 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

Parent_Task_ID:6432910

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	May 11, 2025, 4:07 a.m.	May 11, 2025, 4:16 a.m.	513 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2025-05-05 11:23:36,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpriinqn
2025-05-05 11:23:36,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\mKmfcViiDAwnsmAywfWUwWVPoQ
2025-05-05 11:23:36,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\WVLvzraHCUTEbpOeYQp
2025-05-05 11:23:36,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-05-05 11:23:36,030 [analyzer] INFO: Automatically selected analysis package "exe"
2025-05-05 11:23:36,296 [analyzer] DEBUG: Started auxiliary module Curtain
2025-05-05 11:23:36,296 [analyzer] DEBUG: Started auxiliary module DbgView
2025-05-05 11:23:36,765 [analyzer] DEBUG: Started auxiliary module Disguise
2025-05-05 11:23:36,967 [analyzer] DEBUG: Loaded monitor into process with pid 512
2025-05-05 11:23:36,967 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-05-05 11:23:36,967 [analyzer] DEBUG: Started auxiliary module Human
2025-05-05 11:23:36,967 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-05-05 11:23:36,967 [analyzer] DEBUG: Started auxiliary module Reboot
2025-05-05 11:23:37,015 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-05-05 11:23:37,015 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-05-05 11:23:37,015 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-05-05 11:23:37,015 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-05-05 11:23:37,171 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\bbb3539e52ee7889_perfhost.exe' with arguments '' and pid 2520
2025-05-05 11:23:37,375 [analyzer] DEBUG: Loaded monitor into process with pid 2520
2025-05-05 11:26:56,187 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-05-05 11:26:57,265 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-05-05 11:26:57,265 [lib.api.process] INFO: Successfully terminated process with pid 2520.
2025-05-05 11:26:57,265 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-05-11 04:07:53,703 [cuckoo.core.scheduler] INFO: Task #6433578: acquired machine win7x6426 (label=win7x6426)
2025-05-11 04:07:53,704 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.226 for task #6433578
2025-05-11 04:07:53,912 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3395232 (interface=vboxnet0, host=192.168.168.226)
2025-05-11 04:07:54,679 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6426
2025-05-11 04:07:55,079 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6426 to vmcloak
2025-05-11 04:10:16,507 [cuckoo.core.guest] INFO: Starting analysis #6433578 on guest (id=win7x6426, ip=192.168.168.226)
2025-05-11 04:10:17,513 [cuckoo.core.guest] DEBUG: win7x6426: not ready yet
2025-05-11 04:10:22,537 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6426, ip=192.168.168.226)
2025-05-11 04:10:22,622 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6426, ip=192.168.168.226, monitor=latest, size=6660546)
2025-05-11 04:10:24,041 [cuckoo.core.resultserver] DEBUG: Task #6433578: live log analysis.log initialized.
2025-05-11 04:10:24,918 [cuckoo.core.resultserver] DEBUG: Task #6433578 is sending a BSON stream
2025-05-11 04:10:25,324 [cuckoo.core.resultserver] DEBUG: Task #6433578 is sending a BSON stream
2025-05-11 04:10:26,128 [cuckoo.core.resultserver] DEBUG: Task #6433578: File upload for 'shots/0001.jpg'
2025-05-11 04:10:26,144 [cuckoo.core.resultserver] DEBUG: Task #6433578 uploaded file length: 116334
2025-05-11 04:10:38,709 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:10:53,793 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:11:08,890 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:11:24,023 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:11:39,154 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:11:54,262 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:12:09,371 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:12:24,459 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:12:39,540 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:12:54,826 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:13:09,930 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:13:25,176 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:13:40,264 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6433578 still processing
2025-05-11 04:13:44,403 [cuckoo.core.resultserver] DEBUG: Task #6433578: File upload for 'curtain/1746437216.38.curtain.log'
2025-05-11 04:13:44,405 [cuckoo.core.resultserver] DEBUG: Task #6433578 uploaded file length: 36
2025-05-11 04:13:45,198 [cuckoo.core.resultserver] DEBUG: Task #6433578: File upload for 'sysmon/1746437217.17.sysmon.xml'
2025-05-11 04:13:45,299 [cuckoo.core.resultserver] DEBUG: Task #6433578 uploaded file length: 11180130
2025-05-11 04:13:45,320 [cuckoo.core.resultserver] DEBUG: Task #6433578 had connection reset for <Context for LOG>
2025-05-11 04:13:46,364 [cuckoo.core.guest] INFO: win7x6426: analysis completed successfully
2025-05-11 04:13:46,377 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-05-11 04:13:46,404 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-05-11 04:13:47,022 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6426 to path /srv/cuckoo/cwd/storage/analyses/6433578/memory.dmp
2025-05-11 04:13:47,023 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6426
2025-05-11 04:16:25,618 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.226 for task #6433578
2025-05-11 04:16:26,856 [cuckoo.core.scheduler] DEBUG: Released database task #6433578
2025-05-11 04:16:26,884 [cuckoo.core.scheduler] INFO: Task #6433578: analysis procedure completed

Signatures

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 5, 2025, 12:23 p.m.	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 421888 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0	0

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 5, 2025, 12:23 p.m.	computer_name: 뻯��		0	0
GetComputerNameW May 5, 2025, 12:23 p.m.	computer_name: CGJRIYXYRJBQOJY	1	1	0

This executable has a PDB path (1 event)

pdb_path

PerfHost.pdb

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	MUI
resource name	WEVT_TEMPLATE

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Raised Suricata alerts (1 event)

suricata

Stamus Networks MS-SRVS service - NetrShareEnum

File has been identified by 12 AntiVirus engine on IRMA as malicious (12 events)

G Data Antivirus (Windows)	Virus: Win32.Expiro.Gen.7 (Engine A)
Avast Core Security (Linux)	Win32:Expiro-HJ [Inf]
C4S ClamAV (Linux)	Win.Virus.Expiro-9943521-0
WithSecure (Linux)	Malware.W32/Infector.Gen
eScan Antivirus (Linux)	Win32.Expiro.Gen.7(DB)
ESET Security (Windows)	a variant of Win32/Expiro.NDP virus
Sophos Anti-Virus (Linux)	W32/Moiva-A
DrWeb Antivirus (Linux)	Win32.Expiro.153
ClamAV (Linux)	Win.Virus.Expiro-9943521-0
Bitdefender Antivirus (Linux)	Win32.Expiro.Gen.7
Kaspersky Standard (Windows)	Virus.Win32.Moiva.a
Emsisoft Commandline Scanner (Windows)	Win32.Expiro.Gen.7 (B)

Screenshots

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action	VT	Location
No hosts contacted.

Browser recommendation

File bbb3539e52ee7889_perfhost.exe

Summary Download Resubmit sample

Score

Autosubmit

Feedback

Information on Execution

Analyzer Log

Cuckoo Log

Signatures

Feedback

Summary
Download Resubmit sample