File e535649aa2e3deff_aspnet_state.exe

Size 1.5MB
Type PE32+ executable (console) x86-64, for MS Windows
MD5 4f3ac5a3ae0d757eb3482f031f9fd7f6
SHA1 2e97f870daf173697cb4ce1886829e72ba636249
SHA256 e535649aa2e3deff83df3d6f1fb9b3d29bac052c4863f736e8d8b043cd307bc1
SHA512 886fe9b110d3ff5a324f37d01947625b63b8a7f66718fe4127c3a0646ea511a3bc2ff6df6642188243519a26f560527aa13f888bd8395987df1930e7a93db90a
CRC32 FA4F31E9
ssdeep None
PDB Path aspnet_state.pdb
Yara
  • DebuggerException__SetConsoleCtrl - (no description)
  • anti_dbg - Checks if being debugged
  • network_tcp_listen - Listen for incoming communication
  • network_tcp_socket - Communications over RAW socket
  • win_registry - Affect system registries

Score

This file is very suspicious, with a score of 8.9 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.


Autosubmit

Parent_Task_ID:6433152


Information on Execution

Analysis
Category FILE
Started May 11, 2025, 4:22 a.m.
Completed May 11, 2025, 4:28 a.m.
Duration 340 seconds
Routing internet

Analyzer Log

2025-05-05 12:11:15,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpblqbwr
2025-05-05 12:11:15,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\SFQXcCOQgUjzOvdXXReTNwO
2025-05-05 12:11:15,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\stUmFNWGHWIDfCtWgY
2025-05-05 12:11:15,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-05-05 12:11:15,030 [analyzer] INFO: Automatically selected analysis package "exe"
2025-05-05 12:11:15,358 [analyzer] DEBUG: Started auxiliary module Curtain
2025-05-05 12:11:15,358 [analyzer] DEBUG: Started auxiliary module DbgView
2025-05-05 12:11:15,796 [analyzer] DEBUG: Started auxiliary module Disguise
2025-05-05 12:11:16,015 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-05-05 12:11:16,015 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-05-05 12:11:16,015 [analyzer] DEBUG: Started auxiliary module Human
2025-05-05 12:11:16,015 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-05-05 12:11:16,015 [analyzer] DEBUG: Started auxiliary module Reboot
2025-05-05 12:11:16,062 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-05-05 12:11:16,062 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-05-05 12:11:16,078 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-05-05 12:11:16,078 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-05-05 12:11:16,203 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\e535649aa2e3deff_aspnet_state.exe' with arguments '' and pid 2628
2025-05-05 12:11:17,203 [analyzer] INFO: Process with pid 2628 has terminated
2025-05-05 12:11:17,203 [analyzer] INFO: Process list is empty, terminating analysis.
2025-05-05 12:11:18,358 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-05-05 12:11:18,358 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-05-11 04:22:49,366 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:22:50,390 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:22:51,407 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:22:52,423 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:22:53,440 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:22:54,462 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:22:55,484 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:22:56,507 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:22:57,525 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:22:58,546 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:22:59,560 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:00,583 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:01,605 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:02,623 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:03,642 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:04,751 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:05,769 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:06,787 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:07,810 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:08,827 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:09,940 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:10,966 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:11,985 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:13,003 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:14,022 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:15,040 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:16,057 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:17,075 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:18,095 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:19,112 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:20,127 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:21,151 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:22,169 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:23,189 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:24,207 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:25,229 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:26,246 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:27,298 [cuckoo.core.scheduler] DEBUG: Task #6433787: no machine available yet
2025-05-11 04:23:28,323 [cuckoo.core.scheduler] INFO: Task #6433787: acquired machine win7x6418 (label=win7x6418)
2025-05-11 04:23:28,324 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.218 for task #6433787
2025-05-11 04:23:28,542 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3413197 (interface=vboxnet0, host=192.168.168.218)
2025-05-11 04:23:30,658 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6418
2025-05-11 04:23:31,115 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6418 to vmcloak
2025-05-11 04:25:36,439 [cuckoo.core.guest] INFO: Starting analysis #6433787 on guest (id=win7x6418, ip=192.168.168.218)
2025-05-11 04:25:37,494 [cuckoo.core.guest] DEBUG: win7x6418: not ready yet
2025-05-11 04:25:42,532 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6418, ip=192.168.168.218)
2025-05-11 04:25:42,590 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6418, ip=192.168.168.218, monitor=latest, size=6660546)
2025-05-11 04:25:43,830 [cuckoo.core.resultserver] DEBUG: Task #6433787: live log analysis.log initialized.
2025-05-11 04:25:44,790 [cuckoo.core.resultserver] DEBUG: Task #6433787 is sending a BSON stream
2025-05-11 04:25:46,057 [cuckoo.core.resultserver] DEBUG: Task #6433787: File upload for 'shots/0001.jpg'
2025-05-11 04:25:46,072 [cuckoo.core.resultserver] DEBUG: Task #6433787 uploaded file length: 133472
2025-05-11 04:25:47,129 [cuckoo.core.resultserver] DEBUG: Task #6433787: File upload for 'curtain/1746439878.28.curtain.log'
2025-05-11 04:25:47,132 [cuckoo.core.resultserver] DEBUG: Task #6433787 uploaded file length: 36
2025-05-11 04:25:47,207 [cuckoo.core.resultserver] DEBUG: Task #6433787: File upload for 'sysmon/1746439878.36.sysmon.xml'
2025-05-11 04:25:47,211 [cuckoo.core.resultserver] DEBUG: Task #6433787 uploaded file length: 110074
2025-05-11 04:25:48,150 [cuckoo.core.resultserver] DEBUG: Task #6433787 had connection reset for <Context for LOG>
2025-05-11 04:25:49,463 [cuckoo.core.guest] INFO: win7x6418: analysis completed successfully
2025-05-11 04:25:49,473 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-05-11 04:25:49,502 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-05-11 04:25:50,127 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6418 to path /srv/cuckoo/cwd/storage/analyses/6433787/memory.dmp
2025-05-11 04:25:50,128 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6418
2025-05-11 04:28:28,829 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.218 for task #6433787
2025-05-11 04:28:30,010 [cuckoo.core.scheduler] DEBUG: Released database task #6433787
2025-05-11 04:28:30,025 [cuckoo.core.scheduler] INFO: Task #6433787: analysis procedure completed

Signatures

Yara rules detected for file (5 events)
  • rule DebuggerException__SetConsoleCtrl - (no description)
  • rule anti_dbg - Checks if being debugged
  • rule network_tcp_listen - Listen for incoming communication
  • rule network_tcp_socket - Communications over RAW socket
  • rule win_registry - Affect system registries
This executable has a PDB path (1 event)
pdb_path aspnet_state.pdb
File has been identified by 12 AntiVirus engines on IRMA as malicious (12 events)
  • G Data Antivirus (Windows): Virus: Win64.Expiro.Gen.7 (Engine A)
  • Avast Core Security (Linux): Win64:Expiro-AJ [Inf]
  • C4S ClamAV (Linux): Win.Virus.Expiro-9955276-0
  • WithSecure (Linux): Malware.W32/Infector.Gen
  • eScan Antivirus (Linux): Win64.Expiro.Gen.7(DB)
  • ESET Security (Windows): a variant of Win64/Expiro.CQ virus
  • Sophos Anti-Virus (Linux): W64/Moiva-B
  • DrWeb Antivirus (Linux): Win32.Expiro.153
  • ClamAV (Linux): Win.Virus.Expiro-9955276-0
  • Bitdefender Antivirus (Linux): Win64.Expiro.Gen.7
  • Kaspersky Standard (Windows): Virus.Win64.Moiva.a
  • Emsisoft Commandline Scanner (Windows): Win64.Expiro.Gen.7 (B)
Network

Name | Response | Post-Analysis Lookup
No hosts contacted.

IP Address | Status | Action | VT | Location
No hosts contacted.