Summary

bce8dabff7f6e783_perfhost.exe

File bce8dabff7f6e783_perfhost.exe

Summary
Download Resubmit sample

Size 1.4MB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 2139ccb3d710ef0da041a987a7bcc531
SHA1 347a1f83955d14771ba1a5f7a81ca0048b392437
SHA256 bce8dabff7f6e7838dafbb069cd0b67f08e5161cc40beec746ac4f87a49edae2
SHA512
c4b3013e073621d5a30f5315e2593f260dd4c9ca15c182c37d93ae4084526fbde8ca0f2a40973ebb8aaadedb2e87f0b1491b0ca7322d0c0d6f0e0c4edf567488
CRC32 3702B115
ssdeep None
PDB Path PerfHost.pdb
Yara None matched

Score

This file is very suspicious, with a score of 9.4 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

Parent_Task_ID:6433156

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis
Category Started Completed Duration Routing Logs
FILE May 11, 2025, 4:23 a.m. May 11, 2025, 4:28 a.m. 306 seconds internet Show Analyzer Log
Show Cuckoo Log

Analyzer Log

2025-05-05 12:11:15,000 [analyzer] DEBUG: Starting analyzer from: C:\tmp4nivwu
2025-05-05 12:11:15,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\uEQSgMibpHyNyNUgfiJbZLolDhenHNdO
2025-05-05 12:11:15,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\ZoKlThDMJJtCNcDwiCEQZt
2025-05-05 12:11:15,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-05-05 12:11:15,030 [analyzer] INFO: Automatically selected analysis package "exe"
2025-05-05 12:11:15,250 [analyzer] DEBUG: Started auxiliary module Curtain
2025-05-05 12:11:15,265 [analyzer] DEBUG: Started auxiliary module DbgView
2025-05-05 12:11:15,765 [analyzer] DEBUG: Started auxiliary module Disguise
2025-05-05 12:11:15,967 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-05-05 12:11:15,967 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-05-05 12:11:15,967 [analyzer] DEBUG: Started auxiliary module Human
2025-05-05 12:11:15,967 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-05-05 12:11:15,967 [analyzer] DEBUG: Started auxiliary module Reboot
2025-05-05 12:11:16,062 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-05-05 12:11:16,062 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-05-05 12:11:16,078 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-05-05 12:11:16,078 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-05-05 12:11:16,250 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\bce8dabff7f6e783_perfhost.exe' with arguments '' and pid 2176
2025-05-05 12:11:16,437 [analyzer] DEBUG: Loaded monitor into process with pid 2176
2025-05-05 12:11:17,250 [analyzer] INFO: Process with pid 2176 has terminated
2025-05-05 12:11:17,250 [analyzer] INFO: Process list is empty, terminating analysis.
2025-05-05 12:11:18,405 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-05-05 12:11:18,405 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-05-11 04:23:30,593 [cuckoo.core.scheduler] DEBUG: Task #6433790: no machine available yet
2025-05-11 04:23:31,722 [cuckoo.core.scheduler] DEBUG: Task #6433790: no machine available yet
2025-05-11 04:23:32,862 [cuckoo.core.scheduler] DEBUG: Task #6433790: no machine available yet
2025-05-11 04:23:33,890 [cuckoo.core.scheduler] DEBUG: Task #6433790: no machine available yet
2025-05-11 04:23:35,014 [cuckoo.core.scheduler] DEBUG: Task #6433790: no machine available yet
2025-05-11 04:23:36,042 [cuckoo.core.scheduler] DEBUG: Task #6433790: no machine available yet
2025-05-11 04:23:37,059 [cuckoo.core.scheduler] DEBUG: Task #6433790: no machine available yet
2025-05-11 04:23:38,079 [cuckoo.core.scheduler] DEBUG: Task #6433790: no machine available yet
2025-05-11 04:23:39,107 [cuckoo.core.scheduler] DEBUG: Task #6433790: no machine available yet
2025-05-11 04:23:40,137 [cuckoo.core.scheduler] DEBUG: Task #6433790: no machine available yet
2025-05-11 04:23:41,166 [cuckoo.core.scheduler] INFO: Task #6433790: acquired machine win7x6424 (label=win7x6424)
2025-05-11 04:23:41,166 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.224 for task #6433790
2025-05-11 04:23:41,402 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3413570 (interface=vboxnet0, host=192.168.168.224)
2025-05-11 04:23:45,057 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6424
2025-05-11 04:23:45,626 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6424 to vmcloak
2025-05-11 04:25:54,060 [cuckoo.core.guest] INFO: Starting analysis #6433790 on guest (id=win7x6424, ip=192.168.168.224)
2025-05-11 04:25:55,065 [cuckoo.core.guest] DEBUG: win7x6424: not ready yet
2025-05-11 04:26:00,156 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6424, ip=192.168.168.224)
2025-05-11 04:26:00,320 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6424, ip=192.168.168.224, monitor=latest, size=6660546)
2025-05-11 04:26:01,434 [cuckoo.core.resultserver] DEBUG: Task #6433790: live log analysis.log initialized.
2025-05-11 04:26:02,383 [cuckoo.core.resultserver] DEBUG: Task #6433790 is sending a BSON stream
2025-05-11 04:26:02,821 [cuckoo.core.resultserver] DEBUG: Task #6433790 is sending a BSON stream
2025-05-11 04:26:03,612 [cuckoo.core.resultserver] DEBUG: Task #6433790: File upload for 'shots/0001.jpg'
2025-05-11 04:26:03,624 [cuckoo.core.resultserver] DEBUG: Task #6433790 uploaded file length: 133472
2025-05-11 04:26:04,769 [cuckoo.core.resultserver] DEBUG: Task #6433790: File upload for 'curtain/1746439878.31.curtain.log'
2025-05-11 04:26:04,771 [cuckoo.core.resultserver] DEBUG: Task #6433790 uploaded file length: 36
2025-05-11 04:26:04,855 [cuckoo.core.resultserver] DEBUG: Task #6433790: File upload for 'sysmon/1746439878.41.sysmon.xml'
2025-05-11 04:26:04,864 [cuckoo.core.resultserver] DEBUG: Task #6433790 uploaded file length: 225102
2025-05-11 04:26:05,687 [cuckoo.core.resultserver] DEBUG: Task #6433790 had connection reset for <Context for LOG>
2025-05-11 04:26:07,111 [cuckoo.core.guest] INFO: win7x6424: analysis completed successfully
2025-05-11 04:26:07,124 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-05-11 04:26:07,149 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-05-11 04:26:07,726 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6424 to path /srv/cuckoo/cwd/storage/analyses/6433790/memory.dmp
2025-05-11 04:26:07,728 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6424
2025-05-11 04:28:29,048 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.224 for task #6433790
2025-05-11 04:28:30,292 [cuckoo.core.scheduler] DEBUG: Released database task #6433790
2025-05-11 04:28:30,321 [cuckoo.core.scheduler] INFO: Task #6433790: analysis procedure completed

Signatures

Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2176
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 421888
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004f0000
process_handle: 0xffffffff
1 0 0
Queries for the computername (2 events)
Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: ë»¯íº­
0 0

GetComputerNameW

 computer_name: BQBHQDWYJ
1 1 0
This executable has a PDB path (1 event)
pdb_path PerfHost.pdb
The file contains an unknown PE resource name possibly indicative of a packer (2 events)
resource name MUI
resource name WEVT_TEMPLATE
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
File has been identified by 10 AntiVirus engine on IRMA as malicious (10 events)
G Data Antivirus (Windows) Virus: Win32.Expiro.Gen.7 (Engine A)
Avast Core Security (Linux) Win32:Malware-gen
WithSecure (Linux) Malware.W32/Infector.Gen
eScan Antivirus (Linux) Win32.Expiro.Gen.7(DB)
ESET Security (Windows) a variant of Win32/Expiro.NDP virus
Sophos Anti-Virus (Linux) W32/Moiva-A
DrWeb Antivirus (Linux) Win32.Expiro.153
Bitdefender Antivirus (Linux) Win32.Expiro.Gen.7
Kaspersky Standard (Windows) Virus.Win32.Moiva.a
Emsisoft Commandline Scanner (Windows) Win32.Expiro.Gen.7 (B)
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.
Cuckoo

We're processing your submission... This could take a few seconds.