Cuckoo Sandbox

File 9cd385e64bbe57dd7e6317d6005cddedb482b5a3e04d1b973fcd27bff1be4cf4

Summary
Download Resubmit sample

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`285fadeb69897c849a54a5996eebd116`
SHA1	`1a605a88686eaf9376ca94c55aaf066c4d836ad8`
SHA256	`9cd385e64bbe57dd7e6317d6005cddedb482b5a3e04d1b973fcd27bff1be4cf4`
SHA512	`a179141b1d0b23cadc572dab475ce5564a7fab9f082b7dda7920234c46e58bf4c5c6cfc2fce5d5f19ca980366eb9740ac3c7b4632cae2d2be72747fc8984a4cd`
CRC32	`86E26A0A`
ssdeep	`None`
Yara	disable_dep - Bypass DEP escalate_priv - Escalade priviledges win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	July 8, 2025, 4:32 p.m.	July 8, 2025, 4:36 p.m.	231 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2025-07-07 15:09:54,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpqnr2dk
2025-07-07 15:09:54,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\VPwtnHghNSoOcDdVqYxtFAfeZjN
2025-07-07 15:09:54,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\KHRkGIWYmxnRFqTPrndNAe
2025-07-07 15:09:54,265 [analyzer] DEBUG: Started auxiliary module Curtain
2025-07-07 15:09:54,280 [analyzer] DEBUG: Started auxiliary module DbgView
2025-07-07 15:09:54,640 [analyzer] DEBUG: Started auxiliary module Disguise
2025-07-07 15:09:54,842 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-07-07 15:09:54,842 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-07-07 15:09:54,842 [analyzer] DEBUG: Started auxiliary module Human
2025-07-07 15:09:54,842 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-07-07 15:09:54,842 [analyzer] DEBUG: Started auxiliary module Reboot
2025-07-07 15:09:54,905 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-07-07 15:09:54,905 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-07-07 15:09:54,905 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-07-07 15:09:54,905 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-07-07 15:09:55,062 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\9cd385e64bbe57dd7e6317d6005cddedb482b5a3e04d1b973fcd27bff1be4cf4.exe' with arguments '' and pid 2068
2025-07-07 15:09:55,233 [analyzer] DEBUG: Loaded monitor into process with pid 2068
2025-07-07 15:09:55,467 [analyzer] INFO: Added new file to list with pid 2068 and path C:\Users\Administrator\AppData\Local\Temp\is-V5VTB.tmp\9cd385e64bbe57dd7e6317d6005cddedb482b5a3e04d1b973fcd27bff1be4cf4.tmp
2025-07-07 15:09:55,578 [analyzer] INFO: Injected into process with pid 124 and name ''
2025-07-07 15:09:55,750 [analyzer] DEBUG: Loaded monitor into process with pid 124
2025-07-07 15:09:55,812 [analyzer] INFO: Added new file to list with pid 124 and path C:\Users\Administrator\AppData\Local\Temp\is-94QL0.tmp\_isetup\_setup64.tmp
2025-07-07 15:09:55,842 [analyzer] INFO: Added new file to list with pid 124 and path C:\Users\Administrator\AppData\Local\Temp\is-94QL0.tmp\idp.dll
2025-07-07 15:10:24,092 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-07-07 15:10:24,483 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-07-07 15:10:24,483 [lib.api.process] INFO: Successfully terminated process with pid 2068.
2025-07-07 15:10:24,483 [lib.api.process] INFO: Successfully terminated process with pid 124.
2025-07-07 15:10:24,546 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-07-08 16:32:18,699 [cuckoo.core.scheduler] INFO: Task #6667550: acquired machine win7x6415 (label=win7x6415)
2025-07-08 16:32:18,699 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.215 for task #6667550
2025-07-08 16:32:19,001 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 527587 (interface=vboxnet0, host=192.168.168.215)
2025-07-08 16:32:23,962 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6415
2025-07-08 16:32:24,604 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6415 to vmcloak
2025-07-08 16:33:59,938 [cuckoo.core.guest] INFO: Starting analysis #6667550 on guest (id=win7x6415, ip=192.168.168.215)
2025-07-08 16:34:00,945 [cuckoo.core.guest] DEBUG: win7x6415: not ready yet
2025-07-08 16:34:05,967 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6415, ip=192.168.168.215)
2025-07-08 16:34:06,041 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6415, ip=192.168.168.215, monitor=latest, size=6660546)
2025-07-08 16:34:07,152 [cuckoo.core.resultserver] DEBUG: Task #6667550: live log analysis.log initialized.
2025-07-08 16:34:07,946 [cuckoo.core.resultserver] DEBUG: Task #6667550 is sending a BSON stream
2025-07-08 16:34:08,323 [cuckoo.core.resultserver] DEBUG: Task #6667550 is sending a BSON stream
2025-07-08 16:34:08,837 [cuckoo.core.resultserver] DEBUG: Task #6667550 is sending a BSON stream
2025-07-08 16:34:09,164 [cuckoo.core.resultserver] DEBUG: Task #6667550: File upload for 'shots/0001.jpg'
2025-07-08 16:34:09,188 [cuckoo.core.resultserver] DEBUG: Task #6667550 uploaded file length: 133436
2025-07-08 16:34:10,319 [cuckoo.core.resultserver] DEBUG: Task #6667550: File upload for 'shots/0002.jpg'
2025-07-08 16:34:10,349 [cuckoo.core.resultserver] DEBUG: Task #6667550 uploaded file length: 145476
2025-07-08 16:34:21,912 [cuckoo.core.guest] DEBUG: win7x6415: analysis #6667550 still processing
2025-07-08 16:34:37,440 [cuckoo.core.resultserver] DEBUG: Task #6667550: File upload for 'curtain/1751893824.27.curtain.log'
2025-07-08 16:34:37,443 [cuckoo.core.resultserver] DEBUG: Task #6667550 uploaded file length: 36
2025-07-08 16:34:37,637 [cuckoo.core.resultserver] DEBUG: Task #6667550: File upload for 'sysmon/1751893824.47.sysmon.xml'
2025-07-08 16:34:37,657 [cuckoo.core.resultserver] DEBUG: Task #6667550 uploaded file length: 2345148
2025-07-08 16:34:37,688 [cuckoo.core.resultserver] DEBUG: Task #6667550: File upload for 'files/da37e71c59b7fb8c_9cd385e64bbe57dd7e6317d6005cddedb482b5a3e04d1b973fcd27bff1be4cf4.tmp'
2025-07-08 16:34:37,712 [cuckoo.core.resultserver] DEBUG: Task #6667550 uploaded file length: 3518976
2025-07-08 16:34:37,721 [cuckoo.core.resultserver] DEBUG: Task #6667550: File upload for 'files/54e7e0ad32a22b77_idp.dll'
2025-07-08 16:34:37,727 [cuckoo.core.resultserver] DEBUG: Task #6667550: File upload for 'files/388a796580234efc__setup64.tmp'
2025-07-08 16:34:37,730 [cuckoo.core.resultserver] DEBUG: Task #6667550 uploaded file length: 6144
2025-07-08 16:34:37,732 [cuckoo.core.resultserver] DEBUG: Task #6667550 uploaded file length: 237568
2025-07-08 16:34:37,818 [cuckoo.core.guest] INFO: win7x6415: analysis completed successfully
2025-07-08 16:34:37,828 [cuckoo.core.resultserver] DEBUG: Task #6667550: File upload for 'shots/0003.jpg'
2025-07-08 16:34:37,831 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-07-08 16:34:37,839 [cuckoo.core.resultserver] DEBUG: Task #6667550 uploaded file length: 133848
2025-07-08 16:34:37,851 [cuckoo.core.resultserver] DEBUG: Task #6667550 had connection reset for <Context for LOG>
2025-07-08 16:34:37,857 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-07-08 16:34:38,654 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6415 to path /srv/cuckoo/cwd/storage/analyses/6667550/memory.dmp
2025-07-08 16:34:38,655 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6415
2025-07-08 16:36:09,402 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.215 for task #6667550
2025-07-08 16:36:09,762 [cuckoo.core.scheduler] DEBUG: Released database task #6667550
2025-07-08 16:36:09,797 [cuckoo.core.scheduler] INFO: Task #6667550: analysis procedure completed

Signatures

Yara rules detected for file (5 events)

description	Bypass DEP	rule	disable_dep
description	Escalade priviledges	rule	escalate_priv
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 7, 2025, 4:09 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01230000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2025, 4:09 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 688128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2025, 4:09 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012e7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2025, 4:09 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 147456 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012e9000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2025, 4:09 p.m.	process_identifier: 124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 7, 2025, 4:09 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 7, 2025, 4:09 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

Creates executable files on the filesystem (1 event)

file	C:\Users\Administrator\AppData\Local\Temp\is-94QL0.tmp\idp.dll

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW July 7, 2025, 4:09 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\VOIDSTRAP vs BLOXSTRAP Fast Flags Comparison for~E70F1879_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\VOIDSTRAP vs BLOXSTRAP Fast Flags Comparison for~E70F1879_is1		2	0

Detects the presence of Wine emulator (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress July 7, 2025, 4:09 p.m.	ordinal: 0 function_address: 0x0123f7a8 function_name: wine_get_version module: ntdll module_address: 0x77830000		3221225785	0
LdrGetProcedureAddress July 7, 2025, 4:09 p.m.	ordinal: 0 function_address: 0x002317dc function_name: wine_get_version module: ntdll module_address: 0x77830000		3221225785	0

File has been identified by 5 AntiVirus engine on IRMA as malicious (5 events)

WithSecure (Linux)	Trojan.TR/AVI.Agent.oioyy
ESET Security (Windows)	a variant of Win32/TrojanDownloader.Agent.HIO trojan
Sophos Anti-Virus (Linux)	Mal/Generic-S
DrWeb Antivirus (Linux)	Trojan.DownLoad4.17533
Kaspersky Standard (Windows)	HEUR:Trojan-Downloader.Win32.OffLoader.gen

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Bkav	W32.AIDetectMalware
Skyhigh	BehavesLike.Win32.Trojan.tc
CrowdStrike	win/malicious_confidence_60% (D)
K7GW	Trojan-Downloader ( 005c7c341 )
K7AntiVirus	Trojan-Downloader ( 005c7c341 )
VirIT	Trojan.Win32.DelphGen.III
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.HIO
APEX	Malicious
Kaspersky	HEUR:Trojan-Downloader.Win32.OffLoader.gen
Rising	Downloader.Agent/IFPS!1.12740 (CLASSIC)
DrWeb	Trojan.DownLoad4.17533
Google	Detected
Microsoft	Trojan:Win32/Phonzy.B!ml
Tencent	Trojan-DL.Win32.Agent.cp
huorong	HEUR:TrojanDownloader/Agent.dd
Fortinet	W32/DBadur.A!tr.dldr

Screenshots

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action	VT	Location
No hosts contacted.

Browser recommendation

File 9cd385e64bbe57dd7e6317d6005cddedb482b5a3e04d1b973fcd27bff1be4cf4

Summary Download Resubmit sample

Score

Feedback

Information on Execution

Analyzer Log

Cuckoo Log

Signatures

Feedback

Summary
Download Resubmit sample