Summary

afa29518deb31dfa_umcuwp8de.exe

File afa29518deb31dfa_umcuwp8de.exe

Summary
Download Resubmit sample Download yara

Size 61.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 30dc818aacda37f8e0496660595e68d8
SHA1 94cfd3b7af4024e035638d57c0e817fbad35e98c
SHA256 afa29518deb31dfae78f21bad6800c376120ccdf1b26edf29ef7a03fe6b1beb2
SHA512
1c52ef5f3ce5e022e6015a0e64112b6503eddb4001583ac8cacd2d2d3b90f1a5a7e30c20b8b1f8ac5fda5f764e7bec00c7a843b07f6337823bc0f744027b687b
CRC32 C0D39410
ssdeep None
Yara
  • anti_dbg - Checks if being debugged
  • network_http - Communications over HTTP
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

Parent_Task_ID:6705059

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis
Category Started Completed Duration Routing Logs
FILE July 18, 2025, 3:21 p.m. July 18, 2025, 3:28 p.m. 401 seconds internet Show Analyzer Log
Show Cuckoo Log

Analyzer Log

2025-07-14 13:00:05,000 [analyzer] DEBUG: Starting analyzer from: C:\tmp564etj
2025-07-14 13:00:05,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\kebAHLEMRuUpYkBYKPn
2025-07-14 13:00:05,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\qQgoEJIUufaYeaMGYznSKYPiAKFRf
2025-07-14 13:00:05,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-07-14 13:00:05,015 [analyzer] INFO: Automatically selected analysis package "exe"
2025-07-14 13:00:05,405 [analyzer] DEBUG: Started auxiliary module Curtain
2025-07-14 13:00:05,405 [analyzer] DEBUG: Started auxiliary module DbgView
2025-07-14 13:00:05,937 [analyzer] DEBUG: Started auxiliary module Disguise
2025-07-14 13:00:06,155 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-07-14 13:00:06,155 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-07-14 13:00:06,155 [analyzer] DEBUG: Started auxiliary module Human
2025-07-14 13:00:06,155 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-07-14 13:00:06,171 [analyzer] DEBUG: Started auxiliary module Reboot
2025-07-14 13:00:06,233 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-07-14 13:00:06,233 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-07-14 13:00:06,233 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-07-14 13:00:06,233 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-07-14 13:00:06,358 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\afa29518deb31dfa_umcuwp8de.exe' with arguments '' and pid 2924
2025-07-14 13:00:06,562 [analyzer] DEBUG: Loaded monitor into process with pid 2924
2025-07-14 13:00:06,562 [analyzer] INFO: Added new file to list with pid 2924 and path C:\Users\Administrator\AppData\Roaming\v9g0134h.exe
2025-07-14 13:00:06,640 [analyzer] INFO: Injected into process with pid 392 and name u'v9g0134h.exe'
2025-07-14 13:00:06,812 [analyzer] DEBUG: Loaded monitor into process with pid 392
2025-07-14 13:00:06,812 [analyzer] INFO: Added new file to list with pid 392 and path C:\Users\Administrator\AppData\Roaming\2hepw.exe
2025-07-14 13:00:06,890 [analyzer] INFO: Injected into process with pid 2900 and name u'2hepw.exe'
2025-07-14 13:00:07,062 [analyzer] DEBUG: Loaded monitor into process with pid 2900
2025-07-14 13:00:52,453 [analyzer] INFO: Added new file to list with pid 2900 and path C:\Users\Administrator\AppData\Roaming2nw0
2025-07-14 13:01:07,375 [analyzer] INFO: Process with pid 2924 has terminated
2025-07-14 13:01:08,375 [analyzer] INFO: Process with pid 392 has terminated
2025-07-14 13:03:25,375 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-07-14 13:03:27,625 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-07-14 13:03:27,640 [lib.api.process] INFO: Successfully terminated process with pid 2900.
2025-07-14 13:03:27,671 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-07-18 15:21:54,239 [cuckoo.core.scheduler] INFO: Task #6732359: acquired machine win7x6419 (label=win7x6419)
2025-07-18 15:21:54,240 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.219 for task #6732359
2025-07-18 15:21:54,607 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2759702 (interface=vboxnet0, host=192.168.168.219)
2025-07-18 15:21:54,768 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6419
2025-07-18 15:21:55,723 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6419 to vmcloak
2025-07-18 15:23:51,572 [cuckoo.core.guest] INFO: Starting analysis #6732359 on guest (id=win7x6419, ip=192.168.168.219)
2025-07-18 15:23:52,577 [cuckoo.core.guest] DEBUG: win7x6419: not ready yet
2025-07-18 15:23:57,600 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6419, ip=192.168.168.219)
2025-07-18 15:23:57,714 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6419, ip=192.168.168.219, monitor=latest, size=6660546)
2025-07-18 15:23:59,224 [cuckoo.core.resultserver] DEBUG: Task #6732359: live log analysis.log initialized.
2025-07-18 15:24:00,332 [cuckoo.core.resultserver] DEBUG: Task #6732359 is sending a BSON stream
2025-07-18 15:24:00,722 [cuckoo.core.resultserver] DEBUG: Task #6732359 is sending a BSON stream
2025-07-18 15:24:00,974 [cuckoo.core.resultserver] DEBUG: Task #6732359 is sending a BSON stream
2025-07-18 15:24:01,222 [cuckoo.core.resultserver] DEBUG: Task #6732359 is sending a BSON stream
2025-07-18 15:24:01,586 [cuckoo.core.resultserver] DEBUG: Task #6732359: File upload for 'shots/0001.jpg'
2025-07-18 15:24:01,603 [cuckoo.core.resultserver] DEBUG: Task #6732359 uploaded file length: 133548
2025-07-18 15:24:14,048 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:24:29,146 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:24:44,230 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:24:59,318 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:25:14,517 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:25:29,645 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:25:44,769 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:25:59,988 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:26:15,210 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:26:30,391 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:26:45,620 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:27:00,842 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:27:16,200 [cuckoo.core.guest] DEBUG: win7x6419: analysis #6732359 still processing
2025-07-18 15:27:19,858 [cuckoo.core.resultserver] DEBUG: Task #6732359: File upload for 'curtain/1752491005.61.curtain.log'
2025-07-18 15:27:19,865 [cuckoo.core.resultserver] DEBUG: Task #6732359 uploaded file length: 36
2025-07-18 15:27:21,557 [cuckoo.core.resultserver] DEBUG: Task #6732359: File upload for 'sysmon/1752491007.16.sysmon.xml'
2025-07-18 15:27:21,872 [cuckoo.core.resultserver] DEBUG: Task #6732359 uploaded file length: 14557466
2025-07-18 15:27:21,907 [cuckoo.core.resultserver] DEBUG: Task #6732359: File upload for 'files/bf8e008adec34932_2hepw.exe'
2025-07-18 15:27:21,911 [cuckoo.core.resultserver] DEBUG: Task #6732359: File upload for 'files/0b05c32f3872c0e5_v9g0134h.exe'
2025-07-18 15:27:21,927 [cuckoo.core.resultserver] DEBUG: Task #6732359 uploaded file length: 62976
2025-07-18 15:27:21,929 [cuckoo.core.resultserver] DEBUG: Task #6732359 uploaded file length: 62976
2025-07-18 15:27:21,938 [cuckoo.core.resultserver] DEBUG: Task #6732359: File upload for 'files/bffee5d05218adc1_roaming2nw0'
2025-07-18 15:27:21,940 [cuckoo.core.resultserver] DEBUG: Task #6732359 uploaded file length: 100
2025-07-18 15:27:21,942 [cuckoo.core.resultserver] DEBUG: Task #6732359 had connection reset for <Context for LOG>
2025-07-18 15:27:22,243 [cuckoo.core.guest] INFO: win7x6419: analysis completed successfully
2025-07-18 15:27:22,260 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-07-18 15:27:22,291 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-07-18 15:27:23,419 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6419 to path /srv/cuckoo/cwd/storage/analyses/6732359/memory.dmp
2025-07-18 15:27:23,422 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6419
2025-07-18 15:28:34,853 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.219 for task #6732359
2025-07-18 15:28:35,289 [cuckoo.core.scheduler] DEBUG: Released database task #6732359
2025-07-18 15:28:35,310 [cuckoo.core.scheduler] INFO: Task #6732359: analysis procedure completed

Signatures

Yara rules detected for file (5 events)
description Checks if being debugged rule anti_dbg
description Communications over HTTP rule network_http
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect private profile rule win_files_operation
HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)
suspicious_features GET method with no useragent header suspicious_request GET http://mkkuei4kdsz.com/52/119.html
suspicious_features GET method with no useragent header suspicious_request GET http://ow5dirasuek.com/636/759.html
suspicious_features GET method with no useragent header suspicious_request GET http://mkkuei4kdsz.com/116/341.html
suspicious_features GET method with no useragent header suspicious_request GET http://ow5dirasuek.com/267/167.html
suspicious_features GET method with no useragent header suspicious_request GET http://mkkuei4kdsz.com/312/893.html
suspicious_features GET method with no useragent header suspicious_request GET http://ow5dirasuek.com/298/83.html
Performs some HTTP requests (6 events)
request GET http://mkkuei4kdsz.com/52/119.html
request GET http://ow5dirasuek.com/636/759.html
request GET http://mkkuei4kdsz.com/116/341.html
request GET http://ow5dirasuek.com/267/167.html
request GET http://mkkuei4kdsz.com/312/893.html
request GET http://ow5dirasuek.com/298/83.html
A process attempted to delay the analysis task. (1 event)
description 2hepw.exe tried to sleep 240 seconds, actually delayed analysis time by 240 seconds
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator\AppData\Roaming\2hepw.exe
file C:\Users\Administrator\AppData\Roaming\v9g0134h.exe
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator\AppData\Roaming\2hepw.exe
file C:\Users\Administrator\AppData\Roaming\v9g0134h.exe
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 46
family: 0
1 0 0
Raised Suricata alerts (3 events)
suricata ThreatFox botnet C2 traffic (domain - confidence level: 100%)
suricata ET MALWARE Ransom.Win32.Birele.gsg Checkin
suricata ThreatFox botnet C2 traffic (url - confidence level: 75%)
Installs itself for autorun at Windows startup (2 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\yauayui reg_value C:\Users\Administrator\AppData\Roaming\v9g0134h.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\chst reg_value C:\Users\Administrator\AppData\Roaming\2hepw.exe
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (10 events)
Time & API Arguments Status Return Repeated

RegSetValueExW

 key_handle: 0x000002a0
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x000002a0
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: nê­:¿ôÛ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x000002a0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecision
1 0 0

RegSetValueExW

 key_handle: 0x000002a0
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
value: Network
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadNetworkName
1 0 0

RegSetValueExW

 key_handle: 0x000002ec
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x000002ec
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: nê­:¿ôÛ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x000002ec
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
1 0 0

RegSetValueExW

 key_handle: 0x000002ec
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
value: 1
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
1 0 0

RegSetValueExW

 key_handle: 0x000002ec
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
value: nê­:¿ôÛ
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
1 0 0

RegSetValueExW

 key_handle: 0x000002ec
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
1 0 0
File has been identified by 12 AntiVirus engine on IRMA as malicious (12 events)
G Data Antivirus (Windows) Virus: Generic.Dacic.1A7FA519.A.6CC4144B (Engine A), Win32.Trojan.PSE.14IDQ4O (Engine B)
Avast Core Security (Linux) Win32:Buterat-WQ [Trj]
C4S ClamAV (Linux) Win.Malware.Ulise-7170100-0
Trellix (Linux) GenericRXHT-PZ
WithSecure (Linux) Heuristic.HEUR/AGEN.1366724
eScan Antivirus (Linux) Generic.Dacic.1A7FA519.A.6CC4144B(DB)
ESET Security (Windows) a variant of Win32/SpyVoltar.B trojan
Sophos Anti-Virus (Linux) Troj/Buterat-E
DrWeb Antivirus (Linux) BackDoor.Butirat.245
Bitdefender Antivirus (Linux) Generic.Dacic.1A7FA519.A.6CC4144B
Kaspersky Standard (Windows) VHO:Trojan-Downloader.Win32.Agent.gen
Emsisoft Commandline Scanner (Windows) Generic.Dacic.1A7FA519.A.6CC4144B (B)
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.
Cuckoo

We're processing your submission... This could take a few seconds.