Archive wsl.exe @ Microsoft.WSL_2.6.3.0_ARM64.msix

Size 4.5MB
Type PE32+ executable (console) Aarch64, for MS Windows
MD5 6a481d988801e414576d33ae8967b33a
SHA1 9b6373894593953ba948437f3e64bbf48b2c8faf
SHA256 cf5112ca712e69e38ab930b4b8c372827d06a8d063d8f38cbadac2868d754cb7
SHA512 8f4e4731cc0db2ff24ee7a298758934eae60be18dd8312463850b9129ed505bb366eb03bffe2d45a7f1150f5ec6b26f506184163daa189b46dd2d4a8a0d98aa1
CRC32 F3AD1B8B
ssdeep None
PDB Path C:\__w\1\s\bin\arm64\Release\wsl.pdb
Yara
  • APT32_KerrDown - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerException__SetConsoleCtrl - (no description)
  • anti_dbg - Checks if being debugged
  • network_tcp_listen - Listen for incoming communication
  • network_tcp_socket - Communications over RAW socket
  • escalate_priv - Escalade priviledges
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries

Score

This archive shows numerous signs of malicious behavior.

The score of this archive is 3.3 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category ARCHIVE
Started Feb. 24, 2026, 9:29 p.m.
Completed Feb. 24, 2026, 9:30 p.m.
Duration 50 seconds
Routing internet

Analyzer Log

2026-02-24 20:29:25,687 [analyzer] DEBUG: Starting analyzer from: C:\tmp1xmcit
2026-02-24 20:29:25,703 [analyzer] DEBUG: Pipe server name: \??\PIPE\LhQkFGtTuuvKOKxzCSYlrpEvJf
2026-02-24 20:29:25,703 [analyzer] DEBUG: Log pipe server name: \??\PIPE\lWiJtPjoRvJePKjbDTVgApRgOkYJEu
2026-02-24 20:29:26,062 [analyzer] DEBUG: Started auxiliary module Curtain
2026-02-24 20:29:26,062 [analyzer] DEBUG: Started auxiliary module DbgView
2026-02-24 20:29:26,437 [analyzer] DEBUG: Started auxiliary module Disguise
2026-02-24 20:29:26,625 [analyzer] DEBUG: Loaded monitor into process with pid 508
2026-02-24 20:29:26,625 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2026-02-24 20:29:26,625 [analyzer] DEBUG: Started auxiliary module Human
2026-02-24 20:29:26,625 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2026-02-24 20:29:26,625 [analyzer] DEBUG: Started auxiliary module Reboot
2026-02-24 20:29:26,765 [analyzer] DEBUG: Started auxiliary module RecentFiles
2026-02-24 20:29:26,765 [analyzer] DEBUG: Started auxiliary module Screenshots
2026-02-24 20:29:26,765 [analyzer] DEBUG: Started auxiliary module Sysmon
2026-02-24 20:29:26,780 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2026-02-24 20:29:26,890 [lib.api.process] ERROR: Failed to execute process from path 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\wsl.exe' with arguments ['bin\\inject-x86.exe', '--app', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\wsl.exe', '--only-start', '--curdir', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp'] (Error: Command '['bin\\inject-x86.exe', '--app', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\wsl.exe', '--only-start', '--curdir', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp']' returned non-zero exit status 1)

Cuckoo Log

2026-02-24 21:29:33,166 [cuckoo.core.scheduler] INFO: Task #7464459: acquired machine win7x6414 (label=win7x6414)
2026-02-24 21:29:33,167 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.214 for task #7464459
2026-02-24 21:29:33,608 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3866871 (interface=vboxnet0, host=192.168.168.214)
2026-02-24 21:29:33,633 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6414
2026-02-24 21:29:34,246 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6414 to vmcloak
2026-02-24 21:29:43,641 [cuckoo.core.guest] INFO: Starting analysis #7464459 on guest (id=win7x6414, ip=192.168.168.214)
2026-02-24 21:29:44,647 [cuckoo.core.guest] DEBUG: win7x6414: not ready yet
2026-02-24 21:29:49,676 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6414, ip=192.168.168.214)
2026-02-24 21:29:49,748 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6414, ip=192.168.168.214, monitor=latest, size=6660546)
2026-02-24 21:30:01,505 [cuckoo.core.resultserver] DEBUG: Task #7464459: live log analysis.log initialized.
2026-02-24 21:30:04,085 [cuckoo.core.resultserver] DEBUG: Task #7464459 is sending a BSON stream
2026-02-24 21:30:05,434 [cuckoo.core.resultserver] DEBUG: Task #7464459: File upload for 'shots/0001.jpg'
2026-02-24 21:30:05,461 [cuckoo.core.resultserver] DEBUG: Task #7464459 uploaded file length: 133465
2026-02-24 21:30:06,980 [cuckoo.core.guest] WARNING: win7x6414: analysis #7464459 caught an exception
Traceback (most recent call last):
  File "C:/tmp1xmcit/analyzer.py", line 824, in <module>
    success = analyzer.run()
  File "C:/tmp1xmcit/analyzer.py", line 673, in run
    pids = self.package.start(self.target)
  File "C:\tmp1xmcit\modules\packages\exe.py", line 34, in start
    return self.execute(path, args=shlex.split(args))
  File "C:\tmp1xmcit\lib\common\abstracts.py", line 205, in execute
    "Unable to execute the initial process, analysis aborted."
CuckooPackageError: Unable to execute the initial process, analysis aborted.

2026-02-24 21:30:06,994 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2026-02-24 21:30:07,019 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2026-02-24 21:30:07,884 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6414 to path /srv/cuckoo/cwd/storage/analyses/7464459/memory.dmp
2026-02-24 21:30:07,886 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6414
2026-02-24 21:30:15,253 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.214 for task #7464459
2026-02-24 21:30:15,254 [cuckoo.core.resultserver] DEBUG: Cancel <Context for LOG> for task 7464459
2026-02-24 21:30:15,571 [cuckoo.core.scheduler] DEBUG: Released database task #7464459
2026-02-24 21:30:15,588 [cuckoo.core.scheduler] INFO: Task #7464459: analysis procedure completed

Signatures

Yara rules detected for file (10 events)
  • description: (no description) | rule: APT32_KerrDown
  • description: (no description) | rule: DebuggerCheck__QueryInfo
  • description: (no description) | rule: DebuggerHiding__Thread
  • description: (no description) | rule: DebuggerException__SetConsoleCtrl
  • description: Checks if being debugged | rule: anti_dbg
  • description: Listen for incoming communication | rule: network_tcp_listen
  • description: Communications over RAW socket | rule: network_tcp_socket
  • description: Escalade priviledges | rule: escalate_priv
  • description: Create or check mutex | rule: win_mutex
  • description: Affect system registries | rule: win_registry

This executable has a PDB path (1 event)
  • pdb_path: C:\__w\1\s\bin\arm64\Release\wsl.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
  • section: .fptable

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)
  • DeepInstinct: MALICIOUS

Name / Response / Post-Analysis Lookup: No hosts contacted.
IP Address / Status / Action / VT / Location: No hosts contacted.