Analysis

Category FILE
Package exe
Started 2019-11-08 20:06:51
Completed 2019-11-08 20:07:10
Duration 19 seconds
  • Info: Analysis failed: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.
procdump = 1
2019-11-08 20:06:52,015 [root] INFO: Date set to: 11-08-19, time set to: 20:06:52, timeout set to: 200
2019-11-08 20:06:52,062 [root] DEBUG: Starting analyzer from: C:\qrdfraitj
2019-11-08 20:06:52,062 [root] DEBUG: Storing results at: C:\PCNwtciHr
2019-11-08 20:06:52,062 [root] DEBUG: Pipe server name: \\.\PIPE\FCbzRxpLNZ
2019-11-08 20:06:52,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-11-08 20:06:52,062 [root] INFO: Automatically selected analysis package "exe"
2019-11-08 20:06:53,092 [root] DEBUG: Started auxiliary module Browser
2019-11-08 20:06:53,092 [root] DEBUG: Started auxiliary module Curtain
2019-11-08 20:06:53,092 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-11-08 20:06:53,871 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-11-08 20:06:53,871 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-11-08 20:06:53,871 [root] DEBUG: Started auxiliary module DigiSig
2019-11-08 20:06:53,887 [root] DEBUG: Started auxiliary module Disguise
2019-11-08 20:06:53,887 [root] DEBUG: Started auxiliary module Human
2019-11-08 20:06:53,887 [root] DEBUG: Started auxiliary module Screenshots
2019-11-08 20:06:53,903 [root] DEBUG: Started auxiliary module Sysmon
2019-11-08 20:06:53,903 [root] DEBUG: Started auxiliary module Usage
2019-11-08 20:06:53,903 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-11-08 20:06:53,903 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-11-08 20:06:53,950 [lib.api.process] ERROR: Failed to execute process from path "C:\Users\user\AppData\Local\Temp\46CVwQ.exe" with arguments "None" (Error: %1 is not a valid Win32 application (ERROR_BAD_EXE_FORMAT))
2019-11-08 20:06:53,950 [root] ERROR: Traceback (most recent call last):
  File "C:\qrdfraitj\analyzer.py", line 1332, in <module>
    success = analyzer.run()
  File "C:\qrdfraitj\analyzer.py", line 1151, in run
    "error: {1}".format(package_name, e))
CuckooError: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.

MalScore

0.0

Benign

Machine

Name target-02
Label target-02
Manager ESX
Started On 2019-11-08 20:06:51
Shutdown On 2019-11-08 20:07:09

File Details

File Name 6bda106f4cdcc5036350853cf3885f87
File Size 61440 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6bda106f4cdcc5036350853cf3885f87
SHA1 db26de99c15b6a1b011f36cab0375a5c05a6be12
SHA256 ac69266bb0636985022ac68af2167e306aeddfc0c33fde1b8bc3dff35db3bede
SHA512 bc8ba4d393ccfc5aa0b7d07ffb3a6e9a2ce32a46a3a01456cd6f079c5cffea4b6b30d45bb295f30e174de0a13e6af98a2b7de659567de9892ceaf9ffe4d7c58e
CRC32 C7F28DA1
Ssdeep 768:BgJh5l9VKmDhIJ1M3Tq1j0gfwpfUHabsMiNXIMbuEzGpBvPn:mJEm/pQa4bWMJipB3
TrID
  • 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 26.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 11.8% (.EXE) OS/2 Executable (generic) (2029/13)
  • 11.6% (.EXE) Generic Win/DOS Executable (2002/3)
  • 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

No signatures


Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

PE Information

Image Base 0x00400000
Entry Point 0x00405000
Reported Checksum 0x00000000
Actual Checksum 0x0001c008
Minimum OS Version 4.0
Compile Time 2017-04-29 06:04:16
Import Hash a49ad1d64126f3ac266ed2f5f4e22129

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000041aa 0x00005000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.88
.rdata 0x00006000 0x0000086e 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.94
.data 0x00007000 0x00048db8 0x00049000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.07
.rsrc 0x00050000 0x004685a8 0x00469000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 0.00

Overlay

Offset 0x00007000
Size 0x00008000

Imports

Library KERNEL32.dll:
0x406030 WaitForSingleObject
0x406034 GetTickCount
0x406038 ExitProcess
0x40603c WideCharToMultiByte
0x406040 MultiByteToWideChar
0x406044 TerminateThread
0x406048 GetLastError
0x40604c LoadLibraryA
0x406050 CopyFileA
0x406054 GetFileAttributesA
0x406058 CreateDirectoryA
0x40605c Sleep
0x406060 CreateProcessA
0x406064 MoveFileExA
0x406068 FindResourceA
0x40606c LoadResource
0x406070 LockResource
0x406074 SizeofResource
0x406078 CreateFileA
0x40607c WriteFile
0x406080 CloseHandle
0x406084 GetProcAddress
0x406088 GetModuleFileNameA
0x40608c GetModuleHandleA
0x406090 GetStartupInfoA
Library ADVAPI32.dll:
0x406000 ControlService
0x406004 StartServiceA
0x406008 DeleteService
0x40600c OpenSCManagerA
0x406010 OpenServiceA
0x406014 CloseServiceHandle
0x406024 SetServiceStatus
0x406028 CreateServiceA
Library WS2_32.dll:
0x40610c send
0x406110 recv
0x406114 WSAGetLastError
0x406118 ntohs
0x40611c inet_addr
0x406120 inet_ntoa
0x406124 htons
0x406128 closesocket
0x40612c ioctlsocket
0x406130 connect
0x406134 select
0x406138 WSAStartup
0x40613c socket
Library NETAPI32.dll:
0x406100 NetUserEnum
0x406104 NetApiBufferFree
Library MPR.dll:
0x40609c WNetAddConnection2A
Library MSVCRT.dll:
0x4060a4 _except_handler3
0x4060a8 __set_app_type
0x4060ac __p__fmode
0x4060b0 __p__commode
0x4060b4 _controlfp
0x4060b8 __setusermatherr
0x4060bc _initterm
0x4060c0 __getmainargs
0x4060c4 _acmdln
0x4060c8 exit
0x4060cc _XcptFilter
0x4060d0 _adjust_fdiv
0x4060d4 rand
0x4060d8 _endthreadex
0x4060dc strncpy
0x4060e0 sprintf
0x4060e4 _beginthreadex
0x4060e8 _exit
0x4060ec srand
0x4060f0 time
0x4060f4 __CxxFrameHandler
0x4060f8 printf

Strings

.text
`.rdata
@.data
.rsrc
T$$Qj
PQSSh
T$,h?
D$ Rj
GetModuleFileNameA
CloseHandle
WriteFile
CreateFileA
SizeofResource
LockResource
LoadResource
FindResourceA
MoveFileExA
CreateProcessA
Sleep
TerminateThread
WaitForSingleObject
GetTickCount
ExitProcess
WideCharToMultiByte
MultiByteToWideChar
GetProcAddress
GetLastError
LoadLibraryA
CopyFileA
GetFileAttributesA
CreateDirectoryA
KERNEL32.dll
SetServiceStatus
ChangeServiceConfig2A
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
CloseServiceHandle
OpenServiceA
OpenSCManagerA
DeleteService
StartServiceA
ControlService
CreateServiceA
ADVAPI32.dll
WS2_32.dll
NetApiBufferFree
NetUserEnum
NETAPI32.dll
WNetCancelConnection2A
WNetAddConnection2A
MPR.dll
_endthreadex
strncpy
sprintf
_beginthreadex
srand
__CxxFrameHandler
printf
MSVCRT.dll
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetStartupInfoA
.text
`.rdata
@.data
P(=3'
P(=3'
windows 2000 2195
windows 2000 5.0
This file is not on VirusTotal.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 0.38 seconds )

  • 0.115 TrID
  • 0.084 CAPE
  • 0.079 TargetInfo
  • 0.055 Static
  • 0.031 Deduplicate
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.003 Strings
  • 0.001 Debug

Signatures ( 0.047 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.004 browser_security
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name

Reporting ( 0.0 seconds )

Task ID 108503
Mongo ID 5dc5caef03bfea2d656a03d6
Cuckoo release 1.3-CAPE