Analysis

Category  Package  Started              Completed            Duration
FILE      exe      2019-10-10 00:07:23  2019-10-10 00:08:41  78 seconds
  • Info: Analysis failed: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.
2019-10-10 01:07:31,015 [root] INFO: Date set to: 10-10-19, time set to: 00:07:31, timeout set to: 200
2019-10-10 01:07:31,155 [root] DEBUG: Starting analyzer from: C:\aqasmjpk
2019-10-10 01:07:31,155 [root] DEBUG: Storing results at: C:\ANPQtLEeDM
2019-10-10 01:07:31,155 [root] DEBUG: Pipe server name: \\.\PIPE\aIGCxWvgn
2019-10-10 01:07:31,155 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-10 01:07:31,155 [root] INFO: Automatically selected analysis package "exe"
2019-10-10 01:07:45,507 [root] DEBUG: Started auxiliary module Browser
2019-10-10 01:07:45,507 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 01:07:45,507 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 01:07:55,615 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-10-10 01:07:55,615 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 01:07:55,615 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 01:07:55,631 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 01:07:55,631 [root] DEBUG: Started auxiliary module Human
2019-10-10 01:07:55,631 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 01:07:55,631 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 01:07:55,648 [root] DEBUG: Started auxiliary module Usage
2019-10-10 01:07:55,648 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-10-10 01:07:55,648 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-10-10 01:07:55,819 [lib.api.process] ERROR: Failed to execute process from path "C:\Users\user\AppData\Local\Temp\tmpmmajo4d_.exe" with arguments "None" (Error: %1 is not a valid Win32 application (ERROR_BAD_EXE_FORMAT))
2019-10-10 01:07:55,819 [root] ERROR: Traceback (most recent call last):
  File "C:\aqasmjpk\analyzer.py", line 1328, in <module>
    success = analyzer.run()
  File "C:\aqasmjpk\analyzer.py", line 1149, in run
    "error: {1}".format(package_name, e))
CuckooError: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.

MalScore

1.0

Benign

Machine

Name       Label      Manager  Started On           Shutdown On
target-03  target-03  ESX      2019-10-10 00:07:24  2019-10-10 00:08:41

File Details

File Name tmpmmajo4d_
File Size 102296 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 beac846f6dfc0c6c6bfca0ef8cb4bd52
SHA1 f6add9216738baa2b97255a4db1722fc8bacbf9d
SHA256 e95df739247cd6391357e897b012fffed4f520e353b1e0d2e1cf58ea23bf1840
SHA512 b6065432996c44153e49d5f903c30db1fa31b62d47a24ee35f6fa120af3045088e0cece7825f0ecae481e3c3113dd1d4af80957ceee0cdc7923273d3a33849f9
CRC32 FDBA54F6
Ssdeep 3072:ED11hqJOUT2dfET84bmyopLW+Ukyq/ku3:4jhqEZda8EmyKF
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00010200, virtual_size: 0x00010150

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

PE Information

Image Base 0x00400000
Entry Point 0x00403945
Reported Checksum 0x00000000
Actual Checksum 0x0001c315
Minimum OS Version 5.1
Compile Time 2011-04-11 02:40:50
Import Hash b235711c958094502257545e92d1339e

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Characteristics                                                              Entropy
.text   0x00001000       0x000073f4    0x00007400        IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                  6.48
.rdata  0x00009000       0x00001190    0x00001200        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            6.23
.data   0x0000b000       0x00010150    0x00010200        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        7.98
.reloc  0x0001c000       0x00000398    0x00000400        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ  5.12

Imports

Library msvcrt.dll:
0x4090f4 printf
0x4090f8 strrchr
0x4090fc wcsrchr
0x409100 strchr
Library ntdll.dll:
0x409108 NtGetContextThread
0x409110 NtSetContextThread
0x409114 NtCreateSection
0x409118 ZwClose
0x409124 NtMapViewOfSection
Library ADVAPI32.dll:
0x409004 GetSidSubAuthority
0x409008 OpenProcessToken
0x40900c GetTokenInformation
Library KERNEL32.dll:
0x409014 lstrcatW
0x409018 lstrcmpiW
0x40901c VirtualAllocEx
0x409020 VirtualAlloc
0x409024 GetProcAddress
0x409028 lstrcmpiA
0x40902c GetCurrentProcessId
0x409030 GetVersion
0x409038 Process32NextW
0x40903c Process32FirstW
0x409040 OpenProcess
0x409044 VirtualFree
0x409048 GetModuleHandleW
0x40904c lstrcpyW
0x409050 CreateProcessW
0x409054 TerminateProcess
0x409058 GetModuleFileNameW
0x40905c ReadProcessMemory
0x409064 GetLastError
0x409068 CloseHandle
0x409070 GetFileSize
0x409074 SetFilePointer
0x409078 SetEndOfFile
0x40907c HeapAlloc
0x409080 HeapFree
0x409084 GetProcessHeap
0x409088 WriteFile
0x40908c Sleep
0x409090 ReadFile
0x409094 CreateFileW
0x409098 GetThreadContext
0x40909c WaitForSingleObject
0x4090a0 GetTickCount
0x4090a4 CreateRemoteThread
0x4090a8 GetCurrentProcess
0x4090ac VirtualProtectEx
0x4090b0 GetExitCodeThread
0x4090b4 GetModuleHandleA
0x4090b8 WriteProcessMemory
0x4090bc SuspendThread
0x4090c0 ResumeThread
0x4090c4 SwitchToThread
0x4090c8 lstrlenW
0x4090cc lstrcmpA
0x4090d0 SetLastError
Library USER32.dll:
0x4090e4 GetForegroundWindow
0x4090e8 wsprintfW
0x4090ec wsprintfA
Library SHELL32.dll:
0x4090d8 ShellExecuteW
0x4090dc ShellExecuteExW
Library ole32.dll:
0x40912c CoInitializeEx
0x409130 CoUninitialize

Strings

.text
`.rdata
@.data
.reloc
t&h0u
GetProcAddress
GetModuleFileNameA
NTDLL
SHELL32
GDI32
SetBitmapBits
GetBitmapBits
DeleteObject
CreateBitmap
AddFontMemResourceEx
RemoveFontMemResourceEx
GetCurrentProcess
GetVersionExA
GetModuleHandleA
LocalAlloc
LocalFree
GetWindowsDirectoryA
DuplicateHandle
WaitForSingleObject
GetProcessHeap
HeapAlloc
HeapFree
VerSetConditionMask
VerifyVersionInfoA
GetCurrentProcessId
Sleep
WS2_32
htonl
htons
KERNEL32
NtQuerySystemInformation
\SystemRoot\system32\CI.dll
\sysnative
\sysnative\CI.dll
RtlGetCurrentPeb
NamedEscape
csrss.exe
LdrLoadDll
NTDLL.DLL
kernelbase
CreateRemoteThread
LdrGetProcedureAddress
ZwProtectVirtualMemory
ZwWow64QueryInformationProcess64
KERNEL32.DLL
IsWow64Process
Wow64EnableWow64FsRedirection
LoadLibraryA
ZwWow64ReadVirtualMemory64
ZwGetContextThread
ZwSetContextThread
ZwMapViewOfSection
ZwUnmapViewOfSection
LoadLibraryW
FreeLibrary
GetNativeSystemInfo
strchr
wcsrchr
strrchr
printf
msvcrt.dll
NtMapViewOfSection
NtUnmapViewOfSection
RtlNtStatusToDosError
ZwClose
NtCreateSection
NtSetContextThread
ZwQueryInformationProcess
NtGetContextThread
ntdll.dll
OpenProcessToken
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
ADVAPI32.dll
GetEnvironmentVariableW
GetLastError
CloseHandle
ExpandEnvironmentStringsW
GetFileSize
SetFilePointer
SetEndOfFile
HeapAlloc
HeapFree
GetProcessHeap
WriteFile
Sleep
ReadFile
CreateFileW
GetThreadContext
WaitForSingleObject
GetTickCount
CreateRemoteThread
ReadProcessMemory
VirtualProtectEx
GetExitCodeThread
GetModuleHandleA
WriteProcessMemory
SuspendThread
ResumeThread
SwitchToThread
lstrlenW
lstrcmpA
GetCurrentProcess
GetModuleHandleW
VirtualFree
OpenProcess
GetModuleFileNameW
lstrcmpiA
GetProcAddress
VirtualAlloc
VirtualAllocEx
lstrcmpiW
lstrcatW
GetCurrentProcessId
lstrcpyW
CreateProcessW
TerminateProcess
SetLastError
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
GetVersion
KERNEL32.dll
GetForegroundWindow
wsprintfW
wsprintfA
USER32.dll
ShellExecuteExW
ShellExecuteW
SHELL32.dll
CoUninitialize
CoInitializeEx
ole32.dll
prodeputratos.com
mandaristaran.com
regressonpart.com
marbellinaste.com
crdabalestron.com
monettelestre.com
perderallinos.com
grostorestron.com
lamastrastras.com
perestalloman.com
explorer.exe
4A4F4
kernel32.dll
eatmfd.dll
windir
%s\system32\cmd.exe
/c "start %s"
runas
y%lu.bat
C:\Windows
\SysWOW64
\explorer.exe
explorer.exe
This file is not on VirusTotal.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 0.386 seconds )

  • 0.098 CAPE
  • 0.094 TrID
  • 0.088 TargetInfo
  • 0.084 Static
  • 0.008 AnalysisInfo
  • 0.007 NetworkAnalysis
  • 0.006 Strings
  • 0.001 Debug

Signatures ( 0.046 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.004 infostealer_ftp
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 ransomware_extensions
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail

Reporting ( 0.0 seconds )

Task ID 94390
Mongo ID 5d9e768dc3c009112d67b3dd
Cuckoo release 1.3-CAPE