File da3c012b024ab93ee61d4e54cbb0b41665eec0f69841f2dfc8158baa7cd027c9

Size 7.5MB
Type PE32+ executable (console) x86-64, for MS Windows
MD5 31c7ead9df030c82b109d6fa9555e71b
SHA1 cc6e78c414c540f4ea7ba7c9f47da578260ea7ec
SHA256 da3c012b024ab93ee61d4e54cbb0b41665eec0f69841f2dfc8158baa7cd027c9
SHA512 dbd83a2992cf0ed0fea6b77582e9a702d54c6ac42df560ee1a471be67f1e1fb764c9177b6c31fad5c83d9c21a3832fa2fd602851140367a0907792f65fd22942
CRC32 FAE2F52E
ssdeep None
Yara
  • Maldoc_CVE_2017_11882 - Detects maldoc With exploit for CVE_2017_11882
  • APT32_KerrDown - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_tcp_listen - Listen for incoming communication
  • network_http - Communications over HTTP
  • network_dropper - File downloader/dropper

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still under development and should be considered an alpha feature.

Information on Execution

Analysis
Category: FILE
Started: Aug. 28, 2025, 5:02 p.m.
Completed: Aug. 28, 2025, 5:02 p.m.
Duration: 32 seconds
Routing: internet

Analyzer Log

2025-08-26 16:59:43,000 [analyzer] DEBUG: Starting analyzer from: C:\tmp4nivwu
2025-08-26 16:59:43,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\zmygjzWaqGsxIipDVgxxHwIrUYGSIav
2025-08-26 16:59:43,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\tlBdsVemmEOaLTOVwqZk
2025-08-26 16:59:43,233 [analyzer] DEBUG: Started auxiliary module Curtain
2025-08-26 16:59:43,233 [analyzer] DEBUG: Started auxiliary module DbgView
2025-08-26 16:59:43,655 [analyzer] DEBUG: Started auxiliary module Disguise
2025-08-26 16:59:43,858 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-08-26 16:59:43,858 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-08-26 16:59:43,858 [analyzer] DEBUG: Started auxiliary module Human
2025-08-26 16:59:43,858 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-08-26 16:59:43,858 [analyzer] DEBUG: Started auxiliary module Reboot
2025-08-26 16:59:43,921 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-08-26 16:59:43,921 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-08-26 16:59:43,921 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-08-26 16:59:43,921 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-08-26 16:59:44,046 [lib.api.process] ERROR: Failed to execute process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\da3c012b024ab93ee61d4e54cbb0b41665eec0f69841f2dfc8158baa7cd027c9.exe' with arguments ['bin\\inject-x64.exe', '--app', u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\da3c012b024ab93ee61d4e54cbb0b41665eec0f69841f2dfc8158baa7cd027c9.exe', '--only-start', '--curdir', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp'] (Error: Command '['bin\\inject-x64.exe', '--app', u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\da3c012b024ab93ee61d4e54cbb0b41665eec0f69841f2dfc8158baa7cd027c9.exe', '--only-start', '--curdir', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp']' returned non-zero exit status 1)

Cuckoo Log

2025-08-28 17:02:24,865 [cuckoo.core.scheduler] INFO: Task #6920139: acquired machine win7x6424 (label=win7x6424)
2025-08-28 17:02:24,866 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.224 for task #6920139
2025-08-28 17:02:25,120 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2716559 (interface=vboxnet0, host=192.168.168.224)
2025-08-28 17:02:28,647 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6424
2025-08-28 17:02:29,247 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6424 to vmcloak
2025-08-28 17:02:38,596 [cuckoo.core.guest] INFO: Starting analysis #6920139 on guest (id=win7x6424, ip=192.168.168.224)
2025-08-28 17:02:39,608 [cuckoo.core.guest] DEBUG: win7x6424: not ready yet
2025-08-28 17:02:44,764 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6424, ip=192.168.168.224)
2025-08-28 17:02:44,884 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6424, ip=192.168.168.224, monitor=latest, size=6660546)
2025-08-28 17:02:46,406 [cuckoo.core.resultserver] DEBUG: Task #6920139: live log analysis.log initialized.
2025-08-28 17:02:47,232 [cuckoo.core.resultserver] DEBUG: Task #6920139 is sending a BSON stream
2025-08-28 17:02:48,479 [cuckoo.core.resultserver] DEBUG: Task #6920139: File upload for 'shots/0001.jpg'
2025-08-28 17:02:48,503 [cuckoo.core.resultserver] DEBUG: Task #6920139 uploaded file length: 133482
2025-08-28 17:02:49,022 [cuckoo.core.guest] WARNING: win7x6424: analysis #6920139 caught an exception
Traceback (most recent call last):
  File "C:/tmp4nivwu/analyzer.py", line 824, in <module>
    success = analyzer.run()
  File "C:/tmp4nivwu/analyzer.py", line 673, in run
    pids = self.package.start(self.target)
  File "C:\tmp4nivwu\modules\packages\exe.py", line 34, in start
    return self.execute(path, args=shlex.split(args))
  File "C:\tmp4nivwu\lib\common\abstracts.py", line 205, in execute
    "Unable to execute the initial process, analysis aborted."
CuckooPackageError: Unable to execute the initial process, analysis aborted.

2025-08-28 17:02:49,047 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-08-28 17:02:49,079 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-08-28 17:02:49,870 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6424 to path /srv/cuckoo/cwd/storage/analyses/6920139/memory.dmp
2025-08-28 17:02:49,875 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6424
2025-08-28 17:02:57,054 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.224 for task #6920139
2025-08-28 17:02:57,055 [cuckoo.core.resultserver] DEBUG: Cancel <Context for LOG> for task 6920139
2025-08-28 17:02:57,422 [cuckoo.core.scheduler] DEBUG: Released database task #6920139
2025-08-28 17:02:57,440 [cuckoo.core.scheduler] INFO: Task #6920139: analysis procedure completed

Signatures

Yara rules detected for file (10 events)
  • Maldoc_CVE_2017_11882 - Detects maldoc With exploit for CVE_2017_11882
  • APT32_KerrDown - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_tcp_listen - Listen for incoming communication
  • network_http - Communications over HTTP
  • network_dropper - File downloader/dropper
File has been identified by 3 AntiVirus engines on IRMA as malicious (3 events)
  • Avast Core Security (Linux): Win64:Malware-gen
  • C4S ClamAV (Linux): Win.Virus.Zard-10028390-0
  • ClamAV (Linux): Win.Virus.Zard-10028390-0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)
  • Bkav: W64.AIDetectMalware
  • Lionic: Virus.Win32.Generic.n!c
  • Cynet: Malicious (score: 100)
  • CAT-QuickHeal: Trojan.Ghanarava.175617880555e71b
  • Skyhigh: BehavesLike.Win64.Suspicious.wh
  • Cylance: Unsafe
  • Sangfor: Suspicious.Win32.Save.pkr
  • CrowdStrike: win/malicious_confidence_60% (W)
  • K7GW: Riskware ( 00584baa1 )
  • K7AntiVirus: Riskware ( 00584baa1 )
  • Symantec: Trojan.Gen.MBT
  • Elastic: malicious (high confidence)
  • APEX: Malicious
  • Avast: Win32:MalwareX-gen [Trj]
  • ClamAV: Win.Virus.Zard-10028390-0
  • Alibaba: Trojan:Win64/Genric.25c373c8
  • Rising: Trojan.Crypt!8.2E3 (CLOUD)
  • McAfeeD: ti!DA3C012B024A
  • CTX: exe.trojan.generic
  • Sophos: Generic ML PUA (PUA)
  • SentinelOne: Static AI - Malicious PE
  • Jiangmin: Grayware.Tampering.a
  • Google: Detected
  • Antiy-AVL: GrayWare/Win32.Tampering
  • Kingsoft: Win32.Troj.crypt.s
  • Gridinsoft: Ransom.Win64.Sabsik.oa!s1
  • Microsoft: Trojan:Win32/Wacatac.B!ml
  • GData: Win64.Trojan.Agent.26J12Q
  • Varist: W64/Agent.EGV.gen!Eldorado
  • DeepInstinct: MALICIOUS
  • Malwarebytes: Generic.Malware.AI.DDS
  • Ikarus: Virus.Win32.Sality
  • TrellixENS: Artemis!31C7EAD9DF03
  • huorong: HEUR:Trojan/Crypt.s
  • Fortinet: W32/Agent.C647!tr
  • AVG: Win32:MalwareX-gen [Trj]
  • Paloalto: generic.ml

Screenshots

Domains (Name, Response, Post-Analysis Lookup)
No hosts contacted.

Hosts (IP Address, Status, Action, VT, Location)
No hosts contacted.