Malicious

How This Was Determined

Malicious Indicators

• CAPE signature: stealth_timeout - Possible date expiration check, exits too soon after checking local time (severity 1, confidence 40%)

Possible IOC / Review Indicators

• CAPE malscore is elevated: 2.2.
• YARA: INDICATOR_EXE_Packed_SmartAssembly - Detects executables packed with SmartAssembly
• CAPE signature: stealth_network - Network activity detected but not expressed in monitor API logs (severity 1, confidence 100%)
• CAPE signature: antivm_checks_available_memory - Checks available memory (severity 1, confidence 100%)
• CAPE signature: language_check_registry - Checks system language via registry key (possible geofencing) (severity 1, confidence 100%)
• CAPE signature: registers_vectored_exception_handler - Registers a vectored exception handler (VEH), possibly to hijack execution flow (severity 2, confidence 80%)
• CAPE signature: contains_pe_overlay - The PE file contains an overlay (severity 2, confidence 100%)
• CAPE signature: binary_yara - Binary file triggered YARA rule (severity 3, confidence 80%)
• CAPE signature: pe_deep_entrypoint - The PE entry point is located unusually far into section, indicative of an appended packer stub that jumps to the original entry point (OEP) (severity 3, confidence 100%)
• CAPE recorded network activity (27 network item(s)).
• CAPE extracted 2 payload-like item(s).

Lower-Risk Facts

• CAPE malstatus is Clean.
• No CAPE YARA hits were recorded.
• No ClamAV detection was recorded.

Important Notes

• VirusTotal was unavailable in CAPE: Unable to complete connection to VirusTotal. Status code: 429

VirusTotal

Stored CAPE result: Unable to complete connection to VirusTotal. Status code: 429

Manual lookup: Open SHA256 in VirusTotal

File Details

File name	DocRecord_Desktop.exe
File type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size	385056
MD5	271a8499e58fd6d75de606af4733a3a7
SHA1	478d12feb5ecc499d1ddd9ca3b726b59d3650084
SHA256	88866b914181c798be6908e5e48e69a8b86a92bcf33e34d736ab5e5bb2b4191e
VirusTotal lookup	Open SHA256 in VirusTotal

Sandbox Run Details

Task ID	23
Started	2026-06-17 19:49:19
Ended	2026-06-17 19:50:44
Duration	85 seconds
Package	exe
Route	internet
Machine	cuckoo1
CAPE score	2.2
CAPE status	Clean

YARA / AV Indicators

Source	Rule / Detection	Description / Evidence
YARA	INDICATOR_EXE_Packed_SmartAssembly	Detects executables packed with SmartAssembly
No CAPE YARA hits recorded.
No ClamAV hits recorded.

CAPE Signatures

Severity	Confidence	Signature	Description
3	80%	binary_yara	Binary file triggered YARA rule
3	100%	pe_deep_entrypoint	The PE entry point is located unusually far into section, indicative of an appended packer stub that jumps to the original entry point (OEP)
2	80%	registers_vectored_exception_handler	Registers a vectored exception handler (VEH), possibly to hijack execution flow
2	100%	contains_pe_overlay	The PE file contains an overlay
2	50%	injection_rwx	Creates RWX memory
1	100%	stealth_network	Network activity detected but not expressed in monitor API logs
1	100%	antivm_checks_available_memory	Checks available memory
1	40%	antidebug_setunhandledexceptionfilter	SetUnhandledExceptionFilter detected (possible anti-debug)
1	40%	stealth_timeout	Possible date expiration check, exits too soon after checking local time
1	100%	language_check_registry	Checks system language via registry key (possible geofencing)

Behavior Summary

Executed commands / child processes	0
File writes	0
File deletes	0
Registry writes	0
Created services	0
Started services	0
CAPE payload-like items	2
CAPE extracted configs	0
Dropped/related files captured	0
Network indicators	27

Executed Commands / Child Processes

None recorded.

File Writes

None recorded.

Registry Writes

None recorded.

Created Services

None recorded.

Started Services

None recorded.

CAPE Extracted Items

Payload-like Items

/opt/CAPEv2/storage/analyses/23/CAPE/910b8907c800d66f31c52485c45d9bf7caf11b3d3f67cdf7f149211ec0c2a398

/opt/CAPEv2/storage/analyses/23/CAPE/ef8aa40fb1449f0889516baf8f325f591a5f472b2344087684525fe6ab2e95d6

Extracted Configs

None recorded.

Network Activity

Network activity was recorded.

{'ip': '20.184.175.8', 'country_name': 'unknown', 'asn': '', 'asn_name': '', 'hostname': '', 'inaddrarpa': '', 'ports': [443]}

{'ip': '184.31.114.99', 'country_name': 'unknown', 'asn': '', 'asn_name': '', 'hostname': '', 'inaddrarpa': '', 'ports': [80]}

{'ip': '23.50.37.248', 'country_name': 'unknown', 'asn': '', 'asn_name': '', 'hostname': '', 'inaddrarpa': '', 'ports': [443]}

{'ip': '23.65.16.228', 'country_name': 'unknown', 'asn': '', 'asn_name': '', 'hostname': '', 'inaddrarpa': '', 'ports': [443]}

{'ip': '23.15.3.76', 'country_name': 'unknown', 'asn': '', 'asn_name': '', 'hostname': '', 'inaddrarpa': '', 'ports': [443]}

{'domain': 'edge-consumer-static.azureedge.net', 'ip': '150.171.110.209'}

edge-consumer-static.azureedge.net

40.126.29.14

150.171.28.11

204.79.197.203

Generated 2026-06-17T19:51:01 from /opt/CAPEv2/storage/analyses/23/reports/report.json