Category: FILE
Started On: 2016-09-13 12:05:03.336980
Completed On: 2016-09-13 12:05:57.496745
Duration: 54 seconds
Cuckoo Version: 2.0-dev

Machine Label: win7cuckoo
Manager: win7 Clone 1 (VirtualBox)
Started On: 2016-09-13 12:05:04
Shutdown On: 2016-09-13 12:05:57

File Details

File name 1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe
File size 882889 bytes
File type PE32 executable for MS Windows (GUI) Intel 80386 32-bit
CRC32 E23C0637
MD5 6c4f97f0f2a9982657fcf8edaee37f8c
SHA1 1b35b55bc0cb9ec970e2cfddfcfb54cd66713677
SHA256 e01821082d855f27f194381a369f840ffa4ad8a8d412e0cd625c22252a108541
SHA512 0eb194c195c7b33f354fc0e4671065294032b56487f8d0fb829f515744ecd7db607b80969eb0089de0683ef9a50fd3519a21dcf421d5798544281afcb619552b
Ssdeep 12288:C5Xj0Aa7VgJGY7eiVqrRuws4UOqEGZIw4ZoFsy7taEh98ots9KMG/4Pme:Ida7VjCLYRFsrOkZIw157ta+YBPL
PEiD None matched
Yara
  • Str_Win32_Wininet_Library (Match Windows Inet API library declaration)
  • Str_Win32_Internet_API (Match Windows Inet API call)
  • Str_Win32_Http_API (Match Windows Http API call)
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=6, VT[1473768369]=0): Snort Events=0, AV Events=0
Total Score=75

Dropped File/Buffer Yara Signatures:
c2476eb29bd74117_1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe: Str_Win32_Wininet_Library

Signatures

  • has_pdb
  • Long_Alphanum_Exe_Name
  • dropper
  • polymorphic
  • packer_polymorphic

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings

Dropped Files

9daa53e100fd923f_mbapreq.dll

9d369f742e8cec17_setup_20160913064510_failed.txt

e5b064589d741bdb_BootstrapperCore.dll

6adc2a6b25dea736_mbahost.dll

c2476eb29bd74117_1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe

Network Analysis

Hosts Involved

DNS Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\{DC5DD235-D595-4B0D-B9B4-FA4735DDC7EF}\.cr\1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\Setup_20160913064510_Failed.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\mbapreq.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\BootstrapperCore.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\mbahost.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{DC5DD235-D595-4B0D-B9B4-FA4735DDC7EF}\.cr\1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\mbapreq.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\BootstrapperCore.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\mbahost.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{DC5DD235-D595-4B0D-B9B4-FA4735DDC7EF}\.cr\1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe
File-Opened
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\Harry Dresden\AppData\Local\Temp\{DC5DD235-D595-4B0D-B9B4-FA4735DDC7EF}\.cr\1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe
File-Moved
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\mbapreq.dll ->
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\mbapreq.dll -> C:\Users\Harry Dresden\AppData\Local\Temp\DELC3FE.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\mbapreq.dll -> C:\Users\Harry Dresden\AppData\Local\Temp\DELC3FD.tmp
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{DC5DD235-D595-4B0D-B9B4-FA4735DDC7EF}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{DC5DD235-D595-4B0D-B9B4-FA4735DDC7EF}\.cr
Directory-Removed
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{DC5DD235-D595-4B0D-B9B4-FA4735DDC7EF}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{DC5DD235-D595-4B0D-B9B4-FA4735DDC7EF}\.cr\
Directory-Enumerated
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\*.*
  • C:\Users\Harry Dresden\AppData\Local\Temp\{45533D05-5744-464B-A5A7-560203B3D886}\.ba\*.*
  • C:\Users\Harry Dresden\AppData\Local\Temp\{DC5DD235-D595-4B0D-B9B4-FA4735DDC7EF}\.cr\*.*
  • C:\Users\Harry Dresden\AppData\Local\Temp\{DC5DD235-D595-4B0D-B9B4-FA4735DDC7EF}\*.*
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocServer32
  • HKEY_CURRENT_USER\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WiX\Burn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument\CLSID
  • HKEY_CURRENT_USER\Msxml2.DOMDocument
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled

Processes

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe" PID: 3656, Parent PID: 3948

"C:\Users\HARRYD~1\AppData\Local\Temp\{DC5DD235-D595-4B0D-B9B4-FA4735DDC7EF}\.cr\1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe" -burn.clean.room="C:\Users\Harry Dresden\AppData\Local\Temp\1b35b55bc0cb9ec970e2cfddfcfb54cd66713677.exe" PID: 4336, Parent PID: 3656

Volatility

Nothing to display.