Category FILE
Started On 2016-09-13 00:35:05.955672
Completed On 2016-09-13 00:35:48.915159
Duration 42 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2016-09-13 00:35:06
Shutdown On 2016-09-13 00:35:46

File Details

File name 37c2010e41cf20b90187bd4d4cc0efe751adf439.zip
File size 386547 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 5DC3B828
MD5 f0616fe4c0f651da95e2ee4b629b9930
SHA1 37c2010e41cf20b90187bd4d4cc0efe751adf439
SHA256 43868518544e4e4742a704f658ddcdc355d8423b3c1b22a7cdfaa7907c8bbe55
SHA512 566f593f67894c8f332b72534c60a2fcf3563775240e7c55b7f7f1a9ae2e6185baa28d449324fb38ffa4d81a729e9e714acfc1788e76494b6cc36b82a4afe16a
Ssdeep 6144:6dBAcwSjV2EOgxuYzIxpKvfb7SYrSXQ4oDHLnn661ubwWKqq+ZLJBbw86un/RS68:6XAcwSjNbceTmSSXforbn661ubwW8S5E
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1473726955]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

Long_Alphanum_Exe_Name
dropper

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

49512ef297d1394c_tk21r334ydsnv6ese.exe

07d56940e312b99a_pi6nha2nxdw

shirley.exe

Network Analysis

Hosts Involved

DNS Requests

Behavior Summary

File-Read
  • c:\Users\harry dresden\AppData\Local\Temp\shirley.exe
File-Written
  • C:\oaxpubblgzws\pi6nha2nxdw
  • C:\oaxpubblgzws\tk21r334ydsnv6ese.exe
  • C:\Windows\oaxpubblgzws\pi6nha2nxdw
File-Deleted
  • C:\oaxpubblgzws\tk21r334ydsnv6ese.exe
  • C:\Windows\oaxpubblgzws\pi6nha2nxdw
File-Opened
  • c:\Users\harry dresden\AppData\Local\Temp\shirley.exe
Directory-Created
  • C:\oaxpubblgzws\
  • C:\Windows\oaxpubblgzws\
Directory-Removed
  • C:\Windows\
Directory-Enumerated
  • C:\oaxpubblgzws\tk2*
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ntdll.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\kernel32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\Windows\LoadAppInit_DLLs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\KERNELBASE.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ntdll.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\kernel32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\Windows\LoadAppInit_DLLs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\KERNELBASE.dll

Processes


C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\shirley.exe" PID: 3156, Parent PID: 4808

"C:\oaxpubblgzws\tk21r334ydsnv6ese.exe" PID: 3232, Parent PID: 3156
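The two signatures that account for the score (Long_Alphanum_Exe_Name and dropper) can be reproduced from the Behavior Summary and process tree above. The following is an added example, not Cuckoo's or MetaFlows' signature code: the event lists are transcribed from this report's file-system and process entries into a constructed layout (the real Cuckoo JSON schema is not used), the 12-character length cut-off is an assumption since the report does not state the signature's threshold, and because the summary does not attribute writes to a PID the dropper is inferred from the parent of the process that executed the written file.

```python
"""Heuristics over a Cuckoo-style behavior summary (added example).

The sample events below are transcribed from the report (file paths, process
command lines, PIDs); the event layout is constructed and is not Cuckoo's
JSON schema. The checks mirror what the report's Long_Alphanum_Exe_Name and
dropper signatures flag; they are not Cuckoo's own signature code.
"""
import re
from typing import Dict, List, Optional, Tuple

# --- constructed input, values taken from the report's Behavior Summary ---
FILE_WRITTEN = [
    r"C:\oaxpubblgzws\pi6nha2nxdw",
    r"C:\oaxpubblgzws\tk21r334ydsnv6ese.exe",
    r"C:\Windows\oaxpubblgzws\pi6nha2nxdw",
]
FILE_DELETED = [
    r"C:\oaxpubblgzws\tk21r334ydsnv6ese.exe",
    r"C:\Windows\oaxpubblgzws\pi6nha2nxdw",
]
# (command line, pid, parent pid) from the report's process tree
PROCESSES: List[Tuple[str, int, int]] = [
    (r"C:\Windows\system32\lsass.exe", 456, 352),
    (r'"C:\Users\Harry Dresden\AppData\Local\Temp\shirley.exe"', 3156, 4808),
    (r'"C:\oaxpubblgzws\tk21r334ydsnv6ese.exe"', 3232, 3156),
]

# Basename that is a single run of letters/digits (no dots, dashes, spaces)
# ending in .exe. The length threshold below is an assumption; the report does
# not state the signature's cut-off.
_LONG_ALNUM_EXE = re.compile(r"[\\/]([A-Za-z0-9]+)\.exe$")


def _norm(path: str) -> str:
    """Strip surrounding quotes and lower-case so command lines compare to paths."""
    return path.strip().strip('"').lower()


def long_alphanum_exe_names(paths: List[str], min_len: int = 12) -> List[str]:
    """Return basenames such as tk21r334ydsnv6ese.exe; short names like
    shirley.exe and extension-less files like pi6nha2nxdw are not flagged."""
    hits = []
    for p in paths:
        m = _LONG_ALNUM_EXE.search(p)
        if m and len(m.group(1)) >= min_len:
            hits.append(m.group(0).lstrip("\\/"))
    return hits


def dropper_chains(written: List[str],
                   processes: List[Tuple[str, int, int]],
                   deleted: List[str]) -> List[Dict[str, Optional[object]]]:
    """File written -> process started from that exact path -> file deleted.

    The dropper is inferred as the parent of the process whose image path was
    one of the written files (assumption: the summary gives no per-PID writes).
    """
    written_set = {_norm(p) for p in written}
    deleted_set = {_norm(p) for p in deleted}
    by_pid = {pid: cmd for cmd, pid, _ in processes}
    chains = []
    for cmd, pid, ppid in processes:
        image = _norm(cmd)
        if image not in written_set:
            continue
        parent = by_pid.get(ppid)
        chains.append({
            "dropped": image,
            "child_pid": pid,
            "dropper_pid": ppid,
            "dropper_image": _norm(parent) if parent else None,
            "deleted_after_run": image in deleted_set,
        })
    return chains


if __name__ == "__main__":
    print("long alnum exe names:", long_alphanum_exe_names(FILE_WRITTEN))
    for c in dropper_chains(FILE_WRITTEN, PROCESSES, FILE_DELETED):
        print("dropper chain:", c)
```

Run against the report's own events this flags tk21r334ydsnv6ese.exe as the long alphanumeric name and links it back to shirley.exe (PID 3156) as the dropper, with the dropped binary deleted after it ran; on a real Cuckoo report the same logic would read the per-process file and process events instead of these transcribed lists.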

Volatility

Nothing to display.