Category FILE
Started On 2016-09-13 13:35:04.124183
Completed On 2016-09-13 13:35:45.612423
Duration 41 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2016-09-13 13:35:04
Shutdown On 2016-09-13 13:35:43

File Details

File name ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe
File size 803908 bytes
File type PE32 executable for MS Windows (GUI) Intel 80386 32-bit
CRC32 1372A50C
MD5 cf1966397b476ff520f8e2d63a2caad7
SHA1 ae8bd056800b0e04a4dfeffdc4f0408a3a028d64
SHA256 0e31e6409d5f5d0137316565b4840a3b5b38e9d3f8c2420ad0fc3ebeb116e353
SHA512 2a5083d309ffad79e47dfce21bc9b34e46a1d103c31628607ece1a365fff0bbd78d032b510ba348ff9083a52d7b96e15500116048095af842ce75047a3756e48
Ssdeep 12288:C5Xj0Aa7VgJGY7eiVqrRuws4UOqEGZIw4ZoFsy7taEh98otD:Ida7VjCLYRFsrOkZIw157ta+1
PEiD None matched
Yara
  • Str_Win32_Wininet_Library (Match Windows Inet API library declaration)
  • Str_Win32_Internet_API (Match Windows Inet API call)
  • Str_Win32_Http_API (Match Windows Http API call)
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=6, VT[1473773753]=0): Snort Events=0, AV Events=0
Total Score=75

Dropped File/Buffer Yara Signatures:
db74be7eece50490_ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe: Str_Win32_Wininet_Library

Signatures

  • has_pdb
  • dropper
  • polymorphic
  • packer_polymorphic

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings

Dropped Files

c06303b34bc4ced6_setup_20160913093504_failed.txt

db74be7eece50490_ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe

8e4a51d89478fd84_mbahost.dll

Network Analysis

Hosts Involved

DNS Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\{535DCA83-3A30-468B-B574-7836F4B92449}\.cr\ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\{535DCA83-3A30-468B-B574-7836F4B92449}\.cr\ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\Setup_20160913093504_Failed.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\{13501969-6B74-40D1-B4AE-1E745BA6953E}\.ba\mbahost.dll
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Temp\{535DCA83-3A30-468B-B574-7836F4B92449}\.cr\ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\{13501969-6B74-40D1-B4AE-1E745BA6953E}\.ba\mbahost.dll
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\Harry Dresden\AppData\Local\Temp\{535DCA83-3A30-468B-B574-7836F4B92449}\.cr\ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe
  • C:\Windows\Globalization\Sorting\sortdefault.nls
File-Moved
  • C:\Users\Harry Dresden\AppData\Local\Temp\{13501969-6B74-40D1-B4AE-1E745BA6953E}\.ba\mbahost.dll -> C:\Users\Harry Dresden\AppData\Local\Temp\DEL9B58.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{13501969-6B74-40D1-B4AE-1E745BA6953E}\.ba\mbahost.dll -> C:\Users\Harry Dresden\AppData\Local\Temp\DEL9B57.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{13501969-6B74-40D1-B4AE-1E745BA6953E}\.ba\mbahost.dll ->
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Temp\{535DCA83-3A30-468B-B574-7836F4B92449}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{535DCA83-3A30-468B-B574-7836F4B92449}\.cr
  • C:\Users\Harry Dresden\AppData\Local\Temp\{13501969-6B74-40D1-B4AE-1E745BA6953E}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{13501969-6B74-40D1-B4AE-1E745BA6953E}\.ba\
Directory-Removed
  • C:\Users\Harry Dresden\AppData\Local\Temp\{535DCA83-3A30-468B-B574-7836F4B92449}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{535DCA83-3A30-468B-B574-7836F4B92449}\.cr\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{13501969-6B74-40D1-B4AE-1E745BA6953E}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{13501969-6B74-40D1-B4AE-1E745BA6953E}\.ba\
Directory-Enumerated
  • C:\Users\Harry Dresden\AppData\Local\Temp\{535DCA83-3A30-468B-B574-7836F4B92449}\.cr\*.*
  • C:\Users\Harry Dresden\AppData\Local\Temp\{535DCA83-3A30-468B-B574-7836F4B92449}\*.*
  • C:\Users\Harry Dresden\AppData\Local\Temp\{13501969-6B74-40D1-B4AE-1E745BA6953E}\.ba\*.*
  • C:\Users\Harry Dresden\AppData\Local\Temp\{13501969-6B74-40D1-B4AE-1E745BA6953E}\*.*
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocServer32
  • HKEY_CURRENT_USER\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WiX\Burn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument\CLSID
  • HKEY_CURRENT_USER\Msxml2.DOMDocument
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocServer32
  • HKEY_CURRENT_USER\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WiX\Burn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument\CLSID
  • HKEY_CURRENT_USER\Msxml2.DOMDocument
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled

Processes

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe" PID: 3904, Parent PID: 2696

"C:\Users\HARRYD~1\AppData\Local\Temp\{535DCA83-3A30-468B-B574-7836F4B92449}\.cr\ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe" -burn.clean.room="C:\Users\Harry Dresden\AppData\Local\Temp\ae8bd056800b0e04a4dfeffdc4f0408a3a028d64.exe" PID: 3996, Parent PID: 3904

Volatility

Nothing to display.