Category FILE
Started On 2016-09-13 10:30:03.455580
Completed On 2016-09-13 10:30:42.859654
Duration 39 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2016-09-13 10:30:04
Shutdown On 2016-09-13 10:30:42

File Details

File name e81cfe70daff4be7a632a1725496e25488680eea.exe
File size 789907 bytes
File type PE32 executable for MS Windows (GUI) Intel 80386 32-bit
CRC32 C3E676EA
MD5 cc5e2cd7ad4de4e144ec9fdcc4f32f8b
SHA1 e81cfe70daff4be7a632a1725496e25488680eea
SHA256 579d965e7dd03d71794df4d311ea3edf34f8d4e4a7caa4dd9af79427e5af629d
SHA512 39e6352fca864af1f41472359c12acaff060108e8d16f010ce1ac44461703f179c2f7c92deb941b31f3392b0e4a66407f65f33669634c02fa9a13b7b545e87c9
Ssdeep 12288:C5Xj0Aa7VgJGY7eiVqrRuws4UOqEGZIw4ZoFsy7taEh98o0:Ida7VjCLYRFsrOkZIw157ta+k
PEiD None matched
Yara
  • Str_Win32_Wininet_Library (Match Windows Inet API library declaration)
  • Str_Win32_Internet_API (Match Windows Inet API call)
  • Str_Win32_Http_API (Match Windows Http API call)
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=6, VT[1473762651]=0): Snort Events=0, AV Events=0
Total Score=75

Dropped File/Buffer Yara Signatures:
aa49be6e6c86f4a4_e81cfe70daff4be7a632a1725496e25488680eea.exe: Str_Win32_Wininet_Library

Signatures

  • has_pdb
  • Long_Alphanum_Exe_Name
  • dropper
  • polymorphic
  • packer_polymorphic

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings

Dropped Files

8f7df6650d08ffde_mbahost.dll

b66b594c0cb4697b_setup_20160913121003_failed.txt

aa49be6e6c86f4a4_e81cfe70daff4be7a632a1725496e25488680eea.exe

Network Analysis

Hosts Involved

DNS Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\{206FD407-FB7A-4B45-BF44-4F04639C26EF}\.cr\e81cfe70daff4be7a632a1725496e25488680eea.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\e81cfe70daff4be7a632a1725496e25488680eea.exe
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\{8BFE9F73-7D25-4413-851F-C7B6C6FE8DF5}\.ba\mbahost.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\Setup_20160913121003_Failed.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\{206FD407-FB7A-4B45-BF44-4F04639C26EF}\.cr\e81cfe70daff4be7a632a1725496e25488680eea.exe
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Temp\{8BFE9F73-7D25-4413-851F-C7B6C6FE8DF5}\.ba\mbahost.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{206FD407-FB7A-4B45-BF44-4F04639C26EF}\.cr\e81cfe70daff4be7a632a1725496e25488680eea.exe
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\{206FD407-FB7A-4B45-BF44-4F04639C26EF}\.cr\e81cfe70daff4be7a632a1725496e25488680eea.exe
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\Harry Dresden\AppData\Local\Temp\e81cfe70daff4be7a632a1725496e25488680eea.exe
File-Moved
  • C:\Users\Harry Dresden\AppData\Local\Temp\{8BFE9F73-7D25-4413-851F-C7B6C6FE8DF5}\.ba\mbahost.dll -> C:\Users\Harry Dresden\AppData\Local\Temp\DEL9B66.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{8BFE9F73-7D25-4413-851F-C7B6C6FE8DF5}\.ba\mbahost.dll ->
  • C:\Users\Harry Dresden\AppData\Local\Temp\{8BFE9F73-7D25-4413-851F-C7B6C6FE8DF5}\.ba\mbahost.dll -> C:\Users\Harry Dresden\AppData\Local\Temp\DEL9B77.tmp
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{8BFE9F73-7D25-4413-851F-C7B6C6FE8DF5}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{8BFE9F73-7D25-4413-851F-C7B6C6FE8DF5}\.ba\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{206FD407-FB7A-4B45-BF44-4F04639C26EF}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{206FD407-FB7A-4B45-BF44-4F04639C26EF}\.cr
Directory-Removed
  • C:\Users\Harry Dresden\AppData\Local\Temp\{8BFE9F73-7D25-4413-851F-C7B6C6FE8DF5}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{8BFE9F73-7D25-4413-851F-C7B6C6FE8DF5}\.ba\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{206FD407-FB7A-4B45-BF44-4F04639C26EF}\
  • C:\Users\Harry Dresden\AppData\Local\Temp\{206FD407-FB7A-4B45-BF44-4F04639C26EF}\.cr\
Directory-Enumerated
  • C:\Users\Harry Dresden\AppData\Local\Temp\{8BFE9F73-7D25-4413-851F-C7B6C6FE8DF5}\.ba\*.*
  • C:\Users\Harry Dresden\AppData\Local\Temp\{8BFE9F73-7D25-4413-851F-C7B6C6FE8DF5}\*.*
  • C:\Users\Harry Dresden\AppData\Local\Temp\{206FD407-FB7A-4B45-BF44-4F04639C26EF}\.cr\*.*
  • C:\Users\Harry Dresden\AppData\Local\Temp\{206FD407-FB7A-4B45-BF44-4F04639C26EF}\*.*
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocServer32
  • HKEY_CURRENT_USER\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WiX\Burn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InprocHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument\CLSID
  • HKEY_CURRENT_USER\Msxml2.DOMDocument
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msxml2.DOMDocument\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled

Processes

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\e81cfe70daff4be7a632a1725496e25488680eea.exe" PID: 1864, Parent PID: 2404

"C:\Users\HARRYD~1\AppData\Local\Temp\{206FD407-FB7A-4B45-BF44-4F04639C26EF}\.cr\e81cfe70daff4be7a632a1725496e25488680eea.exe" -burn.clean.room="C:\Users\Harry Dresden\AppData\Local\Temp\e81cfe70daff4be7a632a1725496e25488680eea.exe" PID: 3480, Parent PID: 1864

Volatility

Nothing to display.