Category: FILE
Started On: 2017-01-07 13:05:05.357067
Completed On: 2017-01-07 13:07:11.760461
Duration: 126 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo
Label: win7 Clone 1
Manager: VirtualBox
Started On: 2017-01-07 13:05:05
Shutdown On: 2017-01-07 13:07:11

File Details

File name 7cdbacd6fcc3eddf4432b7cc407664c62646db38.zip
File size 130267 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 2621B505
MD5 6aafcccf57d9254a7b28a08e409986bb
SHA1 7cdbacd6fcc3eddf4432b7cc407664c62646db38
SHA256 a10a3ac5b18bb6757834ebb04b5b7585c7fd3f935a1e5fde8fefe50afc49d52b
SHA512 98b79ab1c3bf20b23a37f9f3423dc8c00f1bc152f77db90ab54d17a8aa92cf87b75ac079d36b77c7f70c6729ecc5b1ea17bebfdd3135bf6bdc880881240d2a5d
Ssdeep 3072:27wJS4uZy3BoziLooWw6HR4/4e4CRRWAENM/2lDZmP98j+N1SGo6x:js4L3B2WoTwC4KCRLENMuq9nUB6x
PEiD None matched
Yara None matched
VirusTotal Scan Date: 2017-01-07 06:25:04
VirusTotal Detection Rate: 3/57

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1483794474]=0): Snort Events=0, AV Events=0
Total Score=75

MetaFlows Virus DB DETECTED Dropped File:
E- 21623867-SY-EK.exe INFECTED

Signatures

Attempt_to_open_VBA_AutoRun
antivm_vbox_files
Jalik_Trojan_Behavior
antivm_vbox_devices
antivm_vbox_files

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

E- 21623867-SY-EK.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Opened
  • \??\VBoxMiniRdrDN
  • c:\
  • C:\Users\Harry Dresden\AppData\Local\Temp
Directory-Enumerated
  • C:\Users\Harry Dresden\AppData\Local\Temp\*.*
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxSF\NetworkProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\control\NetworkProvider\HwOrder
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\E- 21623867-SY-EK.exe
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxSF\NetworkProvider\Class
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\ProviderPath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\Name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\ProviderPath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\Class
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder\ProviderOrder
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\Class
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxSF\NetworkProvider\ProviderPath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\ProviderPath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxSF\NetworkProvider\name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\Name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\Class

Processes

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\E- 21623867-SY-EK.exe" PID: 1864, Parent PID: 2404

Volatility

Nothing to display.