Analysis
Category        FILE
Started On      2017-02-28 16:20:07.476925
Completed On    2017-02-28 16:22:20.106402
Duration        132 seconds
Cuckoo Version  2.0-dev

Machine         win7cuckoo
Label           win7 Clone 1
Manager         VirtualBox
Started On      2017-02-28 16:20:08
Shutdown On     2017-02-28 16:22:19

File Details

File name abc3047332aa290f463731d4d9e333d57719f447.zip
File size 4604138 bytes
File type Zip archive data, at least v1.0 to extract
CRC32 99E3EC82
MD5 22e684dfe0447017923502cc40461712
SHA1 abc3047332aa290f463731d4d9e333d57719f447
SHA256 fb36befc524c57d62ff562100a5621101a782bc0b0b7d3c04500210a89ceb983
SHA512 1ffc4d2e79c2a437b90529122b133b13fe6ccbfec7461f356322dc0e5c988fbd888c1746d6c146f20b8e6cb582ff75f1cb1c2246facb0352d5bdf45a36ac0539
Ssdeep 98304:FjQkBr3GPdZQKS3bsGbJPHUwIHx1JixrmnsNWbHCkR68Bi:FUmDG/QKI7HUNd0rmnEWbCkR6Ui
PEiD None matched
Yara
  • shellcode (Matched shellcode byte patterns)
VirusTotal Scan Date 2017-01-14 06:32:07
VirusTotal Detection Rate 1/55

MetaFlows Scores

Metaflows Analysis Results (Signatures=50, Anomalies=0, PEiD=0, Yara=2, VT[1488298986]=0): Snort Events=0, AV Events=0
Total Score=50

Dropped File/Buffer Yara Signatures:
LicenseRecover.exe: CAP_HookExKeylogger
Zipped File Yara Signatures:
LicenseRecovery/LicenseRecover.exe: CAP_HookExKeylogger
LicenseRecovery/python25.dll: ldpreload

Signatures

suspicious_process

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

LicenseRecover.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\LicenseRecover.exe
File-Opened
  • C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32api.pyd
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\_ctypes.pyd
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\LicenseRecover.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32security.pyd
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32process.pyd
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32event.pyd
Directory-Enumerated
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Users
  • C:\Users\Harry Dresden\AppData
  • C:\Users\Harry Dresden\lib\os.pyc
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Users\Harry Dresden\AppData\Local\Temp\lib\os.py
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32api.pyd
  • C:\Users\lib\os.pyc
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32process
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\warnings
  • C:\Users\lib\os.py
  • C:\Users\Harry Dresden\AppData\Local\lib\os.pyc
  • C:\lib\os.pyc
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\LicenseRecover.exe\ctypes
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\python25.zip
  • C:\Users\Harry Dresden\AppData\Local\Temp\lib\lib-tk
  • C:\Users\Harry Dresden\lib\os.py
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\lib\os.pyc
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32security
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32process.pyd
  • C:\Users\Harry Dresden\AppData\Local\Temp\lib
  • C:\Users\Harry Dresden\AppData\Local\Temp\DLLs
  • C:\Users\Harry Dresden\AppData\Local\Temp\lib\plat-win
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32security.pyd
  • C:\Users\Harry Dresden\AppData\Local\Temp\lib\os.pyc
  • C:\Users\Harry Dresden\AppData\Local\Temp\lib\lib\os.py
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\_ctypes
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\LicenseRecover.exe\win32com
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32event
  • C:\Users\Harry Dresden\AppData\Local\lib\os.py
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32event.pyd
  • C:\Users\Harry Dresden\AppData\lib\os.py
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\LicenseRecover.exe\encodings
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\win32api
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery
  • C:\lib\os.py
  • C:\Users\Harry Dresden\AppData\lib\os.pyc
  • C:\Users\Harry Dresden\AppData\Local\Temp\lib\lib\os.pyc
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\_ctypes.pyd
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\lib\os.py
  • C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\LicenseRecover.exe
Registry Key-Opened
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\win32event
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\ntpath
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\copy_reg
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\sre_compile
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\string
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\traceback
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\sre_constants
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\pythoncom
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\ntpath
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\encodings
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\warnings
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\os
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\platform
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\UserDict
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\copy_reg
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\re
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\PythonPath
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\sre_parse
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\stat
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\pywintypes
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\_ctypes
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\warnings
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\new
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\win32com
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\linecache
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\stat
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\fnmatch
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\glob
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\codecs
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\textwrap
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\types
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\struct
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\sre_constants
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\fnmatch
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\re
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\textwrap
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\win32process
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\glob
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\win32event
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\win32api
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\ctypes
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\sre_parse
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\ntsecuritycon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\win32com
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\win32con
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\linecache
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\ntsecuritycon
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\win32process
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\struct
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\codecs
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\ctypes
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\platform
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\_ctypes
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\pythoncom
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\types
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\UserDict
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\win32api
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\pywintypes
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\win32security
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\PythonPath
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\win32security
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\os
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\new
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\sre_compile
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\win32con
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\traceback
  • HKEY_CURRENT_USER\Software\Python\PythonCore\2.5\Modules\string
  • HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.5\Modules\encodings
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US

Processes

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\LicenseRecover.exe" PID: 3516, Parent PID: 2176

C:\Windows\system32\cmd.exe /c cls PID: 3232, Parent PID: 3516
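
Two triage checks over the sections above, written as an added example in Python; this is not part of the MetaFlows or Cuckoo output, and the regular expression for the process lines is an assumption about how this report renders them. The first check rebuilds the process tree and isolates what the sample itself spawned (only the `cmd.exe /c cls` child; `lsass.exe` is an unrelated system process the monitor happened to log). The second check explains the long Directory-Enumerated list: Python 2.x on Windows locates its prefix by probing `<dir>\lib\os.py` (and `.pyc`) at every ancestor of the executable's directory down to the drive root, which is exactly the chain `...\LicenseRecovery\lib\os.pyc`, `...\Temp\lib\os.py`, `...`, `C:\Users\lib\os.py`, `C:\lib\os.py` recorded here. Together with `python25.dll`, `python25.zip` and the `win32*.pyd` modules in the archive, that marks the sample as a bundled Python 2.5 program doing runtime initialisation, not an enumeration of the user profile; the behavioural signals worth weighing are the keylogger-hook Yara match and the spawned `cmd.exe`. The sample paths in the block are copied from this report.

```python
"""Triage helpers for the Cuckoo behaviour report above (added example)."""
import re
from collections import defaultdict

# Process lines copied from the report's "Processes" section.
PROCESS_LINES = [
    r'C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352',
    r'"C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\LicenseRecover.exe" PID: 3516, Parent PID: 2176',
    r'C:\Windows\system32\cmd.exe /c cls PID: 3232, Parent PID: 3516',
]

# Assumed rendering: "<command line> PID: <n>, Parent PID: <n>".
_PROC_RE = re.compile(r'^(?P<cmd>.*?)\s+PID:\s*(?P<pid>\d+),\s*Parent PID:\s*(?P<ppid>\d+)\s*$')


def parse_processes(lines):
    """Map pid -> (ppid, command line) for every process line."""
    procs = {}
    for line in lines:
        m = _PROC_RE.match(line)
        if not m:
            raise ValueError("unparsed process line: %r" % line)
        procs[int(m.group('pid'))] = (int(m.group('ppid')), m.group('cmd').strip())
    return procs


def descendants(procs, root_pid):
    """PIDs transitively spawned by root_pid, breadth-first, sorted per level."""
    children = defaultdict(list)
    for pid, (ppid, _) in procs.items():
        children[ppid].append(pid)
    out, queue = [], [root_pid]
    while queue:
        kids = sorted(children[queue.pop(0)])
        out.extend(kids)
        queue.extend(kids)
    return out


# Directory of the analysed executable and a subset of the report's
# "Directory-Enumerated" entries (the lib\os.py / lib\os.pyc probes).
SAMPLE_DIR = r'C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery'
ENUMERATED_DIRS = [
    r'C:\Users\Harry Dresden',
    r'C:\Users\Harry Dresden\lib\os.pyc',
    r'C:\Users\Harry Dresden\AppData\Local\Temp\lib\os.py',
    r'C:\Users\lib\os.pyc',
    r'C:\Users\lib\os.py',
    r'C:\Users\Harry Dresden\AppData\Local\lib\os.pyc',
    r'C:\lib\os.pyc',
    r'C:\Users\Harry Dresden\lib\os.py',
    r'C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\lib\os.pyc',
    r'C:\Users\Harry Dresden\AppData\Local\Temp\lib\os.pyc',
    r'C:\Users\Harry Dresden\AppData\Local\lib\os.py',
    r'C:\Users\Harry Dresden\AppData\lib\os.py',
    r'C:\lib\os.py',
    r'C:\Users\Harry Dresden\AppData\lib\os.pyc',
    r'C:\Users\Harry Dresden\AppData\Local\Temp\LicenseRecovery\lib\os.py',
]


def _ancestors(path):
    """path itself, then each parent directory, ending at the drive ('C:')."""
    parts = path.rstrip('\\').split('\\')
    return ['\\'.join(parts[:i]) for i in range(len(parts), 0, -1)]


def landmark_probes(paths, exe_dir):
    """Ancestors of exe_dir at which the Python prefix landmark lib\\os.py(c) was probed."""
    seen = {p.lower() for p in paths}
    return [anc for anc in _ancestors(exe_dir)
            if any((anc + '\\lib\\os.' + ext).lower() in seen for ext in ('py', 'pyc'))]


def looks_like_python_prefix_search(paths, exe_dir):
    """True when every ancestor down to the drive root was probed: runtime init, not recon."""
    return landmark_probes(paths, exe_dir) == _ancestors(exe_dir)


if __name__ == '__main__':
    procs = parse_processes(PROCESS_LINES)
    for pid in descendants(procs, 3516):
        print('spawned by sample:', pid, procs[pid][1])
    print('python prefix search:', looks_like_python_prefix_search(ENUMERATED_DIRS, SAMPLE_DIR))
```

Running the block prints the single child the sample spawned (`3232 C:\Windows\system32\cmd.exe /c cls`) and `python prefix search: True`. The same two functions apply to any Cuckoo report rendered in this layout; a partial landmark chain (probes stopping short of the drive root) returns `False` and should be read as ordinary file activity instead.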

Volatility

Nothing to display.