Category	Started On	Completed On	Duration	Cuckoo Version
FILE	2018-08-17 18:08:20.058326	2018-08-17 18:08:44.870168	24 seconds	2.0-dev

Machine	Label	Manager	Started On	Shutdown On
win7cuckoo	win7 Clone 1	VirtualBox	2018-08-17 18:08:20	2018-08-17 18:08:44

File Details

File name

cce6e761b12f42887388a273d4c5609e56a1ce38.dll

File size

530305 bytes

File type

PE32 executable (console) Intel 80386, for MS Windows

CRC32

27925464

MD5

e37211b58ae7c8a669bae32dd8e3b8d1

SHA1

cce6e761b12f42887388a273d4c5609e56a1ce38

SHA256

420133fc76a2c94b09ef0ce22c77c176a5fbcbc6489e64044f35796c1a6c140c

SHA512

c155c3ee20cff72886c940fd519560375d6545fafb59880cfc25b0b1966ff6d3a051d2cd4c656a5fa84afcfb668d31cc6318e4be35aef300ee83aea86339b2d8

Ssdeep

None

PEiD

None matched

Yara

spyeye (SpyEye X.Y memory)
RooterStrings (Rooter Identifying Strings)
Rooter (Rooter)

VirusTotal

Permalink
VirusTotal Scan Date: 2018-08-03 00:13:59
Detection Rate: 1/68 (Expand)

Antivirus	Version	Result
Ad-Aware	3.0.5.370	Clean
AegisLab	4.2	Clean
AhnLab-V3	3.13.1.21616	Clean
ALYac	1.1.1.5	Clean
Antiy-AVL	3.0.0.1	Clean
Arcabit	1.0.0.831	Clean
Avast	18.4.3895.0	Clean
Avast-Mobile	180802-00	Clean
AVG	18.4.3895.0	Clean
Avira	8.3.3.6	Clean
AVware	1.6.0.52	Clean
Babable	9107201	Clean
Baidu	1.0.0.2	Clean
BitDefender	7.2	Clean
Bkav	1.3.0.9466	Clean
CAT-QuickHeal	14.00	Clean
ClamAV	0.100.1.0	Clean
CMC	1.1.0.977	Clean
Comodo	29457	Clean
CrowdStrike	1.0	Clean
Cybereason	1.2.27	Clean
Cylance	2.3.1.101	Unsafe
Cyren	6.0.0.4	Clean
DrWeb	7.0.33.6080	Clean
eGambit	None	Clean
Emsisoft	2018.4.0.1029	Clean
Endgame	3.0.1	Clean
ESET-NOD32	17820	Clean
F-Prot	4.7.1.166	Clean
F-Secure	11.0.19100.45	Clean
Fortinet	5.4.247.0	Clean
GData	A:25.17970B:25.12874	Clean
Ikarus	0.1.5.2	Clean
Invincea	6.3.5.26121	Clean
Jiangmin	16.0.100	Clean
K7AntiVirus	10.56.27956	Clean
K7GW	10.56.27956	Clean
Kaspersky	15.0.1.13	Clean
Kingsoft	2013.8.14.323	Clean
Malwarebytes	2.1.1.1115	Clean
MAX	2017.11.15.1	Clean
McAfee	6.0.6.653	Clean
McAfee-GW-Edition	v2017.3010	Clean
Microsoft	1.1.15100.1	Clean
MicroWorld-eScan	14.0.297.0	Clean
NANO-Antivirus	1.0.116.23366	Clean
Paloalto	1.0	Clean
Panda	4.6.4.2	Clean
Qihoo-360	1.0.0.1120	Clean
Rising	25.0.0.24	Clean
SentinelOne	1.0.17.227	Clean
Sophos	4.98.0	Clean
SUPERAntiSpyware	5.6.0.1032	Clean
Symantec	1.6.0.0	Clean
TACHYON	2018-08-02.04	Clean
Tencent	1.0.0.1	Clean
TheHacker	6.8.0.5.3481	Clean
TotalDefense	37.1.62.1	Clean
TrendMicro	10.0.0.1040	Clean
TrendMicro-HouseCall	9.950.0.1006	Clean
VBA32	3.12.32.0	Clean
VIPRE	68574	Clean
ViRobot	2014.3.20.0	Clean
Webroot	1.0.0.403	Clean
Yandex	5.5.1.3	Clean
Zillya	2.0.0.3608	Clean
ZoneAlarm	1.0	Clean
Zoner	1.0	Clean

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1534543727]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

console_output details

packer_entropy details

nolookup_communication details

Screenshots

No screenshots available.

Static Analysis

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x000372e4	0x00037400	5.88565105837
.data	0x00039000	0x000002ac	0x00000400	1.82983070256
.rdata	0x0003a000	0x0000abb8	0x0000ac00	6.9936005185
.bss	0x00045000	0x0000b280	0x00000000	0.0
.idata	0x00051000	0x0000093c	0x00000a00	4.388856173
.CRT	0x00052000	0x00000034	0x00000200	0.278926778006
.tls	0x00053000	0x00000020	0x00000200	0.20058190744
/4	0x00054000	0x000003b8	0x00000400	2.36750935572
/19	0x00055000	0x0001b66c	0x0001b800	6.08667191923
/31	0x00071000	0x00002411	0x00002600	4.53812827925
/45	0x00074000	0x0000653b	0x00006600	5.99021808132
/57	0x0007b000	0x00003534	0x00003600	4.66018750533
/70	0x0007f000	0x00000741	0x00000800	4.50451325445
/81	0x00080000	0x0000240b	0x00002600	3.84932575397
/92	0x00083000	0x00000438	0x00000600	2.17616683852

Imports

Library KERNEL32.DLL:

• 0x4511a0 - CloseHandle

• 0x4511a4 - CreateFileA

• 0x4511a8 - DeleteCriticalSection

• 0x4511ac - EnterCriticalSection

• 0x4511b0 - FormatMessageA

• 0x4511b4 - GetCurrentProcess

• 0x4511b8 - GetCurrentProcessId

• 0x4511bc - GetCurrentThreadId

• 0x4511c0 - GetFileSizeEx

• 0x4511c4 - GetFileType

• 0x4511c8 - GetLastError

• 0x4511cc - GetLocalTime

• 0x4511d0 - GetModuleHandleA

• 0x4511d4 - GetProcAddress

• 0x4511d8 - GetStartupInfoA

• 0x4511dc - GetStdHandle

• 0x4511e0 - GetSystemTimeAsFileTime

• 0x4511e4 - GetTickCount

• 0x4511e8 - InitializeCriticalSection

• 0x4511ec - LeaveCriticalSection

• 0x4511f0 - QueryPerformanceCounter

• 0x4511f4 - ReadFile

• 0x4511f8 - SetFilePointerEx

• 0x4511fc - SetUnhandledExceptionFilter

• 0x451200 - Sleep

• 0x451204 - SystemTimeToFileTime

• 0x451208 - TerminateProcess

• 0x45120c - TlsGetValue

• 0x451210 - UnhandledExceptionFilter

• 0x451214 - VirtualAlloc

• 0x451218 - VirtualFree

• 0x45121c - VirtualProtect

• 0x451220 - VirtualQuery

• 0x451224 - WriteFile

Library msvcrt.dll:

• 0x45122c - __dllonexit

• 0x451230 - __getmainargs

• 0x451234 - __initenv

• 0x451238 - __lconv_init

• 0x45123c - __set_app_type

• 0x451240 - __setusermatherr

• 0x451244 - _acmdln

• 0x451248 - _amsg_exit

• 0x45124c - _cexit

• 0x451250 - _errno

• 0x451254 - _fmode

• 0x451258 - _initterm

• 0x45125c - _iob

• 0x451260 - _lock

• 0x451264 - _onexit

• 0x451268 - _snprintf

• 0x45126c - _stati64

• 0x451270 - _vsnprintf

• 0x451274 - calloc

• 0x451278 - exit

• 0x45127c - fclose

• 0x451280 - fflush

• 0x451284 - fopen

• 0x451288 - fprintf

• 0x45128c - fread

• 0x451290 - free

• 0x451294 - fwrite

• 0x451298 - getenv

• 0x45129c - islower

• 0x4512a0 - isspace

• 0x4512a4 - isupper

• 0x4512a8 - malloc

• 0x4512ac - memcmp

• 0x4512b0 - memcpy

• 0x4512b4 - memmove

• 0x4512b8 - memset

• 0x4512bc - setvbuf

• 0x4512c0 - signal

• 0x4512c4 - strchr

• 0x4512c8 - strcmp

• 0x4512cc - strcpy

• 0x4512d0 - strerror

• 0x4512d4 - strlen

• 0x4512d8 - strncmp

• 0x4512dc - strncpy

• 0x4512e0 - strrchr

• 0x4512e4 - strtol

• 0x4512e8 - _unlock

• 0x4512ec - abort

• 0x4512f0 - system

• 0x4512f4 - vfprintf

• 0x4512f8 - _unlink

• 0x4512fc - _getpid

Strings

Dropped Files

Nothing to display.

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Opened

C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui

Registry Key-Read

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguageFallback
HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US\Type
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US\AlternateCodePage
HKEY_CURRENT_USER\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\EMPTY
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\cce6e761b12f42887388a273d4c5609e56a1ce38.dll" PID: 1320, Parent PID: 572

Volatility

Nothing to display.

Domain	IP Address
armmf.adobe.com	23.218.74.56
dns.msftncsi.com	131.107.255.255
teredo.ipv6.microsoft.com	52.52.215.201
ipv6.msftncsi.com

IP Address
104.75.133.129
70.186.27.9
8.8.8.8