Category: FILE
Started On: 2018-08-27 07:25:08.473887
Completed On: 2018-08-27 07:25:37.245967
Duration: 28 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo
Label: win7 Clone 1
Manager: VirtualBox
Started On: 2018-08-27 07:25:09
Shutdown On: 2018-08-27 07:25:36

File Details

File name Mondiale payment invoice.exe
File size 401863 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 C4A98397
MD5 212f6ed83d033db03e18feb6cf1cf13c
SHA1 a2ef78d1f7f89d41116ec9d795e81d36b17674ce
SHA256 92e10a8dd28ecd67b571eec86259823406365f411ec83c41680ca829dd7f88bd
SHA512 76c44bd58da93aa92d49558a1847d99a6c4d5668bf728b104eb2b0c370e05f7c8ec943e719c3bc171ae050aef821ee765d6079ef7d447c59991d3a9b1fa3695e
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1535369143]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

  • raises_exception
  • dumped_buffer
  • Attempt_to_open_VBA_AutoRun
  • allocates_rwx
  • packer_entropy
  • privilege_luid_check
  • Jalik_Trojan_Behavior
  • nolookup_communication
  • persistence_autorun
  • antisandbox_unhook
  • upatre
  • antivm_vmware_in_instruction

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings

Dropped Files

de055a89de246e62_symsrv.dll

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Windows\SysWOW64\gdi32.dll
  • C:\Windows\SysWOW64\CRYPTBASE.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\Mondiale payment invoice.exe
  • C:\Windows\SysWOW64\user32.dll
  • C:\Windows\SysWOW64\advapi32.dll
  • C:\Program Files\Common Files\System\symsrv.dll
  • C:\Windows\SysWOW64\ntdll.dll
  • C:\Windows\SysWOW64\sspicli.dll
  • C:\Windows\SysWOW64\usp10.dll
  • C:\Windows\SysWOW64\kernel32.dll
  • C:\Windows\SysWOW64\msvcrt.dll
  • C:\Windows\SysWOW64\lpk.dll
  • C:\Windows\SysWOW64\sechost.dll
  • C:\Windows\SysWOW64\rpcrt4.dll
  • C:\Windows\SysWOW64\KERNELBASE.dll
  • C:\Windows\System32\msvbvm60.dll
File-Written
  • C:\Program Files\Common Files\System\symsrv.dll
File-Opened
  • C:\Windows\SysWOW64\gdi32.dll
  • C:\Windows\SysWOW64\CRYPTBASE.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\Mondiale payment invoice.exe
  • C:\Windows\SysWOW64\user32.dll
  • C:\Windows\SysWOW64\advapi32.dll
  • C:\Program Files\Common Files\System\symsrv.dll
  • C:\Windows\SysWOW64\ntdll.dll
  • C:\Windows\SysWOW64\sspicli.dll
  • C:\Windows\SysWOW64\ole32.dll
  • C:\Windows\SysWOW64\usp10.dll
  • C:\Windows\SysWOW64\kernel32.dll
  • C:\Windows\SysWOW64\msvcrt.dll
  • C:\Windows\SysWOW64\lpk.dll
  • C:\Windows\SysWOW64\sechost.dll
  • C:\Windows\SysWOW64\rpcrt4.dll
  • C:\Windows\SysWOW64\KERNELBASE.dll
  • C:\Windows\System32\msvbvm60.dll
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
Registry Key-Written
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\RequireSignedAppInit_DLLs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs

Processes

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\Mondiale payment invoice.exe" PID: 2912, Parent PID: 2460

Volatility

Nothing to display.