Category: FILE
Started On: 2018-08-27 07:23:50.395068
Completed On: 2018-08-27 07:24:20.406502
Duration: 30 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo
Label: win7 Clone 1
Manager: VirtualBox
Started On: 2018-08-27 07:23:50
Shutdown On: 2018-08-27 07:24:20

File Details

File name b89d1194a86e53f238b0509fc5192569ab649b07.zip
File size 301188 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 75FF60A5
MD5 4f8a353e4176a53c1a6be3596e819cf1
SHA1 b89d1194a86e53f238b0509fc5192569ab649b07
SHA256 0905423504ade766fc2a7903c0bcc538be81f97697a39c076941a8259a4e14d4
SHA512 0c8b14989cfcf9a9cebb602d23d0ba318356cd51661ff061b167246eb37b3ef6589dfd31e6bf1e71b2f19b8fdeb1a3116ebe40807cb12ce6058e3ed6718e9f91
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1535369107]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

raises_exception
dumped_buffer
Attempt_to_open_VBA_AutoRun
allocates_rwx
privilege_luid_check
MF_Heuristic
Jalik_Trojan_Behavior
nolookup_communication
persistence_autorun
antisandbox_unhook
upatre
antivm_vmware_in_instruction

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

de055a89de246e62_symsrv.dll

Mondiale payment invoice.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Program Files\Common Files\System\symsrv.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\Mondiale payment invoice.exe
File-Written
  • C:\Program Files\Common Files\System\symsrv.dll
File-Opened
  • C:\Program Files\Common Files\System\symsrv.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\Mondiale payment invoice.exe
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
Registry Key-Written
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\RequireSignedAppInit_DLLs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs

Processes

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\Mondiale payment invoice.exe" PID: 2476, Parent PID: 2396

Volatility

Nothing to display.