Category: FILE
Started On: 2018-09-18 11:59:58.365655
Completed On: 2018-09-18 12:02:10.601639
Duration: 132 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo2
Label: win7 Clone 2
Manager: VirtualBox
Started On: 2018-09-18 11:59:59
Shutdown On: 2018-09-18 12:02:10

File Details

File name 4957546984d0fcf3e14cb6bd0b848bf59445e36d.zip
File size 2679770 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 AD9401BE
MD5 928652a2bf4985bfd821b93d6daa6e1e
SHA1 4957546984d0fcf3e14cb6bd0b848bf59445e36d
SHA256 2ca2e108159c6a93f8d152a3c9eca83948e7d6749bfc7ba856bf80061d94c2ef
SHA512 9f0aa7e9870cdf26d3f13c76ddcaa1436af3ed2259c2cb2300d37f2b56790df946aca81ab3a453950dec66c43279d8378f88a134a44884692f5975f6f17ab65f
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal Scan Date: 2018-08-25 00:24:44
Detection Rate: 1/61

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1537286595]=0): Snort Events=0, AV Events=0
Total Score=75

Dropped File/Buffer Yara Signatures:
Rw.exe: vmdetect

Signatures

allocates_rwx details
creates_service details
nolookup_communication details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

d969845ef6acc8e5_RwDrv.sys

Rw.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\Win32\Portable\Rw.ini
File-Written
  • C:\Windows\SysWOW64\drivers\RwDrv.sys
File-Deleted
  • C:\Windows\SysWOW64\drivers\RwDrv.sys
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\Win32\Portable\Rw.ini
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Directory-Enumerated
  • C:\Users\Harry Dresden\AppData\Local\Temp\Win32\Portable\Rw.en
  • C:\Users\Harry Dresden\AppData\Local\Temp\Win32\Portable\Rw.ENU
  • C:\Users\Harry Dresden\AppData\Local\Temp\Win32\Portable\Rw.en-US
  • C:\Users\Harry Dresden\AppData\Local\Temp\Win32\Portable\Rw.EN
Registry Key-Opened
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\CpuMsrForm
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\E820Form
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\OptionRomForm
  • HKEY_CURRENT_USER\Software\Borland\Locales
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\SmbiosForm
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\IoIndexDataForm0
  • HKEY_CURRENT_USER\Software\Rw.exe
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\AcpiDumpForm
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\UsbInfoForm
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\MmioForm
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\DiskForm
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\PciForm0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\MemoryForm0
  • HKEY_LOCAL_MACHINE\Software\CodeGear\Locales
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\CommandForm
  • HKEY_CURRENT_USER\Software\CodeGear\Locales
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\SuperIoForm
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\Config
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\AtaAtapiForm
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\PciIndexDataForm0
  • HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\MemoryIndexDataForm0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Rw.exe
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\IoSpaceForm0
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\EdidForm
  • HKEY_CURRENT_USER\Software\Embarcadero\Locales
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\ClockGenForm
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\SIOConfigKey
  • HKEY_CURRENT_USER\Software\RW-Everything\Rw.ini\MpsForm
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
Registry Key-Written
  • HKEY_CURRENT_USER\Software\Rw.exe\RegisterMessage
Mutex-Accessed
  • Rw.exe

Processes

C:\Windows\system32\lsass.exe PID: 484, Parent PID: 388

"C:\Users\Harry Dresden\AppData\Local\Temp\Win32\Portable\Rw.exe" PID: 4920, Parent PID: 4848

Volatility

Nothing to display.