Category FILE
Started On 2018-09-26 05:35:22.896387
Completed On 2018-09-26 05:37:25.965520
Duration 123 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo2
Label win7 Clone 2
Manager VirtualBox
Started On 2018-09-26 05:35:23
Shutdown On 2018-09-26 05:37:25

File Details

File name a3d606207e1bab63e2e95e1e91e0896c8d38d4ba.zip
File size 5141 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 DE1C5119
MD5 4133b82937ec8bbb3d6d5b205a2d9cda
SHA1 a3d606207e1bab63e2e95e1e91e0896c8d38d4ba
SHA256 5ef70710f1815ff65cba6a2a5b48ed4427a84087eac5a1263a2eddd011e5ac7b
SHA512 174e95eccdc308c9dd9e67321ca72aee7c4aa82f417925136cdf0ff1970ef7d9f6cad55ca93e1cf053d40a31ce5a56a3ca6302020b747e105bab799c4e05817a
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1537954653]=0): Snort Events=0, AV Events=0
Total Score=75

Dropped File/Buffer Yara Signatures:
ups_shut.bat: vmdetect

Signatures

console_output
nolookup_communication

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

ups_shut.bat

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Opened
  • C:\Windows\Branding\Basebrd\basebrd.dll
  • C:\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

Processes


C:\Windows\system32\lsass.exe PID: 484, Parent PID: 388

"C:\Windows\System32\cmd.exe" /c "C:\Users\HARRYD~1\AppData\Local\Temp\ups_shut.bat" PID: 4980, Parent PID: 4952
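The Behavior Summary above lists cmd.exe reading both the HKLM and HKCU `Command Processor\AutoRun` values, and the process list shows the dropped `ups_shut.bat` being launched through `cmd.exe /c` with the command line rendered one space per character. Every cmd.exe start reads AutoRun, so those reads are baseline noise for any batch sample; a write to that value would be a persistence candidate, because its contents run on each later cmd.exe launch. The script below, an added example that is not part of this report or of Cuckoo/MetaFlows, parses the summary in the page's own text layout, separates AutoRun reads from writes, collapses the space-interleaved command line, and confirms that the launched file is one of the listed dropped files. The `Registry Key-Written` entry in the sample input is hypothetical (the report shows no such write) and is included only to exercise the write branch; the category names and the bullet prefix are assumed from the layout visible on this page.

```python
"""Triage helpers for a text-rendered Cuckoo/MetaFlows behavior summary.

Added example, not code from the original report or from Cuckoo/MetaFlows.
It handles only what is visible on the page: a category header followed by
'  • ' bullets, and a UTF-16-style command line with a space after every char.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed input in the report's own layout. "File-Opened" and
# "Registry Key-Read" copy entries from the page; "Registry Key-Written" is a
# hypothetical entry added to show how an AutoRun write would be flagged.
SAMPLE_SUMMARY = """\
File-Opened
  • C:\\Windows\\Branding\\Basebrd\\basebrd.dll
  • C:\\Users\\Harry Dresden\\AppData\\Local\\
Registry Key-Read
  • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun
  • HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun
  • HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409
Registry Key-Written
  • HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun
"""

# Process line copied from the page (PID fields dropped), spacing left as rendered.
PROC_LINE = ('"C:\\Windows\\System32\\cmd.exe" / c " " C : \\ U s e r s \\ H A R R Y D ~ 1 '
             '\\ A p p D a t a \\ L o c a l \\ T e m p \\ u p s _ s h u t . b a t')

BULLET = "  • "
AUTORUN_RE = re.compile(r"\\Command Processor\\AutoRun$", re.IGNORECASE)
# A run of at least four single characters each followed by one space, e.g. "C : \ U".
WIDE_RUN_RE = re.compile(r"(?:(?<=\s)|^)((?:\S\s){3,}\S)(?=\s|$)")


def parse_summary(text: str) -> Dict[str, List[str]]:
    """Map each category header to the bullet entries listed under it."""
    events: Dict[str, List[str]] = defaultdict(list)
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(BULLET):
            if current is None:
                raise ValueError(f"bullet before any header: {line!r}")
            events[current].append(line[len(BULLET):].strip())
        else:
            current = line.strip()
            events.setdefault(current, [])
    return dict(events)


def autorun_activity(events: Dict[str, List[str]]) -> dict:
    """Separate expected AutoRun reads from AutoRun writes.

    cmd.exe queries HKLM and HKCU ...\\Command Processor\\AutoRun on every start,
    so reads alone are expected for any .bat sample. A write is a persistence
    candidate: the value's contents run on each later cmd.exe launch.
    """
    reads = [k for k in events.get("Registry Key-Read", []) if AUTORUN_RE.search(k)]
    writes = [k for k in events.get("Registry Key-Written", []) if AUTORUN_RE.search(k)]
    verdict = "persistence-candidate" if writes else ("expected" if reads else "none")
    return {"reads": reads, "writes": writes, "verdict": verdict}


def unspace_wide(s: str) -> str:
    """Collapse runs rendered as 'C : \\ U s e r s' back to 'C:\\Users'.

    Only runs of single characters separated by single spaces are collapsed,
    so ordinary multi-character tokens such as the quoted cmd.exe path survive.
    """
    return WIDE_RUN_RE.sub(lambda m: m.group(1)[::2], s)


def dropped_file_executed(cmdline: str, dropped: List[str]) -> Optional[str]:
    """Return the dropped file name that the (de-spaced) command line launches."""
    flat = unspace_wide(cmdline).lower()
    for name in dropped:
        if name.lower() in flat:
            return name
    return None


if __name__ == "__main__":
    ev = parse_summary(SAMPLE_SUMMARY)
    print(autorun_activity(ev))
    print(unspace_wide(PROC_LINE))
    print(dropped_file_executed(PROC_LINE, ["ups_shut.bat"]))
```

Run against the real report, the `Registry Key-Read` entries alone yield the verdict `expected`; only a `Registry Key-Written` hit on AutoRun (absent here) would escalate the sample on that ground.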

Volatility

Nothing to display.