Analysis Date: 2018-04-07 05:14:48
MD5: dd544f35e70b99abc9a3ba00b118300d
SHA1: 03ca01271c4b74531af92f6d9bb63cea4e5d072d

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash:

AV detections (vendor: detection name):
Arcabit (arcavir): Generic.Malware.SMP!Pkg.B8D96178
Authentium: W32/Trojan.BDD.gen!Eldorado
Grisoft (avg): Win32/DH{gVKBUYFP?}
Avira (antivir): TR/BAS.Samca.oikyt
Alwil (avast): Emotet-AI [Trj]
Ad-Aware: Generic.Malware.SMP!Pkg.B8D96178
BitDefender: Generic.Malware.SMP!Pkg.B8D96178
BullGuard: Generic.Malware.SMP!Pkg.B8D96178
ClamAV: Win.Worm.Untukmu-5949608-0
Dr. Web: Trojan.DownLoader7.3730
Emsisoft: Generic.Malware.SMP!Pkg.B8D96178
MicroWorld (escan): Generic.Malware.SMP!Pkg.B8D96178
CA (E-Trust Ino): Generic.Malware.SMP!Pkg.B8D96178
Fortinet: W32/Regrun.PKE!tr
Frisk (f-prot): No Virus
F-Secure: Generic.Malware.SMP!Pkg.B8D96178
Ikarus: Trojan.Win32.Patched
K7: Error Scanning File
Kaspersky: Trojan-Ransom.Win32.Blocker.kpuo
MalwareBytes: Trojan.AVDis.CS
Mcafee: W32/Rontokbro.gen@MM
Microsoft Security Essentials: Worm:Win32/Ludbaruma.A
NANO: Trojan.Win32.Regrun.dxtouo
Eset (nod32): Win32/VB.ORD worm
Padvish: Trojan.Win32.Regrun.pke
CAT (quickheal): Worm.Ludbaruma.A3
Rising: Worm.Win32.VBInjectEx.a
360 Safe: No Virus
SUPERAntiSpyware: Worm.Ludbaruma/Variant
Symantec: SMG.Heur!gen
Trend Micro: TSPY_LU.85367EC1
Twister: Suspicious.851E5F9BB35FB8DC
VirusBlokAda (vba32): Trojan.Downloader
Windows Defender: Worm:Win32/Ludbaruma.A
Zillya!: Trojan.RegrunGen.Win32.1

Runtime Details:

Process: C:\Windows\System32\lsass.exe

Process: C:\Users\Phil\AppData\Local\Temp\03ca01271c4b74531af92f6d9bb63cea4e5d072d.exe

Creates File: C:\Users\Phil\AppData\Local\Temp\~DFB42E2D60AAA7F53E.TMP
Creates File: C:\
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
Creates File: C:\Users\desktop.ini
Creates File: C:\Users
Creates File: C:\Users\Phil
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE ➝ C:\Windows\system32\Mig~mig.SCR
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure ➝ 0
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut ➝ 600
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xk ➝ C:\Windows\xk.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS ➝ C:\Users\Phil\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ServicePhil ➝ C:\Users\Phil\Local Settings\Application Data\WINDOWS\SERVICES.EXE
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonPhil ➝ C:\Users\Phil\Local Settings\Application Data\WINDOWS\CSRSS.EXE
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring ➝ C:\Users\Phil\Local Settings\Application Data\WINDOWS\LSASS.EXE
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell ➝ C:\Windows\xk.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ Explorer.exe "C:\Windows\system32\IExplorer.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\Windows\system32\userinit.exe,C:\Windows\system32\IExplorer.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger ➝ "C:\Windows\system32\Shell.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\(Default) ➝ File Folder
Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPathAddress ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ 0
Creates Mutex:
Creates Mutex:

Network Details:

