Analysis Date: 2015-10-11 14:48:51
MD5: 0a7f0eef39e3ba89ee2454afe453aa69
SHA1: 07b804c15f65a7333903b636c6092978028c5652

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 3888d4a585988668774ef481af497e27 sha1: 2d1148469cc6909b84d9da4c2f53419523e0ded3 size: 108032
Section .rdata: md5: 910735be8ba00ed1075366dc91ffcb00 sha1: d76a0051711e34740f21e4a2020c3eacd2e6947e size: 8704
Section .data: md5: 3939bc0577a95f1d0362c4273711bdf2 sha1: c27a3bebba2534909ab8a8a5678a8188ee0f7fd1 size: 18944
Section .rsrc: md5: c4ba90a5da0000a66db49b478fbbf909 sha1: c241f69c03e8a2d797aba7dae0ecc124676c6402 size: 12288
Timestamp: 2014-07-23 11:23:17
Version:
  CompanyName: Sec Corp.
  FileVersion: 1.0.2.2
  ProductVersion: 1.0.2.2
Packer: Microsoft Visual C++ 5.0 (a compiler signature, not a packer)
PEhash: 903cdf4852c49d6cbf42b9d22074b1bb14f9224f
IMPhash: 73f25a5b9dc30797a471c69937f0c64c
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Rogue.148992.8
AV Twister: TrojanRansom.Blocker.fcwr.fzca
AV Ad-Aware: Gen:Variant.Dyreza.4
AV Alwil (avast): Agent-AUIN [Trj]
AV Eset (nod32): Win32/Filecoder.CO
AV Grisoft (avg): FileCryptor.EI
AV Symantec: no_virus
AV Fortinet: W32/Kryptik.GKA!tr
AV BitDefender: Gen:Variant.Dyreza.4
AV K7: Trojan ( 00498ab51 )
AV Microsoft Security Essentials: Ransom:Win32/Crowti.A
AV MicroWorld (escan): Gen:Variant.Dyreza.4
AV MalwareBytes: Trojan.Agent.DZ
AV Authentium: W32/Trojan.OSHH-6982
AV Frisk (f-prot): W32/Trojan2.OKUO
AV Ikarus: Trojan.Win32.Filecoder
AV Emsisoft: Gen:Variant.Dyreza.4
AV Zillya!: Trojan.Blocker.Win32.20406
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_CROWTI.SMN2
AV CAT (quickheal): Ransom.Crowti.C4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Dyreza.4
AV Arcabit (arcavir): Gen:Variant.Dyreza.4
AV ClamAV: no_virus
AV Dr. Web: Trojan.Encoder.514
AV F-Secure: Gen:Variant.Dyreza.4
AV CA (E-Trust Ino): Win32/Ransom.eYLFbKC

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\a1a0cab\a1a0cab.exe
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\a1a0cab.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\a1a0cab.exe
Creates Process: -k netsvcs
Creates Process: vssadmin.exe Delete Shadows /All /Quiet

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: drhoffman.com
Winsock DNS: covil.org
Winsock DNS: itnews001.com
Winsock DNS: delices-au-chateau.fr
Winsock DNS: ciltbakim.org
Winsock DNS: kuchar24.cz
Winsock DNS: r-mix-house.com
Winsock DNS: sanshu.mamgou.net
Winsock DNS: papillon-northwan.com
Winsock DNS: pannanawydaniu.com.pl
Winsock DNS: marioburgos.com
Winsock DNS: gsxf119.com
Winsock DNS: arsenalromania.ro
Winsock DNS: ycntransportation.com
Winsock DNS: amedsehri.com
Winsock DNS: vifafair.com
Winsock DNS: lsct.lviv.ua
Winsock DNS: huashanlunming.com
Winsock DNS: stephanelouis.com

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc
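The process tree above carries the three tells worth alerting on: malware.exe starts a fresh explorer.exe, and it is that explorer.exe (consistent with injected code, not the user's shell) which drops a1a0cab.exe into the Startup folder and the Application Data root, spawns a child recorded only by its "-k netsvcs" argument, and runs "vssadmin.exe Delete Shadows /All /Quiet" to destroy the Volume Shadow Copies before encryption (Filecoder / Crowti in the AV column). The following detection logic is an added example and not part of the sandbox report: it runs those rules over constructed Sysmon-style events whose paths and command lines are copied from the report; the pids, the "type"/"image"/"cmdline" field names and the vssadmin image path are assumptions, and the two pid-500 events are constructed benign noise (a backup job that only lists shadows).

```python
"""Rules for the ransomware tells recorded in the sandbox process tree."""
import re

# Constructed telemetry (assumption: one dict per Sysmon-like event; the
# report records no pids, so these are invented for the parent/child links).
EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\malware.exe", "cmdline": r"C:\malware.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\WINDOWS\explorer.exe", "cmdline": r"C:\WINDOWS\explorer.exe"},
    {"type": "file_create", "pid": 200, "path": r"C:\a1a0cab\a1a0cab.exe"},
    {"type": "file_create", "pid": 200,
     "path": r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\a1a0cab.exe"},
    {"type": "file_create", "pid": 200,
     "path": r"C:\Documents and Settings\Administrator\Application Data\a1a0cab.exe"},
    # Child recorded with only a service-group argument and no image path.
    {"type": "process_create", "pid": 300, "ppid": 200, "image": "", "cmdline": "-k netsvcs"},
    {"type": "process_create", "pid": 400, "ppid": 200,
     "image": r"C:\WINDOWS\system32\vssadmin.exe",   # assumed path
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    # Constructed benign noise: a backup job listing, not deleting, shadows.
    {"type": "process_create", "pid": 500, "ppid": 1,
     "image": r"C:\WINDOWS\system32\vssadmin.exe", "cmdline": "vssadmin.exe List Shadows"},
    {"type": "file_create", "pid": 500,
     "path": r"C:\Documents and Settings\Administrator\Application Data\report.txt"},
]

SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
APPDATA_ROOT_EXE = re.compile(r"\\Application Data\\[^\\]+\.exe$", re.I)


def analyse(events):
    """Return (rule, pid, detail) findings; each rule is one tell from the report."""
    findings = []
    for e in events:
        if e["type"] == "process_create":
            cmd = e["cmdline"].strip()
            if SHADOW_DELETE.search(cmd):
                findings.append(("shadow_copy_deletion", e["pid"], cmd))
            # svchost's "-k <group>" argument with no host binary recorded.
            if cmd.startswith("-k ") and not e["image"]:
                findings.append(("hostless_service_group", e["pid"], cmd))
        elif e["type"] == "file_create":
            if STARTUP_EXE.search(e["path"]):
                findings.append(("autostart_drop", e["pid"], e["path"]))
            elif APPDATA_ROOT_EXE.search(e["path"]):
                findings.append(("profile_root_exe_drop", e["pid"], e["path"]))
    return findings


def verdict(findings):
    """Shadow deletion plus a persistence drop is the ransomware combination."""
    rules = {f[0] for f in findings}
    drops = rules & {"autostart_drop", "profile_root_exe_drop"}
    if "shadow_copy_deletion" in rules and drops:
        return "ransomware-like"
    if drops:
        return "persistence-only"
    return "no-finding"


def parent_chain(events, pid):
    """Walk ppid links to the root so the real spawner of vssadmin is visible."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"] or procs[pid]["cmdline"])
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    found = analyse(EVENTS)
    for f in found:
        print(f)
    print(verdict(found))
    print(" <- ".join(parent_chain(EVENTS, 400)))
```

The shadow-copy rule keys on the verb and noun rather than the exact flags, so "delete shadows /for=C:" variants still match while the benign "List Shadows" job does not; the parent chain is what turns "explorer.exe ran vssadmin" into "malware.exe ran vssadmin through explorer.exe" in the alert.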

Network Details:

DNS A: r-mix-house.com ➝ 59.106.13.106
DNS A: web5415465.freegousx1.badudns.cc ➝ 223.244.227.135
DNS A: ciltbakim.org ➝ 94.138.196.4
DNS A: lsct.lviv.ua ➝ 178.20.158.49
DNS A: papillon-northwan.com ➝ 112.78.112.155
DNS A: itnews001.com ➝ 115.28.164.33
DNS A: vifafair.com ➝ 103.254.12.53
DNS A: gsxf119.com ➝ 162.246.56.83
DNS A: stephanelouis.com ➝ 213.186.33.87
DNS A: pannanawydaniu.com.pl ➝ 109.95.159.1
DNS A: arsenalromania.ro ➝ 89.38.143.220
DNS A: drhoffman.com ➝ 38.111.52.104
DNS A: ycntransportation.com ➝ 50.63.202.46
DNS A: marioburgos.com ➝ 192.124.249.7
DNS A: sanshu.mamgou.net ➝ (no answer recorded)
DNS A: amedsehri.com ➝ (no answer recorded)
DNS A: covil.org ➝ (no answer recorded)
DNS A: huashanlunming.com ➝ (no answer recorded)
DNS A: kuchar24.cz ➝ (no answer recorded)
DNS A: delices-au-chateau.fr ➝ (no answer recorded)
HTTP GET: http://r-mix-house.com/wp-content/themes/r-mix/ui6n5ss5n1e
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://sanshu.mamgou.net/wp-content/themes/xs/iiaoeoix7c
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://ciltbakim.org/wp-content/themes/baywomen/0ebac31z
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://lsct.lviv.ua/wp-content/themes/twentythirteen/fl4fbvn
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://papillon-northwan.com/wp-content/themes/dog02_l/3sab5
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://itnews001.com/wp-content/themes/HotNewspro/dx3ae
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://vifafair.com/wp-content/themes/twentytwelve-vifafair/8n6if5k
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://gsxf119.com/wp-content/themes/live-color/k7eh5zug5vq7
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://stephanelouis.com/wp-content/themes/gather/9a6ct47znvpi
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://pannanawydaniu.com.pl/wp-content/themes/marriage/w8z0ana
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://arsenalromania.ro/wp-content/languages/7kyy5592iu
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://drhoffman.com/wp-content/themes/drhoffman/t3w5rk9ld
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://ycntransportation.com/wp-content/themes/ycn/9djlap0dh0m
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://marioburgos.com/wp-content/themes/esther/6l7de
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 59.106.13.106:80
Flows TCP: 192.168.1.1:1032 ➝ 223.244.227.135:80
Flows TCP: 192.168.1.1:1033 ➝ 94.138.196.4:80
Flows TCP: 192.168.1.1:1034 ➝ 178.20.158.49:80
Flows TCP: 192.168.1.1:1035 ➝ 112.78.112.155:80
Flows TCP: 192.168.1.1:1036 ➝ 115.28.164.33:80
Flows TCP: 192.168.1.1:1037 ➝ 103.254.12.53:80
Flows TCP: 192.168.1.1:1038 ➝ 162.246.56.83:80
Flows TCP: 192.168.1.1:1039 ➝ 109.95.159.1:80
Flows TCP: 192.168.1.1:1040 ➝ 109.95.159.1:80
Flows TCP: 192.168.1.1:1041 ➝ 89.38.143.220:80
Flows TCP: 192.168.1.1:1042 ➝ 38.111.52.104:80
Flows TCP: 192.168.1.1:1043 ➝ 50.63.202.46:80
Flows TCP: 192.168.1.1:1044 ➝ 192.124.249.7:80
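The network pattern above is the part of this run that survives a rebuild of the sample: fourteen unrelated hosts, every request a plain-HTTP GET to /wp-content/themes/<theme>/<token> or /wp-content/languages/<token>, where the token is a short lowercase alphanumeric string with no extension, i.e. compromised WordPress sites used as relays, walked one after another from a single client on consecutive source ports. The User-Agent is the stock IE 6 string of the XP sandbox and the index.dat/History.IE5 artefacts show WinINet in use, so the UA identifies the host's browser stack rather than the malware; treat it as corroboration, not the key. The following detection is an added example, not part of the report: it parses constructed proxy log lines (assumed format: time, client, method, URL, quoted User-Agent), flags the wp-content beacon shape, and only alerts when one client fans out to several such hosts, which is what suppresses the single-site false positive included in the sample. The first five URLs and the User-Agent are copied from the report; the example.org lines and the timestamps are constructed.

```python
"""Fan-out detection for wp-content relay beacons in proxy logs."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed log format: "<time> <client> <method> <url> "<user-agent>"".
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Tuned to this run: a 5-12 char lowercase alphanumeric token with no extension
# under themes/<theme>/ or languages/ (assumption: other runs may use other
# wp-content subdirectories; widen the alternation if so).
WP_BEACON_PATH = re.compile(r"^/wp-content/(?:themes/[^/]+|languages)/[a-z0-9]{5,12}$")
LEGACY_UA = re.compile(r"MSIE [56]\.0;")

# Constructed sample log: real URLs/UA from the report, benign lines invented.
SAMPLE_LOG = """\
2015-10-11T14:49:01 192.168.1.1 GET http://r-mix-house.com/wp-content/themes/r-mix/ui6n5ss5n1e "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
2015-10-11T14:49:02 192.168.1.1 GET http://sanshu.mamgou.net/wp-content/themes/xs/iiaoeoix7c "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
2015-10-11T14:49:03 192.168.1.1 GET http://ciltbakim.org/wp-content/themes/baywomen/0ebac31z "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
2015-10-11T14:49:04 192.168.1.1 GET http://arsenalromania.ro/wp-content/languages/7kyy5592iu "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
2015-10-11T14:49:05 192.168.1.1 GET http://marioburgos.com/wp-content/themes/esther/6l7de "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
2015-10-11T14:49:06 192.168.1.2 GET http://blog.example.org/wp-content/themes/twentythirteen/style.css "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"
2015-10-11T14:49:07 192.168.1.2 GET http://blog.example.org/wp-content/themes/twentythirteen/about "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"
2015-10-11T14:49:08 192.168.1.3 GET http://intranet.example.org/index.html "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
"""


def parse_line(line):
    """Split one log line into fields; None for lines that do not fit the format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def is_wp_beacon(url):
    """True for plain-HTTP GET targets shaped like the relay paths in the report."""
    parts = urlsplit(url)
    return parts.scheme == "http" and bool(WP_BEACON_PATH.match(parts.path))


def alerts(lines, min_hosts=3):
    """One alert per client that hit at least min_hosts distinct beacon hosts.

    The single "about" page on blog.example.org matches the path shape but is
    one host, so the fan-out threshold keeps it out of the alert list.
    """
    hosts = defaultdict(set)
    legacy = defaultdict(bool)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or not is_wp_beacon(rec["url"]):
            continue
        hosts[rec["client"]].add(urlsplit(rec["url"]).hostname)
        legacy[rec["client"]] |= bool(LEGACY_UA.search(rec["ua"]))
    return [
        {"client": c, "hosts": sorted(h), "legacy_ua": legacy[c]}
        for c, h in sorted(hosts.items())
        if len(h) >= min_hosts
    ]


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG.splitlines()):
        print(a["client"], len(a["hosts"]), "hosts, legacy UA:", a["legacy_ua"])
        for h in a["hosts"]:
            print("  ", h)
```

The fan-out count, not the path regex, is what makes this usable on a real proxy log: WordPress sites serve plenty of extensionless paths, but a single workstation walking five or more of them on unrelated domains within seconds, all over port 80, is the relay-walking behaviour in the flow list above. The legacy_ua flag is reported alongside for the analyst and is deliberately not a condition of the alert.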
