Analysis Date: 2017-07-14 22:46:11
MD5: c51e476746b374e7fcf75bc2ebb1a57d
SHA1: 0c9387e72eb33f79d352e96b0a5737bcc8c18985

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: b6123127c5791198e3e174f1f911d5d6 sha1: cff50ffa442f2adafa154dc1caacc920628441b3 size: 2560
Section .data  md5: d447e459653b50488035fa0eeb73205e sha1: 247a07d59dfdeacbc7632ff820aeb5d980df6839 size: 512
Section .xcpad md5: sha1: size:
Section .idata md5: 41e0574f20f21f653aa920261dd7710c sha1: 63a97f03e700c27b1faeb452a2c26c9a4e22c0f2 size: 1536
Section .reloc md5: sha1: size:
Section .rsrc  md5: c2534a75b741fe53c4fa27ffe7ed3dc3 sha1: e09a38e8a3c2d581125ce1c1908ef738fdd7d875 size: 7680
Timestamp:
Version:
  LegalCopyright:
  PackagerVersion:
  InternalName:
  FileVersion:
  CompanyName:
  Comments:
  ProductName:
  ProductVersion:
  FileDescription:
  Packager:
  OriginalFilename:
Packer:
PEhash:
IMPhash: 2882965f02737a1b501e426c9c6b57a3
AV 360 Safe: No Virus
AV Ad-Aware: Trojan.GenericKD.1416344
AV Alwil (avast): Crypt-QFY [Trj]
AV Arcabit (arcavir): Trojan.GenericKD.1416344
AV Authentium: W32/Trojan.YYFI-6519
AV Avira (antivir): TR/Rogue.AI.11225
AV BitDefender: Trojan.GenericKD.1416344
AV BullGuard: Trojan.GenericKD.1416344
AV CA (E-Trust Ino): Trojan.GenericKD.1416344
AV CAT (quickheal): TrojanDownloader.Upatre.A5
AV ClamAV: Win.Trojan.Zbot-63693
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: Trojan.GenericKD.1416344
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV F-Secure: Trojan.GenericKD.1416344
AV Fortinet: W32/Zbot.HFQ!tr
AV Frisk (f-prot): W32/Trojan3.GOZ
AV Grisoft (avg): PSW.Generic12.NEU
AV Ikarus: Trojan-Spy.Win32.Zbot
AV K7: Trojan ( 0001140e1 )
AV Kaspersky: Trojan-Spy.Win32.Zbot.qsqd
AV MalwareBytes: Trojan.FakeMS.ED
AV Mcafee: PWSZbot-FMO!C51E476746B3
AV MicroWorld (escan): Trojan.GenericKD.1416344
AV Microsoft Security Essentials: No Virus
AV NANO: Trojan.Win32.Zbot.cqjldv
AV Padvish: No Virus
AV Rising: No Virus
AV SUPERAntiSpyware: Trojan.Agent/Gen-Bublik
AV Symantec: Trojan.Zbot
AV Trend Micro: TROJ_UPATRE.SMJ8
AV Twister: Suspicious.B830000000648.mg
AV VirusBlokAda (vba32): TrojanSpy.Zbot
AV Windows Defender: TrojanDownloader:Win32/Upatre
AV Zillya!: Trojan.Zbot.Win32.142446

Runtime Details:

Screenshot

Process
↳ Pid 1284

Process
↳ C:\0c9387e72eb33f79d352e96b0a5737bcc8c18985.exe

Creates File: mciwave.dll
Creates File: C:\WINDOWS\WindowsShell.Manifest
Creates File: C:\0c9387e72eb33f79d352e96b0a5737bcc8c18985.exe
Creates File: C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe
Creates File: C:\WINDOWS\Registration\R000000000007.clb
Creates Mutex:
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex
Creates Mutex: ZonesLockedCacheCounterMutex
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass ➝ Drive\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass ➝ Drive\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents ➝ C:\Documents and Settings\All Users\Documents\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop ➝ C:\Documents and Settings\All Users\Desktop\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe ➝ budha\\x00

Process
↳ C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe

Creates File: C:\WINDOWS\system32\dssenh.dll
Creates File: c:\autoexec.bat

Network Details:


Raw Pcap
0x00000000 (00000)   804c0103                              .L..


Strings
CreateWindowExA
LoadCursorA
TranslateMessage
set waveaudio door open
LoadLibraryExA
user32.dll
mciSendStringA
Winmm.dll
user32.dll
GDI32.dll
Msacm32.dll
ADVAPI32.dll
IMM32.dll
kernel32.dll
GetModuleHandleA
GetProcAddress
HeapCreate
HeapAlloc
ExitProcess
FreeLibrary
GetMessageA
DefWindowProcA
PostQuitMessage
GetForegroundWindow
SetForegroundWindow
GetDoubleClickTime
GetQueueStatus
LoadIconA
RegisterClassA
RegQueryValueExA
RegOpenKeyA
GetUserNameA
CopySid
GetLengthSid
IntersectClipRect
ExcludeClipRect
UpdateColors
GetTextExtentPoint32A
CreateCompatibleDC
DeleteObject
TextOutA
SetBkColor
SetTextColor
Rectangle
CreateSolidBrush
GetStockObject
CreateFontIndirectA
GetTextExtentExPointA
GetTextMetricsA
CreateFontA
RealizePalette
ImmGetCompositionStringW
ImmSetCompositionFontA
ImmGetContext
ImmSetCompositionWindow
acmStreamOpen
acmDriverPriority
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>