Analysis Date: 2015-09-10 14:43:41
MD5: d83d4528261cc71aec3161394d177dc4
SHA1: 1259e02f7457e7d5802dd1e074abac31685db96d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 75c12fd8ce974793b52fbe647f31faa6 sha1: 2b01f655caed10e49593b33fe5514cf8f181d8b2 size: 79360
Section .rdata md5: 9801eb08e41d66b346cd2bbd796ae122 sha1: b1507c60edbe7425b415ec0b8dc592db27934cb6 size: 25088
Section .data md5: 55fde0cd90178dff413edd83bf276869 sha1: 9b049d8dbb8f59f1a026064d08e303c92c050b72 size: 6144
Section .san md5: 3f3ff8aa37d4e464ee256784f33a5782 sha1: aced1ac8b4765a1268304bb55c990cadde4d2758 size: 203776
Section .kada md5: 3a24bdd59bf0fec263c90177c30671b0 sha1: bfe6360a948960a732a638e2f274b468a0660407 size: 10240
Section .grd md5: 0a795d2b188f80f3cf50df2aa8bde889 sha1: 143613b18815759131494697611f6a98000167d1 size: 76288
Section .rela md5: 064198b05142a31b72d97813463fcf9d sha1: 28c03d2d1ce4d1ea0170a689631eb832dca4d082 size: 11776
Section .rsrc md5: b940ae479c69d5533392568f1326e22b sha1: 77044d17f35a7bfdf6696f45bbca41b1c41b3cef size: 32256
Section .reloc md5: 232a1e03aa4f96816a272adf696ffc31 sha1: ca9a1bb08c985a8dd932a4dc7e45c6715cdd43c8 size: 11264
Timestamp: 2015-08-23 12:23:40
Pdb path: Z:\this\animations\analysis\Thoses.pdb
Version info:
  LegalCopyright: Copyright © 2002-2008 Canneverbe Limited
  Assembly Version: 4.5.5.5571
  InternalName: cdbxpp.exe
  FileVersion: 4.5.5.5571
  CompanyName: Canneverbe Limited
  Comments: An application to burn audio and data discs
  ProductName: CDBurnerXP
  ProductVersion: 4.5.5.5571
  FileDescription: CDBurnerXP
  OriginalFilename: cdbxpp.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 03f139fd6c774214a1a3e7019fab410dfe023782
IMPhash: 1e547c03995c1562ea9c03288db132b9
AV CA (E-Trust Ino): no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.53786
AV BitDefender: Gen:Variant.Symmi.53786
AV Authentium: W32/S-9611e276!Eldorado
AV Kaspersky: no_virus
AV Emsisoft: Gen:Variant.Symmi.53786
AV BullGuard: Gen:Variant.Symmi.53786
AV Dr. Web: Trojan.MulDrop6.3201
AV Trend Micro: no_virus
AV Eset (nod32): Win32/Kovter.D
AV CAT (quickheal): no_virus
AV Zillya!: Downloader.Upatre.Win32.51352
AV Twister: W32.Kovter.D.qilj
AV Arcabit (arcavir): Gen:Variant.Symmi.53786
AV Mcafee: GenericR-EIE!D83D4528261C
AV Fortinet: W32/Kovter.D!tr
AV Rising: no_virus
AV Ad-Aware: Gen:Variant.Symmi.53786
AV Avira (antivir): TR/Crypt.Xpack.276696
AV Padvish: no_virus
AV Microsoft Security Essentials: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Kovter
AV K7: Trojan ( 004c61ee1 )
AV ClamAV: Win.Trojan.Symmi-1432
AV Grisoft (avg): Pakes.RCV
AV VirusBlokAda (vba32): no_virus
AV Symantec: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV F-Secure: Gen:Variant.Symmi.53786
AV MalwareBytes: Trojan.Fileless.DR
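Two things in the static details stand out before any runtime data is read: the version resource claims to be CDBurnerXP (cdbxpp.exe, Canneverbe Limited) while the PDB path points at Z:\this\animations\analysis\Thoses.pdb, and four of the nine sections carry names the MSVC toolchain does not produce (.san, .kada, .grd, .rela) and together hold roughly two thirds of the section bytes, with .san alone at 203776 bytes. The Python below is an added example, not part of the sandbox or its tooling: it parses the report's own section and version lines (copied inline) and turns those two observations into repeatable checks. The allow-list of expected section names and the 50% threshold are my heuristics, not something the report states.

```python
import re
from pathlib import PureWindowsPath

# Section table and version fields copied from the report above.
STATIC_REPORT = r"""
Section .text md5: 75c12fd8ce974793b52fbe647f31faa6 sha1: 2b01f655caed10e49593b33fe5514cf8f181d8b2 size: 79360
Section .rdata md5: 9801eb08e41d66b346cd2bbd796ae122 sha1: b1507c60edbe7425b415ec0b8dc592db27934cb6 size: 25088
Section .data md5: 55fde0cd90178dff413edd83bf276869 sha1: 9b049d8dbb8f59f1a026064d08e303c92c050b72 size: 6144
Section .san md5: 3f3ff8aa37d4e464ee256784f33a5782 sha1: aced1ac8b4765a1268304bb55c990cadde4d2758 size: 203776
Section .kada md5: 3a24bdd59bf0fec263c90177c30671b0 sha1: bfe6360a948960a732a638e2f274b468a0660407 size: 10240
Section .grd md5: 0a795d2b188f80f3cf50df2aa8bde889 sha1: 143613b18815759131494697611f6a98000167d1 size: 76288
Section .rela md5: 064198b05142a31b72d97813463fcf9d sha1: 28c03d2d1ce4d1ea0170a689631eb832dca4d082 size: 11776
Section .rsrc md5: b940ae479c69d5533392568f1326e22b sha1: 77044d17f35a7bfdf6696f45bbca41b1c41b3cef size: 32256
Section .reloc md5: 232a1e03aa4f96816a272adf696ffc31 sha1: ca9a1bb08c985a8dd932a4dc7e45c6715cdd43c8 size: 11264
Pdb path: Z:\this\animations\analysis\Thoses.pdb
InternalName: cdbxpp.exe
OriginalFilename: cdbxpp.exe
Packer: Microsoft Visual C++ ?.?
"""

SECTION_RE = re.compile(
    r"^Section\s*(?P<name>\S+)\s+md5:\s*(?P<md5>[0-9a-f]+)\s+"
    r"sha1:\s*(?P<sha1>[0-9a-f]+)\s+size:\s*(?P<size>\d+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.+)$")

# Section names the MSVC linker normally emits (heuristic allow-list, my choice).
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".tls", ".bss", ".CRT", ".gfids"}
UNUSUAL_BYTES_THRESHOLD = 0.5   # heuristic: more than half the image in odd sections


def parse_static(report):
    """Split the report into a list of (section name, raw size) and a dict of version fields."""
    sections, fields = [], {}
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m["name"], int(m["size"])))
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m["key"].strip()] = m["value"].strip()
    return sections, fields


def unusual_sections(sections):
    return [(name, size) for name, size in sections if name not in KNOWN_SECTIONS]


def unusual_fraction(sections):
    total = sum(size for _, size in sections)
    return sum(size for _, size in unusual_sections(sections)) / total if total else 0.0


def largest_section(sections):
    return max(sections, key=lambda s: s[1])


def pdb_matches_version_info(fields):
    """True/False when both a PDB path and a claimed file name exist, None otherwise."""
    pdb = fields.get("Pdb path")
    claimed = {fields[k].rsplit(".", 1)[0].lower()
               for k in ("InternalName", "OriginalFilename") if k in fields}
    if not pdb or not claimed:
        return None
    return PureWindowsPath(pdb).stem.lower() in claimed


def triage(report=STATIC_REPORT):
    sections, fields = parse_static(report)
    findings = []
    odd = unusual_sections(sections)
    if odd:
        findings.append("non-standard sections: " + ", ".join(f"{n} ({s} bytes)" for n, s in odd))
    frac = unusual_fraction(sections)
    if frac > UNUSUAL_BYTES_THRESHOLD:
        name, size = largest_section(sections)
        findings.append(f"{frac:.0%} of section bytes are in non-standard sections; "
                        f"largest is {name} ({size} bytes)")
    if pdb_matches_version_info(fields) is False:
        findings.append(f"PDB name {PureWindowsPath(fields['Pdb path']).name} does not match "
                        f"InternalName/OriginalFilename {fields.get('OriginalFilename', '?')}")
    return findings


if __name__ == "__main__":
    for finding in triage():
        print("-", finding)
```

Neither check proves anything on its own (legitimate packers and renamed build outputs trip both), but a binary that fails both while carrying another product's version resource goes to the top of the queue.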

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_LOCAL_MACHINE\software\2a89521acd\7bf7927d ➝ 864\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝ 8888
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\software\2a89521acd\7bf7927d ➝ 864\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝ 8888
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\168.233.44[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\ezumo\ezumo.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\168.233.44[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Deletes File: c:\malware.exe
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DE7B2F08C5C35678
Creates Mutex: Global\A0B9737978FF60B0
Winsock DNS: microsoft.com
Winsock DNS: 168.233.44.21

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Creates Mutex: 5734B585673D7847

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\378B6FC7F08B60DE50F\71887791EC5B2933F ➝ 71887791EC5B2933F\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\DCD900AB3CD84ABC\38E4B108718BAB753D ➝ 38E4B108718BAB753D\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart
Winsock DNS: download.microsoft.com

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\NETFX2~1.EXE
Deletes File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp

Network Details:

DNS: microsoft.com (A) ➝ 134.170.188.221
DNS: microsoft.com (A) ➝ 134.170.185.46
DNS: a767.dscms.akamai.net (A) ➝ 23.3.98.32
DNS: a767.dscms.akamai.net (A) ➝ 23.3.98.10
DNS: download.microsoft.com (A)
HTTP GET: http://microsoft.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://168.233.44.21/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 168.233.44.21:80
Flows TCP: 192.168.1.1:1032 ➝ 168.233.44.21:80
Flows TCP: 192.168.1.1:1034 ➝ 134.170.188.221:80
Flows TCP: 192.168.1.1:1035 ➝ 13.135.205.204:80
Flows TCP: 192.168.1.1:1036 ➝ 101.111.81.204:443
Flows TCP: 192.168.1.1:1037 ➝ 117.177.143.236:80
Flows TCP: 192.168.1.1:1038 ➝ 168.233.44.21:80
Flows TCP: 192.168.1.1:1039 ➝ 65.217.217.198:80
Flows TCP: 192.168.1.1:1041 ➝ 2.96.108.82:80
Flows TCP: 192.168.1.1:1042 ➝ 195.20.72.229:443
Flows TCP: 192.168.1.1:1043 ➝ 189.104.254.249:80
Flows TCP: 192.168.1.1:1044 ➝ 13.31.129.174:80
Flows TCP: 192.168.1.1:1045 ➝ 208.138.164.180:80
Flows TCP: 192.168.1.1:1046 ➝ 23.3.98.32:80
Flows TCP: 192.168.1.1:1047 ➝ 62.94.9.159:80
Flows TCP: 192.168.1.1:1048 ➝ 167.218.179.33:80
Flows TCP: 192.168.1.1:1049 ➝ 4.131.16.157:80
Flows TCP: 192.168.1.1:1050 ➝ 51.112.157.220:80
Flows TCP: 192.168.1.1:1051 ➝ 92.60.230.240:80
Flows TCP: 192.168.1.1:1053 ➝ 160.252.226.179:443
Flows TCP: 192.168.1.1:1054 ➝ 138.255.227.21:80
Flows TCP: 192.168.1.1:1055 ➝ 17.81.245.197:80
Flows TCP: 192.168.1.1:1056 ➝ 204.127.53.120:80
Flows TCP: 192.168.1.1:1058 ➝ 17.55.27.154:80
Flows TCP: 192.168.1.1:1059 ➝ 84.174.23.2:80
Flows TCP: 192.168.1.1:1060 ➝ 43.71.87.97:80
Flows TCP: 192.168.1.1:1061 ➝ 163.116.215.254:80
Flows TCP: 192.168.1.1:1062 ➝ 88.241.23.8:80
Flows TCP: 192.168.1.1:1063 ➝ 14.117.248.12:80
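Read together, the runtime and network details above tell a consistent story. C:\malware.exe starts regsvr32.exe with no DLL argument (run that way on its own, regsvr32.exe only shows its usage dialog and exits), yet that child writes registry values, resolves download.microsoft.com and silently installs the .NET 2.0 SP1 redistributable, so it is hosting code that is not regsvr32's. The values it writes sit under opaque hex-named keys directly below HKLM\SOFTWARE and HKCU\SOFTWARE (a User-Agent string and the string 864), FEATURE_BROWSER_EMULATION is set for regsvr32.exe rather than for a browser, the only POST goes to a bare IP literal (168.233.44.21), the original file deletes itself, ezumo.exe is dropped under the user profile, and nearly all of the TCP flows go to addresses that never appeared in a DNS answer. Those observations match the Kovter and Trojan.Fileless labels in the AV rows. The Python below is an added triage script, not part of the sandbox report or its tooling: it runs over a constructed excerpt of the report's own lines, rewritten in "Label: value" form, and the indicator rules (hex-looking key names of eight or more characters, the regsvr32/rundll32 host list, the user-profile path markers) are my heuristics.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed excerpt of the runtime and network trace above, rewritten as
# "Label: value" lines; a subset of the report, not the complete log.
RUNTIME_TRACE = r"""
Process: C:\malware.exe
Creates Process: regsvr32.exe
Creates Process: regsvr32.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝ 8888
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\378B6FC7F08B60DE50F\71887791EC5B2933F ➝ 71887791EC5B2933F\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\ezumo\ezumo.exe
Deletes File: c:\malware.exe
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart
DNS: microsoft.com (A) ➝ 134.170.188.221
DNS: a767.dscms.akamai.net (A) ➝ 23.3.98.32
HTTP GET: http://microsoft.com/
HTTP POST: http://168.233.44.21/
Flows TCP: 192.168.1.1:1032 ➝ 168.233.44.21:80
Flows TCP: 192.168.1.1:1034 ➝ 134.170.188.221:80
Flows TCP: 192.168.1.1:1035 ➝ 13.135.205.204:80
Flows TCP: 192.168.1.1:1036 ➝ 101.111.81.204:443
Flows TCP: 192.168.1.1:1046 ➝ 23.3.98.32:80
"""

# Windows binaries that do nothing useful without a DLL/command argument (my host list).
SYSTEM_HOSTS = {"regsvr32.exe", "rundll32.exe"}
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.I)      # heuristic: opaque hex key names
REG_LINE = re.compile(r"^Registry:\s*(?P<path>.*?)\s*➝\s*(?P<value>.*)$")
DNS_LINE = re.compile(r"^DNS:\s*\S+\s*\(A\)\s*➝\s*(?P<ip>[\d.]+)$")
FLOW_LINE = re.compile(r"^Flows TCP:\s*\S+\s*➝\s*(?P<ip>[\d.]+):(?P<port>\d+)$")
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")   # heuristic


def split_cmdline(cmd):
    """Return (lower-cased image basename, argument string) for a command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        exe, args = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, args = cmd.partition(" ")
    return exe.rsplit("\\", 1)[-1].lower(), args.strip()


def value_of(line):
    """Text after the first 'Label:' prefix."""
    return line.split(":", 1)[1].strip()


def triage_runtime(trace):
    lines = [l for l in trace.splitlines() if l.strip()]
    root = next((value_of(l) for l in lines if l.startswith("Process:")), "")
    r = {"argless_system_hosts": [], "opaque_software_keys": set(),
         "browser_emulation_for_system_host": [], "dropped_executables": [],
         "self_delete": False, "ip_literal_posts": [], "unresolved_destinations": set()}
    resolved = set()
    for l in lines:
        if l.startswith("Creates Process:"):
            exe, args = split_cmdline(value_of(l))
            if exe in SYSTEM_HOSTS and not args:          # e.g. regsvr32.exe with no DLL
                r["argless_system_hosts"].append(exe)
        elif (m := REG_LINE.match(l)):
            parts = m["path"].split("\\")
            # Opaque hex name directly under HKLM/HKCU\SOFTWARE: config kept in the registry.
            if len(parts) > 2 and parts[1].upper() == "SOFTWARE" and HEX_NAME.match(parts[2]):
                r["opaque_software_keys"].add(parts[2])
            # IE rendering mode forced for a system binary that embeds no web content.
            if (len(parts) > 2 and parts[-2] == "FEATURE_BROWSER_EMULATION"
                    and parts[-1].lower() in SYSTEM_HOSTS):
                r["browser_emulation_for_system_host"].append(parts[-1].lower())
        elif l.startswith("Creates File:"):
            path = value_of(l)
            low = path.lower()
            if low.endswith((".exe", ".dll", ".scr")) and any(mk in low for mk in USER_PROFILE_MARKERS):
                r["dropped_executables"].append(path)
        elif l.startswith("Deletes File:") and root and value_of(l).lower() == root.lower():
            r["self_delete"] = True
        elif l.startswith("HTTP POST:"):
            url = value_of(l)
            try:
                ipaddress.ip_address(urlparse(url).hostname or "")
                r["ip_literal_posts"].append(url)
            except ValueError:
                pass                                          # hostname, not an IP literal
        elif (m := DNS_LINE.match(l)):
            resolved.add(m["ip"])
        elif (m := FLOW_LINE.match(l)):
            r["unresolved_destinations"].add(m["ip"])
    # Connections to addresses that never appeared in a DNS answer did not come from
    # name resolution: they were hard-coded or handed out over the earlier POST.
    r["unresolved_destinations"] = sorted(r["unresolved_destinations"] - resolved,
                                          key=ipaddress.ip_address)
    r["opaque_software_keys"] = sorted(r["opaque_software_keys"])
    return r


if __name__ == "__main__":
    for key, val in triage_runtime(RUNTIME_TRACE).items():
        print(f"{key}: {val}")
```

The DNS-versus-flow correlation is the check that scales to the full flow list above: of the 27 distinct destinations, only 134.170.188.221 (microsoft.com) and 23.3.98.32 (the Akamai name) have a matching A record in the capture, so the remaining ones are worth pivoting on as infrastructure rather than as collateral CDN traffic.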
