Analysis Date: 2018-02-02 08:00:29
MD5: d7672bf72886bc3e4231c4a37a900932
SHA1: 19c933fd23baec0c0c9d670ca91b185679063a59

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash:

AV detections (vendor: signature):
Arcabit (arcavir): Generic.Malware.SMP!Pk!g.B8D96178
Arcabit (arcavir): Gen:Variant.Razy.232982
Authentium: W32/Trojan.BDD.gen!Eldorado
Grisoft (avg): Error Scanning File
Avira (antivir): TR/BAS.Samca.jftit
Alwil (avast): Emotet-AI [Trj]
Alwil (avast): GenMalicious-EUW [Trj]
Ad-Aware: Generic.Malware.SMP!Pk!g.B8D96178
BitDefender: Generic.Malware.SMP!Pk!g.B8D96178
BullGuard: Generic.Malware.SMP!Pk!g.B8D96178
ClamAV: Win.Worm.Untukmu-5949608-0
Dr. Web: Trojan.DownLoader7.3730
Emsisoft: Generic.Malware.SMP!Pk!g.B8D96178
MicroWorld (escan): Generic.Malware.SMP!Pk!g.B8D96178
CA (E-Trust Ino): Generic.Malware.SMP!Pk!g.B8D96178
Fortinet: W32/Regrun.PKE!tr
Frisk (f-prot): W32/Kovtex.B!Generic
F-Secure: Generic.Malware.SMP!Pk!g.B8D96178
Ikarus: Trojan.Win32.Patched
K7: Trojan ( 0040f6141 )
Kaspersky: Trojan-Ransom.Win32.Blocker.kpuo
MalwareBytes: Error Scanning File
Mcafee: W32/Rontokbro.gen@MM
Microsoft Security Essentials: No Virus
NANO: Trojan.Win32.Regrun.dxtouo
Eset (nod32): Win32/VB.ORD worm
Padvish: Trojan.Win32.Regrun.pke
CAT (quickheal): Worm.Ludbaruma.A3
Rising: Worm.Win32.VBInjectEx.a
360 Safe: No Virus
SUPERAntiSpyware: Error Scanning File
Symantec: SMG.Heur!gen
Trend Micro: TSPY_LU.85367EC1
Twister: W32.VB.ET.kide.arc
VirusBlokAda (vba32): Trojan.Regrun
Windows Defender: Worm:Win32/Ludbaruma.A
Zillya!: Error Scanning File

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\THX1138\AppData\Local\Temp\19c933fd23baec0c0c9d670ca91b185679063a59.exe

Creates File: C:\Users\THX1138\AppData\Local\Temp\~DF8A293126D35FB090.TMP
Creates File: C:\
Creates File: C:\Users\THX1138\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\THX1138\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db
Creates File: C:\Users\desktop.ini
Creates File: C:\Users
Creates File: C:\Users\THX1138
Creates File: C:\Users\THX1138\Documents\desktop.ini
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE ➝ C:\Windows\system32\Mig~mig.SCR
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure ➝ 0
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut ➝ 600
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xk ➝ C:\Windows\xk.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS ➝ C:\Users\THX1138\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ServiceTHX1138 ➝ C:\Users\THX1138\Local Settings\Application Data\WINDOWS\SERVICES.EXE
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonTHX1138 ➝ C:\Users\THX1138\Local Settings\Application Data\WINDOWS\CSRSS.EXE
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring ➝ C:\Users\THX1138\Local Settings\Application Data\WINDOWS\LSASS.EXE
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell ➝ C:\Windows\xk.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ Explorer.exe "C:\Windows\system32\IExplorer.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\Windows\system32\userinit.exe,C:\Windows\system32\IExplorer.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger ➝ "C:\Windows\system32\Shell.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\(Default) ➝ File Folder
Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPathAddress ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ 0
Creates Mutex
Creates Mutex

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .
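The only traffic in the capture is the Windows Network Connectivity Status Indicator probe (GET /ncsi.txt from www.msftncsi.com with User-Agent "Microsoft NCSI"), which the OS issues on its own to test internet connectivity; it is not sample-generated traffic and should not be recorded as a C2 indicator. The Python below is an added example and not part of the original report: it reassembles the report's dump format (offset, byte count, hex words, ASCII gutter) into bytes, checking that successive offsets are contiguous so a truncated dump is reported rather than silently mis-parsed, then decodes the HTTP request and labels it as the NCSI probe. The dump text is copied from the lines above; the function names are this example's own.

```python
import re

# Copy of the report's raw dump lines (offset, byte count, hex words, ASCII gutter).
RAW_DUMP = """\
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .
"""

DUMP_LINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+\(\d+\)\s+(.*)$")


def parse_hexdump(text):
    """Reassemble dump lines into bytes.

    The hex field and the ASCII gutter are separated by two or more spaces, so the
    split happens there instead of trusting the gutter (which can itself look like
    hex). Each line's offset must equal the byte count so far; a mismatch means the
    dump is truncated or lines are missing, which is raised rather than hidden."""
    data = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError(f"gap in dump: line at 0x{offset:x} but {len(data)} bytes so far")
        hex_field = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        data += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(data)


def parse_http_request(raw):
    """Split an HTTP/1.x request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, val = h.partition(":")
        headers[name.strip().lower()] = val.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def classify_request(req):
    """Label the Windows NCSI connectivity probe; everything else stays unclassified."""
    h = req["headers"]
    if (req["method"] == "GET" and req["target"] == "/ncsi.txt"
            and h.get("host", "").lower() == "www.msftncsi.com"
            and h.get("user-agent") == "Microsoft NCSI"):
        return "windows-ncsi-probe"
    return "unclassified"


if __name__ == "__main__":
    raw = parse_hexdump(RAW_DUMP)
    req = parse_http_request(raw)
    print(len(raw), "bytes:", req["method"], req["target"], req["version"])
    print("host:", req["headers"].get("host"), "->", classify_request(req))
```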


Strings