Analysis Date: 2015-10-13 13:59:30
MD5: 6c3472d17f5c724a264a82c34f6329ea
SHA1: 200fe8254f6a1594d000150b4f6299c7824fec4d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a57780e03d09802c7bb4df83e7902f9d sha1: 07dfad5e1570eaf3e4d66e68d082d4ff6d1f1103 size: 228352
Section .data: md5: 9fa34b80c8b51266e87279c17ef106b0 sha1: e406d6a6d5c617a3a724bb726f999a7f4a691679 size: 20480
Section .rdata: md5: 862b1c34bcfcf458e332c403f6f15a1f sha1: 4a2f5f559f5998cae8f0a5a60eb943faa94f1cac size: 40448
Section .eh_fram: md5: 2b67fcd311a590f23f39d8f8c9086790 sha1: bcc0dbd533e940f68de089aa807ba6c4f2b0d578 size: 40448
Section .bss: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata: md5: 848d8e576094fdf1968b512c31361f25 sha1: 9b63d319df6a7271c9b4ce75a71ed3331ecb6854 size: 6656
Section .CRT: md5: 4cf4854f3f9d39d57380f86e6c04b452 sha1: d78a7e84270d482b4289d7f20c0aa4e78346c29b size: 512
Section .tls: md5: bb26d9c5aefc6c61ade45477c4a18756 sha1: a12bdb7979d4d623e99c865ceac89938b586550d size: 512
Timestamp: 2015-03-05 05:59:47
PEhash: 7ee3b384bcd99b546a1b02f26b355eae405c4017
IMPhash: c73fa031b104a8a2c62401f19fc2fd56
AV CA (E-Trust Ino): no_virus
AV MalwareBytes: no_virus
AV Rising: no_virus
AV Mcafee: Trojan-FGOJ!6C3472D17F5C
AV Avira (antivir): TR/ATRAPS.A.8930
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.51758
AV Alwil (avast): Agent-AZPC [Trj]
AV Eset (nod32): Win32/Agent.XDQ
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g16
AV Fortinet: W32/Agent.XDQ!tr
AV BitDefender: Gen:Variant.Symmi.51758
AV K7: Trojan ( 004c988e1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!acf
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV Authentium: W32/S-6a8c3109!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Staser
AV Emsisoft: Gen:Variant.Symmi.51758
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.51758
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader16.44882
AV F-Secure: Gen:Variant.Symmi.51758

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\vj2i9nmf\spnbrjswmm
Creates File: C:\WINDOWS\vj2i9nmf\spnbrjswmm
Creates File: C:\vj2i9nmf\kj2xtawlcgk0twpovfce8.exe
Deletes File: C:\WINDOWS\vj2i9nmf\spnbrjswmm
Creates Process: C:\vj2i9nmf\kj2xtawlcgk0twpovfce8.exe

Process
↳ C:\vj2i9nmf\kj2xtawlcgk0twpovfce8.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\BitLocker System Office Security Health ➝ C:\vj2i9nmf\tatswwzphjkc6.exe
Creates File: C:\vj2i9nmf\tatswwzphjkc6.exe
Creates File: C:\vj2i9nmf\spnbrjswmm
Creates File: C:\WINDOWS\vj2i9nmf\spnbrjswmm
Creates File: PIPE\lsarpc
Creates File: C:\vj2i9nmf\i3iwmqnjj
Deletes File: C:\WINDOWS\vj2i9nmf\spnbrjswmm
Creates Process: C:\vj2i9nmf\tatswwzphjkc6.exe
Creates Service: Class Security Tools Protected Adaptive - C:\vj2i9nmf\tatswwzphjkc6.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: WMIDataDevice

Process
↳ Pid 816

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\TATSWWZPHJKC6.EXE-314EE332.pf
Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File: C:\WINDOWS\Prefetch\200FE8254F6A1594D000150B4F629-3649988E.pf
Creates File: C:\WINDOWS\Prefetch\KJ2XTAWLCGK0TWPOVFCE8.EXE-0920A95E.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\JXRJINU6.EXE-0E75B8D1.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1220

Process
↳ Pid 1308

Process
↳ Pid 1872

Process
↳ Pid 1560

Process
↳ C:\vj2i9nmf\tatswwzphjkc6.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\vj2i9nmf\jxrjinu6.exe
Creates File: C:\vj2i9nmf\spnbrjswmm
Creates File: C:\WINDOWS\vj2i9nmf\spnbrjswmm
Creates File: C:\vj2i9nmf\oxecnpo
Creates File: C:\vj2i9nmf\i3iwmqnjj
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\vj2i9nmf\spnbrjswmm
Creates Process: soahoslls4i7 "c:\vj2i9nmf\tatswwzphjkc6.exe"

Process
↳ C:\vj2i9nmf\tatswwzphjkc6.exe

Creates File: C:\vj2i9nmf\spnbrjswmm
Creates File: C:\WINDOWS\vj2i9nmf\spnbrjswmm
Deletes File: C:\WINDOWS\vj2i9nmf\spnbrjswmm

Process
↳ soahoslls4i7 "c:\vj2i9nmf\tatswwzphjkc6.exe"

Creates File: C:\vj2i9nmf\spnbrjswmm
Creates File: C:\WINDOWS\vj2i9nmf\spnbrjswmm
Deletes File: C:\WINDOWS\vj2i9nmf\spnbrjswmm

Network Details:

DNS: genevieveanthonyson.net (Type: A) ➝ 195.22.26.252
DNS: genevieveanthonyson.net (Type: A) ➝ 195.22.26.253
DNS: genevieveanthonyson.net (Type: A) ➝ 195.22.26.254
DNS: genevieveanthonyson.net (Type: A) ➝ 195.22.26.231
DNS: catherinewilliamson.net (Type: A) ➝ 184.168.221.63
DNS: stephaniebrassington.net (Type: A)
DNS: charlotteecclestone.net (Type: A)
DNS: stephanieecclestone.net (Type: A)
DNS: charlottechamberlain.net (Type: A)
DNS: stephaniechamberlain.net (Type: A)
DNS: charlotteanthonyson.net (Type: A)
DNS: stephanieanthonyson.net (Type: A)
DNS: kimberlynbrassington.net (Type: A)
DNS: glanvillebrassington.net (Type: A)
DNS: kimberlynecclestone.net (Type: A)
DNS: glanvilleecclestone.net (Type: A)
DNS: kimberlynchamberlain.net (Type: A)
DNS: glanvillechamberlain.net (Type: A)
DNS: kimberlynanthonyson.net (Type: A)
DNS: glanvilleanthonyson.net (Type: A)
DNS: jessaminebrassington.net (Type: A)
DNS: genevievebrassington.net (Type: A)
DNS: jessamineecclestone.net (Type: A)
DNS: genevieveecclestone.net (Type: A)
DNS: jessaminechamberlain.net (Type: A)
DNS: genevievechamberlain.net (Type: A)
DNS: jessamineanthonyson.net (Type: A)
DNS: zechariahbrassington.net (Type: A)
DNS: marmadukebrassington.net (Type: A)
DNS: zechariahecclestone.net (Type: A)
DNS: marmadukeecclestone.net (Type: A)
DNS: zechariahchamberlain.net (Type: A)
DNS: marmadukechamberlain.net (Type: A)
DNS: zechariahanthonyson.net (Type: A)
DNS: marmadukeanthonyson.net (Type: A)
DNS: kristopherwilliamson.net (Type: A)
DNS: cassandrawilliamson.net (Type: A)
DNS: kristopherherbertson.net (Type: A)
DNS: cassandraherbertson.net (Type: A)
DNS: kristopherwhittemore.net (Type: A)
DNS: cassandrawhittemore.net (Type: A)
DNS: kristopherderrickson.net (Type: A)
DNS: cassandraderrickson.net (Type: A)
DNS: maximilianwilliamson.net (Type: A)
DNS: kimberleewilliamson.net (Type: A)
DNS: maximilianherbertson.net (Type: A)
DNS: kimberleeherbertson.net (Type: A)
DNS: maximilianwhittemore.net (Type: A)
DNS: kimberleewhittemore.net (Type: A)
DNS: maximilianderrickson.net (Type: A)
DNS: kimberleederrickson.net (Type: A)
DNS: catherinawilliamson.net (Type: A)
DNS: catherinaherbertson.net (Type: A)
DNS: catherineherbertson.net (Type: A)
DNS: catherinawhittemore.net (Type: A)
DNS: catherinewhittemore.net (Type: A)
DNS: catherinaderrickson.net (Type: A)
DNS: catherinederrickson.net (Type: A)
DNS: antonettewilliamson.net (Type: A)
DNS: madeleinewilliamson.net (Type: A)
DNS: antonetteherbertson.net (Type: A)
DNS: madeleineherbertson.net (Type: A)
DNS: antonettewhittemore.net (Type: A)
DNS: madeleinewhittemore.net (Type: A)
DNS: antonettederrickson.net (Type: A)
DNS: madeleinederrickson.net (Type: A)
DNS: charlottewilliamson.net (Type: A)
DNS: stephaniewilliamson.net (Type: A)
DNS: charlotteherbertson.net (Type: A)
DNS: stephanieherbertson.net (Type: A)
DNS: charlottewhittemore.net (Type: A)
DNS: stephaniewhittemore.net (Type: A)
DNS: charlottederrickson.net (Type: A)
DNS: stephaniederrickson.net (Type: A)
DNS: kimberlynwilliamson.net (Type: A)
DNS: glanvillewilliamson.net (Type: A)
DNS: kimberlynherbertson.net (Type: A)
DNS: glanvilleherbertson.net (Type: A)
DNS: kimberlynwhittemore.net (Type: A)
DNS: glanvillewhittemore.net (Type: A)
DNS: kimberlynderrickson.net (Type: A)
DNS: glanvillederrickson.net (Type: A)
DNS: jessaminewilliamson.net (Type: A)
DNS: genevievewilliamson.net (Type: A)
DNS: jessamineherbertson.net (Type: A)
DNS: genevieveherbertson.net (Type: A)
DNS: jessaminewhittemore.net (Type: A)
DNS: genevievewhittemore.net (Type: A)
HTTP GET: http://genevieveanthonyson.net/index.php
User-Agent:
HTTP GET: http://catherinewilliamson.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1033 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.63:80
