Analysis Date: 2014-10-09 07:14:49
MD5: 8b6fcf7135e8190b9cb0c4e429601c49
SHA1: 2229a2ce9b1e70c76fcfd6ff53593bb8c8ee54b4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: 3243870635f70c53b35d882af8bd2109 sha1: f7491d8d8841cc89199f2d5682baabfef12b5681 size: 65024
Section DATA md5: 031feb471537cd10c2dc3605fa3f3455 sha1: 519d9ef2a7e201d56eb64041fdb9e947fc280795 size: 151552
Section RSRC4 md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section RSRC9 md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section RSRC1 md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section RSRC3 md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section RSRC0 md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section RSRC7 md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section RSRC2 md5: 28a90b2ace8accafe37e69c0d7c0a33f sha1: 9dee1462f30a55a29c4bc270d7aa1c2e2508f79c size: 3584
Section .rsrc md5: 184dfc77ccd6da452bf7493377a6babe sha1: 2c4b0e8799e34b401178ddff84efe1e389908339 size: 1024
Timestamp: 2009-07-22 16:53:07
Version:
  LegalCopyright: Copyright© Extra Edition Windows Version 2011
  InternalName: Extrim Edition.exe
  FileVersion: 1.0.706.3172
  CompanyName: Avira GmbH
  ProductName: Extra Edition Version 2011
  ProductVersion: 1.0.706.3172
  FileDescription: Windows Setup API
  OriginalFilename: Extrim Edition.exe
Packer: FSG v1.10 (Eng) -> dulek/xt
PEhash: 79447edc66056289ed8cfd009cbfe01783ddece0
IMPhash: 51ce6716877feda26ba5e1557ae8749a
AV 360 Safe: Gen:Heur.FKP.1
AV Ad-Aware: Gen:Heur.FKP.1
AV Alwil (avast): MalOb-EA [Cryp]
AV Arcabit (arcavir): Heur.W32
AV Authentium: W32/FakeAlert.IV.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LX
AV ClamAV: Trojan.Crypt-362
AV Dr. Web: Trojan.PWS.Banker.53807
AV Emsisoft: Gen:Heur.FKP.1
AV Eset (nod32): Win32/Kryptik.JRD
AV Fortinet: W32/CodePack.CX!tr
AV Frisk (f-prot): W32/FakeAlert.IV.gen!Eldorado
AV F-Secure: Gen:Heur.FKP.1
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan.Win32.FakeAV
AV K7: Trojan ( 002056d81 )
AV Kaspersky: Packed.Win32.Krap.ih
AV MalwareBytes: Trojan.FraudPack.Gen
AV Mcafee: Downloader-CEW.q
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.FKP.1
AV Norman: winpe/Troj_Generic.WBDQY
AV Rising: Trojan.Win32.Generic.126F185A
AV Sophos: Mal/EncPk-NS
AV Symantec: Trojan.FakeAV!gen29
AV Trend Micro: TROJ_FAKEAV.SM2
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: Trojan.Kryptik.Win32.102851

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ozysaa.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Process: C:\WINDOWS\Ozysaa.exe
Creates Mutex: O5EAZCO1OX9RTKDO

Process
↳ C:\WINDOWS\Ozysaa.exe

Registry: HKEY_CURRENT_USER\Software\Z30KYPG3WS\OluE5 ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: O5EAZCO1OX9RTKDO

Network Details:

DNS: uol.com.br (Type: A) ➝ 200.147.67.142
DNS: uol.com.br (Type: A) ➝ 200.221.2.45
DNS: imageshack.us (Type: A) ➝ 208.94.1.8
DNS: imageshack.us (Type: A) ➝ 208.94.0.193

Strings