Analysis Date: 2015-11-18 23:57:03
MD5: 78a6ef16b67cef7f6d1a81fd238a9ae1
SHA1: 33a6ef04819277017ea42fb32f3692491468ecd7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 7a4f03646b2b10c39f4c43784e0eb9a2 sha1: d4ef20e0673c6fba9b800ec154c6cb8fed70d457 size: 15360
Section .rsrc md5: ab1f7ffa34a0b8c7e1d95b842d88ed12 sha1: 06ad811c3a0c5a96bdaac701652200f75aa09b29 size: 24576
Timestamp: 2015-10-16 15:27:15
Version: InternalName: DiplomWork3
FileVersion: 3.07.0237
CompanyName:
LegalTrademarks: This is the PIL handbook. This edition covers release 1.1.6 of the Python Imaging Library.
Comments: This is the PIL handbook. This edition covers release 1.1.6 of the Python Imaging Library.
ProductName: DiplomWork3
ProductVersion: 3.07.0237
FileDescription: This is the PIL handbook. This edition covers release 1.1.6 of the Python Imaging Library.
OriginalFilename: DiplomWork3.exe
Packer: UPX -> www.upx.sourceforge.net
PEhash: 606d0f554852f3804b431ff0af9a092937ed0c77
IMPhash: 369f3d28138a96673521f3ed260e22c6
AV Dr. Web: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Rising: no_virus
AV Eset (nod32): Win32/Kovter.D
AV Avira (antivir): no_virus
AV Ad-Aware: Trojan.Agent.BNOT
AV Ikarus: Trojan.Win32.Kovter
AV MicroWorld (escan): Trojan.Agent.BNOT
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV Arcabit (arcavir): Trojan.Agent.BNOT
AV Trend Micro: no_virus
AV MalwareBytes: Trojan.Kovter
AV F-Secure: Trojan.Agent.BNOT
AV CAT (quickheal): TrojanDownloader.Upatre.r3
AV Grisoft (avg): Generic_vb.JUB
AV Kaspersky: Trojan-Downloader.Win32.Upatre.fcna
AV Microsoft Security Essentials: Trojan:Win32/Kovter
AV Symantec: Trojan.Ransomlock.AK
AV Twister: W32.Kovter.D.iomr
AV Zillya!: Trojan.Virlock.Win32.30743
AV BitDefender: Trojan.Agent.BNOT
AV BullGuard: Trojan.Agent.BNOT
AV CA (E-Trust Ino): no_virus
AV Fortinet: W32/VB.UTPE!tr
AV Frisk (f-prot): no_virus
AV Emsisoft: Trojan.Agent.BNOT
AV Mcafee: RDN/Generic Downloader.x
AV ClamAV: no_virus
AV K7: Trojan ( 004c61ee1 )
AV Authentium: W32/Ransom.LJEP-7211

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Process: C:\malware.exe
Creates Process: C:\malware.exe
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: regsvr32.exe

Process
↳ C:\malware.exe

Process
↳ C:\malware.exe

Process
↳ C:\malware.exe

Process
↳ regsvr32.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_LOCAL_MACHINE\software\2a89521acd\7bf7927d ➝
875\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝
8888
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\software\2a89521acd\7bf7927d ➝
875\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1206 ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝
8888
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\udez\udez.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\204.32.215[1].htm
Creates File: \Device\Afd\Endpoint
Deletes File: c:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\204.32.215[1].htm
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DE7B2F08C5C35678
Creates Mutex: Global\A0B9737978FF60B0
Winsock DNS: microsoft.com
Winsock DNS: 204.32.215.40

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Creates Mutex: 5734B585673D7847

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\A40C3D5AF3298846851\0A2E4A2529F08705 ➝
0A2E4A2529F08705\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\138B584705EEAB990\27769F74168FCF2C ➝
27769F74168FCF2C\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart
Winsock DNS: download.microsoft.com

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs3.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\NETFX2~1.EXE
Deletes File: C:\WINDOWS\TEMP\scs3.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\TEMP\scs4.tmp
Creates File: C:\WINDOWS\TEMP\scs5.tmp
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\NETFX2~1.EXE
Deletes File: C:\WINDOWS\TEMP\scs4.tmp
Deletes File: C:\WINDOWS\TEMP\scs5.tmp

Network Details:

DNS: microsoft.com
Type: A
134.170.185.46
DNS: microsoft.com
Type: A
134.170.188.221
DNS: e3673.dspg.akamaiedge.net
Type: A
23.201.56.194
DNS: download.microsoft.com
Type: A
HTTP GET: http://microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://204.32.215.40/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
