Analysis Date: 2016-01-28 04:07:27
MD5: 9aaf73d6753d2fba2c17986012ff3e97
SHA1: 3408642732fde1d066ec4d2e1ab8ff61de29f37a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: af7084527254995e1e5ef5801ba95c80 sha1: 03c178e0fafdccaa4055c3acb5ba78d8d1b9d627 size: 545280
Section .rdata: md5: d2544a420ea4b1f42b503683ba63d35f sha1: 88ab5d48bc939c9747bba9171fcddc82aae4b95c size: 512
Section .data: md5: 76716d43af43232d895289111bd3e868 sha1: c5927b3666b9f38cdc4266cf35aea49713d35e16 size: 512
Section .rsrc: md5: 3d4a4eff8dde4584b58cbd065d2e1a1e sha1: 26ae33ceaf826161365a0dfa03c71f1af3d06959 size: 4608
Timestamp: 2015-01-06 00:36:08
PEhash: a29bc0c5c6482831ace2433711d4ade255f58cae
IMPhash: 7e637b038550f864d146ae4707b5e1de
AV Ad-Aware: Win32.Virlock.Gen.1
AV Grisoft (avg): Generic_r.EKW
AV CAT (quickheal): Ransom.VirLock.A2
AV Ikarus: Trojan-PWS.Win32.QQPass
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV K7: Trojan ( 0040f9f31 )
AV ClamAV: Win.Trojan.Virlock-8887
AV Kaspersky: Virus.Win32.PolyRansom.b
AV Arcabit (arcavir): Win32.Virlock.Gen.1
AV MalwareBytes: Trojan.VirLock
AV Dr. Web: Win32.VirLock.10
AV Mcafee: W32/VirRansom.b
AV BitDefender: Win32.Virlock.Gen.1
AV Microsoft Security Essentials: Virus:Win32/Nabucur.C
AV Emsisoft: Win32.Virlock.Gen.1
AV MicroWorld (escan): Win32.Virlock.Gen.1
AV Alwil (avast): MalOb-FE [Cryp]
AV Eset (nod32): Win32/Virlock.D virus
AV Rising: Trojan.Win32.PolyRansom.a
AV BullGuard: Win32.Virlock.Gen.1
AV Fortinet: W32/Zegost.ATDB!tr
AV Symantec: W32.Ransomlock.AO!inf4
AV Authentium: W32/S-b256b4b7!Eldorado
AV Trend Micro: PE_VIRLOCK.D
AV Frisk (f-prot): No Virus
AV Twister: W32.PolyRansom.b.brnk.mg
AV CA (E-Trust Ino): Win32/Nabucur.C
AV VirusBlokAda (vba32): Virus.VirLock
AV F-Secure: Win32.Virlock.Gen.1
AV Zillya!: Virus.Virlock.Win32.1

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\HAIIYoQg.bat
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\3408642732fde1d066ec4d2e1ab8ff61de29f37a
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\lkwMEkwM.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\lkwMEkwM.bat
Creates Process: "C:\3408642732fde1d066ec4d2e1ab8ff61de29f37a"
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\HAIIYoQg.bat" "C:\malware.exe""
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Process
↳ C:\3408642732fde1d066ec4d2e1ab8ff61de29f37a

Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\yCIgUkME.bat
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wGYcsYww.bat
Creates File: C:\3408642732fde1d066ec4d2e1ab8ff61de29f37a
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\yCIgUkME.bat
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: ""C:\Documents and Settings\Administrator\Local Settings\Temp\wGYcsYww.bat" "C:\malware.exe""
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: "C:\3408642732fde1d066ec4d2e1ab8ff61de29f37a"
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ "C:\3408642732fde1d066ec4d2e1ab8ff61de29f37a"

Creates Process: C:\3408642732fde1d066ec4d2e1ab8ff61de29f37a

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ "C:\3408642732fde1d066ec4d2e1ab8ff61de29f37a"

Creates Process: C:\3408642732fde1d066ec4d2e1ab8ff61de29f37a

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: Swgc.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates File: IMQs.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates File: C:\RCX2.tmp
Creates File: VgwM.exe
Creates File: C:\Documents and Settings\All Users\ICUk.txt
Creates File: WcYS.exe
Creates File: C:\RCX5.tmp
Creates File: mIMU.exe
Creates File: C:\RCX3.tmp
Creates File: C:\RCX10.tmp
Creates File: ykYY.exe
Creates File: C:\RCXB.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates File: C:\RCXF.tmp
Creates File: bikc.ico
Creates File: GQQq.exe
Creates File: SQIU.exe
Creates File: OUAW.exe
Creates File: mUQQ.ico
Creates File: aEEw.exe
Creates File: C:\RCXD.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: ewUM.ico
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\RCX6.tmp
Creates File: C:\RCXE.tmp
Creates File: C:\RCXA.tmp
Creates File: uGgE.ico
Creates File: RcYu.exe
Creates File: C:\RCX11.tmp
Creates File: gwQY.ico
Creates File: eoky.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates File: C:\RCXC.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates File: UQgQ.ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: Kwky.exe
Creates File: C:\RCX9.tmp
Creates File: SUAQ.ico
Creates File: yoMw.exe
Creates File: gWEY.ico
Creates File: keYc.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates File: OAIs.exe
Creates File: C:\RCX8.tmp
Creates File: NUcI.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates File: OKwM.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates File: CoQw.ico
Creates File: YGQs.ico
Creates File: ueQE.ico
Creates File: C:\RCX7.tmp
Creates File: yKQk.ico
Creates File: C:\RCX4.tmp
Creates File: aAMo.exe
Creates File: KWoA.ico
Creates File: KcsY.ico
Creates File: iwUi.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes File: Swgc.exe
Deletes File: Kwky.exe
Deletes File: SUAQ.ico
Deletes File: IMQs.exe
Deletes File: gWEY.ico
Deletes File: yoMw.exe
Deletes File: keYc.ico
Deletes File: VgwM.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes File: WcYS.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes File: OAIs.exe
Deletes File: NUcI.ico
Deletes File: ykYY.exe
Deletes File: OKwM.ico
Deletes File: bikc.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes File: GQQq.exe
Deletes File: SQIU.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes File: OUAW.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes File: aEEw.exe
Deletes File: CoQw.ico
Deletes File: mUQQ.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes File: YGQs.ico
Deletes File: ueQE.ico
Deletes File: ewUM.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes File: yKQk.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes File: aAMo.exe
Deletes File: RcYu.exe
Deletes File: KWoA.ico
Deletes File: KcsY.ico
Deletes File: gwQY.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes File: eoky.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes File: iwUi.exe
Deletes File: UQgQ.ico
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@
Starts Service: BgMMsMHT

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: \Device\Afd\Endpoint
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ Pid 1020

Process
↳ Pid 1208

Process
↳ Pid 1300

Process
↳ Pid 1848

Process
↳ Pid 1056

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\HAIIYoQg.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\wGYcsYww.bat" "C:\malware.exe""

Process
↳ C:\3408642732fde1d066ec4d2e1ab8ff61de29f37a

Network Details:

DNS: google.com
Type: A
216.58.219.142
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 216.58.219.142:80
Flows TCP: 192.168.1.1:1032 ➝ 216.58.219.142:80