Analysis Date: 2015-07-05 22:31:22
MD5: b50c24bff7597c7f503f6319c098d156
SHA1: 3464770ed7bb65f1663ce05c0ea140869a531791

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 771e81b77e3bc3a726dd011a31947b8c  sha1: eead2459f047388043a75ffe43def4821254c31a  size: 39424
Section .data  md5: 99858e86526942a66950c7139f78a725  sha1: 4031ea1fec36456937a750320b5b44764cfea07e  size: 1024
Section .rsrc  md5: b457c55768ccdd78f986bb7e3811b48e  sha1: 8115b55b93297b79ec4b6dc1f379cb752dc76fd8  size: 50688
Timestamp: 2008-04-13 18:32:45
Pdb path: wextract.pdb
Version:
  LegalCopyright: (C) Microsoft Corporation. All rights reserved.
  InternalName: Wextract
  FileVersion: 6.00.2900.5512 (xpsp.080413-2105)
  CompanyName: Microsoft Corporation
  ProductName: Microsoft(R) Windows(R) Operating System
  ProductVersion: 6.00.2900.5512
  FileDescription: Win32 Cabinet Self-Extractor
  OriginalFilename: WEXTRACT.EXE
Packer: Microsoft CAB SFX
PEhash: b851958a94f309d4eaa2b44726f4c2447300bc0b
IMPhash: 0ebb3c09b06b1666d307952e824c8697
AV CA (E-Trust Ino): no_virus
AV F-Secure: DeepScan:Generic.Malware.SYBd.EC830C0F
AV Dr. Web: Trojan.DownLoader10.13256
AV ClamAV: Trojan.Delf-9628
AV Arcabit (arcavir): DeepScan:Generic.Malware.SYBd.EC830C0F:DeepScan:Generic.Malware.SYBddld.E4A8A3F1
AV BullGuard: DeepScan:Generic.Malware.SYBd.EC830C0F
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Backdoor.Win32.Zegost.mswws
AV Zillya!: no_virus
AV Emsisoft: DeepScan:Generic.Malware.SYBd.EC830C0F
AV Ikarus: Win32.SuspectCrc
AV Frisk (f-prot): W32/Dropper.AHIP
AV Authentium: W32/Risk.KRZM-0127
AV MalwareBytes: no_virus
AV MicroWorld (escan): DeepScan:Generic.Malware.SYBd.EC830C0F
AV Microsoft Security Essentials: no_virus
AV K7: Trojan ( 004abf9e1 )
AV BitDefender: DeepScan:Generic.Malware.SYBd.EC830C0F
AV Fortinet: no_virus
AV Symantec: no_virus
AV Grisoft (avg): Win32/DH{gQwBCTY6KTkP}
AV Eset (nod32): no_virus
AV Alwil (avast): Downloader-E [Trj]
AV Ad-Aware: DeepScan:Generic.Malware.SYBd.EC830C0F
AV Twister: Trojan.9B76DC5E97B82F08
AV Avira (antivir): TR/Dropper.Gen
AV Mcafee: no_virus
AV Rising: Trojan.Win32.Generic.136E0A1B
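
The per-section hashes, sizes and the timestamp in the static details come straight from the PE headers: each section is hashed over SizeOfRawData bytes starting at PointerToRawData, and the timestamp is the COFF TimeDateStamp (2008-04-13 here, which agrees with the xpsp.080413 build tag in the version resource, as expected for a genuine Windows XP SP3 wextract.exe stub). A Wextract/IExpress package keeps Microsoft's stub code unchanged and carries its payload CAB in the resource section, so comparing per-section hashes against a known-good wextract.exe isolates the part that was actually altered. The Python below is an added example, not tooling from the report or the sandbox: it parses the section table, reproduces the hashes the report lists, decodes the timestamp, and reports which sections differ from a reference. The build_minimal_pe helper and the STUB/REPACKED byte strings are constructed test input and are not the analysed sample.

```python
import hashlib
import struct
from datetime import datetime, timezone

FILE_ALIGN = 0x200
OPT_HDR_SIZE = 0xE0            # PE32 optional header length
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def _align(n, a=FILE_ALIGN):
    return (n + a - 1) // a * a


def build_minimal_pe(sections, timestamp):
    """Hypothetical helper: assemble a tiny PE32 image from (name, bytes) pairs.
    Only the fields a section-hashing tool reads are filled in; the image is not
    loadable and exists purely as constructed, offline test input."""
    n = len(sections)
    headers_len = _align(0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * n)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack(COFF_HDR, 0x14C, n, timestamp, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(OPT_HDR_SIZE, b"\0")      # PE32 magic, rest zero
    table, body, raw_ptr = b"", b"", headers_len
    for i, (name, data) in enumerate(sections):
        raw_size = _align(len(data))
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                             len(data), 0x1000 * (i + 1), raw_size, raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + coff + opt + table).ljust(headers_len, b"\0") + body


def parse_pe(data):
    """Walk the COFF header and section table; hash each section's raw bytes the
    way the report does (MD5/SHA1 over SizeOfRawData bytes at PointerToRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, e_lfanew + 4)
    table_off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            # Header promises bytes the file does not contain: truncated or crafted input.
            raise ValueError(f"section {name!r} runs past end of file")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "size": raw_size,
        })
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def changed_sections(parsed, reference):
    """Names of sections whose MD5 differs from a known-good {name: md5} map.
    For an SFX stub repacked with a new payload only the resource section should move."""
    return [s["name"] for s in parsed["sections"] if reference.get(s["name"]) != s["md5"]]


# Constructed input: a "clean" stub and a repacked copy whose .rsrc (where the CAB lives) differs.
STUB = [(".text", b"\x55\x8b\xec" * 64), (".data", b"\0" * 32), (".rsrc", b"MSCF" + b"A" * 100)]
REPACKED = STUB[:2] + [(".rsrc", b"MSCF" + b"B" * 400)]
LINK_TS = 1208111565   # 2008-04-13 18:32:45 UTC, the link timestamp the report shows

if __name__ == "__main__":
    reference = {s["name"]: s["md5"] for s in parse_pe(build_minimal_pe(STUB, LINK_TS))["sections"]}
    repacked = parse_pe(build_minimal_pe(REPACKED, LINK_TS))
    print(repacked["timestamp"], changed_sections(repacked, reference))
```

Run the same parse_pe over a real sample and over a genuine wextract.exe of the same version: if only .rsrc differs, the stub is unmodified and the resource section is where to carve the CAB from.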

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 ➝ rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\"\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\vchotte.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\TMP4351$.TMP
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\vchotte.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ cmd.exe /c C:\Documents and Settings\Administrator\Local Settings\Temp\~1.bat C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\vchotte.exe

Creates Process: net stop sharedaccess

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\vchotte.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~1.bat
Creates Process: cmd.exe /c C:\Documents and Settings\Administrator\Local Settings\Temp\~1.bat C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\vchotte.exe

Process
↳ net stop sharedaccess

Creates Process: net1 stop sharedaccess

Process
↳ net1 stop sharedaccess
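
The process tree above is the usual CAB self-extractor chain: the stub unpacks into %Temp%\IXP000.TMP and registers its own cleanup under RunOnce (the advpack.dll DelNodeRunDLL32 entry is standard wextract behaviour, not the malicious part), then launches the dropped vchotte.exe, which writes ~1.bat and runs it through cmd.exe /c; that batch stops the SharedAccess service, which on Windows XP is the Windows Firewall / Internet Connection Sharing service. None of the steps is damning alone; the chain is. The Python below is an added example, not part of the report: a small detector run over the report's events rewritten as dicts, with process IDs and parent IDs assumed because the report records none, that flags the chain and de-duplicates the net/net1 pair.

```python
import re

# Constructed from the report's Runtime Details. PIDs/ppids are assumed (the
# report has none); paths and command lines are copied from the report.
EVENTS = [
    {"type": "process", "pid": 1, "ppid": 0, "cmd": r"C:\malware.exe"},
    {"type": "registry", "pid": 1,
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 '
              r'"C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\"'},
    {"type": "file", "pid": 1, "path": r"C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\vchotte.exe"},
    {"type": "file", "pid": 1, "path": r"C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\TMP4351$.TMP"},
    {"type": "process", "pid": 2, "ppid": 1, "cmd": r"C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\vchotte.exe"},
    {"type": "file", "pid": 2, "path": r"C:\Documents and Settings\Administrator\Local Settings\Temp\~1.bat"},
    {"type": "process", "pid": 3, "ppid": 2,
     "cmd": r"cmd.exe /c C:\Documents and Settings\Administrator\Local Settings\Temp\~1.bat C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\vchotte.exe"},
    {"type": "process", "pid": 4, "ppid": 3, "cmd": "net stop sharedaccess"},
    {"type": "process", "pid": 5, "ppid": 4, "cmd": "net1 stop sharedaccess"},
]

TEMP_DIR = re.compile(r"\\Local Settings\\Temp\\", re.I)
SFX_DIR = re.compile(r"(.*\\Temp\\IXP\d{3}\.TMP)\\", re.I)            # wextract's extraction folder
CMD_BAT = re.compile(r"^cmd(?:\.exe)?\s+/c\s+(.+?\.bat)(?:\s|$)", re.I)
STOP_FIREWALL = re.compile(r"^net1?(?:\.exe)?\s+stop\s+sharedaccess\b", re.I)  # SharedAccess = Windows Firewall/ICS


def image_of(cmd):
    """Image path from a quoted or unquoted command line (spaces allowed in the path)."""
    m = re.match(r'"?(.*?\.exe)"?(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def analyse(events):
    """Return (severity, description, process_chain) findings for a sandbox event list."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = {}            # lowercase path -> pid that created it
    sfx_dirs_seen = set()
    findings = []

    def chain(pid):
        names = []
        while pid in procs:
            names.append(image_of(procs[pid]["cmd"]).rsplit("\\", 1)[-1])
            pid = procs[pid]["ppid"]
        return " -> ".join(reversed(names))

    for e in events:
        if e["type"] == "registry":
            if "\\runonce\\wextract_cleanup" in e["key"].lower():
                findings.append(("info", "wextract cleanup RunOnce entry (standard CAB SFX behaviour)", chain(e["pid"])))
        elif e["type"] == "file":
            if TEMP_DIR.search(e["path"]):
                dropped[e["path"].lower()] = e["pid"]
            m = SFX_DIR.match(e["path"])
            if m and (e["pid"], m.group(1).lower()) not in sfx_dirs_seen:
                sfx_dirs_seen.add((e["pid"], m.group(1).lower()))
                findings.append(("info", f"CAB payload extracted into {m.group(1)}", chain(e["pid"])))
        elif e["type"] == "process":
            img = image_of(e["cmd"])
            if dropped.get(img.lower()) == e["ppid"]:
                findings.append(("medium", f"parent runs a binary it dropped in Temp: {img}", chain(e["pid"])))
            m = CMD_BAT.match(e["cmd"])
            if m and dropped.get(m.group(1).lower()) == e["ppid"]:
                findings.append(("medium", f"parent runs a batch file it dropped via cmd.exe /c: {m.group(1)}", chain(e["pid"])))
            parent = procs.get(e["ppid"])
            # net.exe hands the actual work to net1.exe; report the pair once.
            if STOP_FIREWALL.match(e["cmd"]) and not (parent and STOP_FIREWALL.match(parent["cmd"])):
                findings.append(("high", "stops the SharedAccess (Windows Firewall/ICS) service", chain(e["pid"])))
    return findings


def verdict(findings):
    order = {"info": 0, "medium": 1, "high": 2}
    return max((f[0] for f in findings), key=order.get, default="clean")


if __name__ == "__main__":
    for sev, what, via in analyse(EVENTS):
        print(f"[{sev}] {what}  ({via})")
    print("verdict:", verdict(analyse(EVENTS)))
```

The "medium" rules deliberately require the parent to be the process that dropped the file, so a user double-clicking something in Temp does not trip them; the "high" rule fires on the service stop regardless of who requested it, since a legitimate installer has no reason to shut down the firewall.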

Network Details:
