Analysis Date: 2013-08-05 15:50:00
MD5: 801c751d08f5df3af830af0007574c11
SHA1: 37a9f1320abccaa59ea92574483c91af756ab30e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .pdata: md5: 28e5b5e5a2262119447c94e2918748b0 sha1: cbcc808582e4adbad530ea0c3509f78666a6e9fe size: 43399
Section .ex_cod: md5: ba4f5e9b101e0f4ceb73b3717d7671a7 sha1: 6da4bfd6f9f9bb99fdf1c8776e637c934c06f24d size: 33295
Section lqexxwh: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .epdata: md5: b5b9bc0efcde012902c398b5f382ca78 sha1: 785d56d751c862ecaf7c8dfd35161390b442d5cd size: 61440
Timestamp: 2003-11-19 14:00:18
PEhash: 716430b536ff41ac5d59bb100f0d78c1df730262
AV msse: Virus:Win32/Sality.AM
AV clamav: W32.Sality-27

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Administrator914\-993627007\1768776769 ➝ 242
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:ipsec
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\systemdates ➝ C:\malware.exe\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Administrator914\A1_0 ➝ 316296286
Creates File: C:\12769
Creates File: c:\sdfeww.bat
Creates File: C:\WINDOWS\system32\smsc.exe
Creates File: C:\WINDOWS\SYSTEM.INI
Creates File: PIPE\SfcApi
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\12fe4
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\12769
Deletes File: C:\12fe4
Creates Process: cmd /c net start SharedAccess
Creates Process: cmd /c net stop "Security Center"
Creates Process: c:\sdfeww.bat
Creates Process: C:\WINDOWS\system32\NOTEPAD.EXE
Creates Process: C:\WINDOWS\system32\TELNET.EXE
Creates Process: cmd /c net stop SharedAccess
Creates Mutex: notepad.exeM_1848_
Creates Mutex: userinit.exeM_208_
Creates Mutex: Op1mutx9
Creates Mutex: alg.exeM_1852_
Creates Mutex: cmd.exeM_2080_
Creates Mutex: net.exeM_2360_
Creates Mutex: svchost.exeM_1076_
Creates Mutex: cmd.exeM_2040_
Creates Mutex: cmd.exeM_1500_
Creates Mutex: net1.exeM_1520_
Creates Mutex: services.exeM_612_
Creates Mutex: svchost.exeM_1004_
Creates Mutex: smss.exeM_320_
Creates Mutex: csrss.exeM_544_
Creates Mutex: net1.exeM_2940_
Creates Mutex: svchost.exeM_780_
Creates Mutex: malware.exeM_1176_
Creates Mutex: svchost.exeM_1052_
Creates Mutex: telnet.exeM_2060_
Creates Mutex: cmd.exeM_1912_
Creates Mutex: net.exeM_2268_
Creates Mutex: reader_sl.exeM_444_
Creates Mutex: svchost.exeM_840_
Creates Mutex: svchost.exeM_1088_
Creates Mutex: cmd.exeM_3296_
Creates Mutex: net.exeM_1896_
Creates Mutex: cmd.exeM_1740_
Creates Mutex: smsc.exeM_2168_
Creates Mutex: monitor.exeM_1104_
Creates Mutex: explorer.exeM_244_
Creates Mutex: spoolsv.exeM_1348_
Creates Mutex: winlogon.exeM_568_
Creates Mutex: lsass.exeM_624_
Creates Service: Print Spooler Monitor - C:\WINDOWS\system32\smsc.exe
Starts Service: PrtSmanm

Process
↳ cmd /c net stop "Security Center"

Creates Process: net stop "Security Center"
Creates Mutex: cmd.exeM_1500_
Creates Mutex: Op1mutx9

Process
↳ c:\sdfeww.bat

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\7684d.reg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\7684d.reg
Deletes File: c:\sdfeww.bat
Creates Process: REGEDIT /S C:\Documents and Settings\Administrator\Local Settings\Temp\7684d.reg

Process
↳ cmd /c net start SharedAccess

Creates Process: net start SharedAccess
Creates Mutex: cmd.exeM_1912_
Creates Mutex: Op1mutx9

Process
↳ cmd /c net start SharedAccess

Creates Process: net start SharedAccess

Process
↳ c:\sdfeww.bat

Creates File: C:\WINDOWS\TEMP\7684d.reg
Deletes File: C:\WINDOWS\TEMP\7684d.reg
Deletes File: c:\sdfeww.bat
Creates Process: REGEDIT /S C:\WINDOWS\TEMP\7684d.reg

Process
↳ cmd /c net stop "Security Center"

Process
↳ cmd /c net stop SharedAccess

Creates Process: net stop SharedAccess

Process
↳ cmd /c net stop SharedAccess

Creates Process: net stop SharedAccess

Process
↳ C:\WINDOWS\system32\userinit.exe

Creates Mutex: userinit.exeM_208_
Creates Mutex: Op1mutx9

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime ➝ NULL
Creates Mutex: explorer.exeM_244_
Creates Mutex: Op1mutx9

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Creates Mutex: reader_sl.exeM_444_
Creates Mutex: Op1mutx9

Process
↳ C:\WINDOWS\system32\NOTEPAD.EXE

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\smsc.exe

Creates File: pipe\net\NtControlPipe10
Creates File: c:\sdfeww.bat
Deletes File: C:\malware.exe
Creates Process: cmd /c net start SharedAccess
Creates Process: cmd /c net stop "Security Center"
Creates Process: c:\sdfeww.bat
Creates Process: cmd /c net stop SharedAccess
Creates Mutex: dfgregrethgsnghjdg434grthgwer443we123
Creates Mutex: Op1mutx9

Process
↳ net stop "Security Center"

Creates Process: net1 stop "Security Center"
Creates Mutex: Op1mutx9

Process
↳ net start SharedAccess

Creates Process: net1 start SharedAccess
Creates Mutex: net.exeM_2360_
Creates Mutex: Op1mutx9

Process
↳ C:\WINDOWS\system32\TELNET.EXE

Process
↳ net1 start SharedAccess

Creates Mutex: net1.exeM_2940_
Creates Mutex: Op1mutx9
Starts Service: SHAREDACCESS

Process
↳ REGEDIT /S C:\Documents and Settings\Administrator\Local Settings\Temp\7684d.reg

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\W2KLpk ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxFreeTcbs ➝ 2000
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start ➝ 4
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start ➝ 2

Process
↳ net start SharedAccess

Creates Process: net1 start SharedAccess

Process
↳ REGEDIT /S C:\WINDOWS\TEMP\7684d.reg

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\W2KLpk ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxFreeTcbs ➝ 2000
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start ➝ 4
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start ➝ 2

Process
↳ net stop SharedAccess

Creates Process

Process
↳ net stop SharedAccess

Creates Process: net1 stop SharedAccess

Process
↳ net1 stop "Security Center"

Process
↳ net1 start SharedAccess

Process
↳ Pid 3736

Process
↳ net1 stop SharedAccess

Network Details:

Flows TCP: 192.168.1.1:1040 ➝ 60.165.98.198:8685
Flows TCP: 192.168.1.1:1040 ➝ 60.165.98.198:8685

Raw Pcap
0x00000000 (00000)   4e49434b 20555341 7c58507c 5350337c   NICK USA|XP|SP3|
0x00000010 (00016)   317c3736 32323239 33390d0a 55534552   1|76222939..USER
0x00000020 (00032)   20535033 2d363434 202a2030 203a434f    SP3-644 * 0 :CO
0x00000030 (00048)   4d505554 45522d58 58585858 580d0a     MPUTER-XXXXXX..


Strings