Analysis Date: 2015-10-07 19:36:01
MD5: 0105eba0c9a1a59b1e66b0514af46535
SHA1: 37d395535d189fb002e4e4f5a61d0ba78b661825

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8889c926deccabd023b92847a454d2c6 sha1: ef6ddc1f4a5efe4bd56c2c94341756793d399c53 size: 801792
Section .rdata: md5: 32a567f1209c0cce0d8f4fac2f44d36d sha1: 5ea2f501b8d7cd8fb08f786251c7cd6877c2f116 size: 60416
Section .data: md5: bc926b91baa19825267c0a273ee03184 sha1: 5f07fa4c203dd6634773e0df6b0f04ba7f66bb7d size: 381952
Timestamp: 2014-09-05 10:53:52
Packer: Microsoft Visual C++ ?.?
PEhash: c9c768608c9c4e061a4ef7e85e791cd2513aa2da
IMPhash: 8f70320e5d472710861ae31fc4a7fec8
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.Xpack.280267
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Kryptik.DXVJ
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: no_virus
AV Authentium: W32/Trojan.OYZL-9185
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_WONTON.SMJ1
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.KillFiles.29914
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\mlmhvthz\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\qcoziky1lfpuieexzyiwr.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\qcoziky1lfpuieexzyiwr.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\qcoziky1lfpuieexzyiwr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PC Player Detection User-mode Parental ➝ C:\WINDOWS\system32\yhjqhphyvx.exe
Creates File: C:\WINDOWS\system32\yhjqhphyvx.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\mlmhvthz\etc
Creates File: C:\WINDOWS\system32\mlmhvthz\tst
Creates File: C:\WINDOWS\system32\mlmhvthz\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\yhjqhphyvx.exe
Creates Service: Class Protected Debugger HomeGroup - C:\WINDOWS\system32\yhjqhphyvx.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1108

Process
↳ C:\WINDOWS\system32\yhjqhphyvx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\mlmhvthz\tst
Creates File: C:\WINDOWS\system32\elimvbuxzgvr.exe
Creates File: C:\WINDOWS\system32\mlmhvthz\lck
Creates File: C:\WINDOWS\TEMP\qcoziky1rsfui.exe
Creates File: C:\WINDOWS\system32\mlmhvthz\run
Creates File: C:\WINDOWS\system32\mlmhvthz\rng
Creates File: C:\WINDOWS\system32\mlmhvthz\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\qcoziky1rsfui.exe -r 21000 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\yhjqhphyvx.exe"

Process
↳ C:\WINDOWS\system32\yhjqhphyvx.exe

Creates File: C:\WINDOWS\system32\mlmhvthz\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\yhjqhphyvx.exe"

Creates File: C:\WINDOWS\system32\mlmhvthz\tst

Process
↳ C:\WINDOWS\TEMP\qcoziky1rsfui.exe -r 21000 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

