Analysis Date: 2015-09-16 07:14:35
MD5: 19a6a0c857af2573d67f741a06366f57
SHA1: 3d5f3a72aa71f531ee1365507f5d5f37eb788efc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a328236186103e6950a0f1d753df73e5 sha1: 7b977ec0ea4d8156a7be76c1fbfc5002dd340fb5 size: 829952
Section .rdata: md5: 117464873d06420376be5258ef025d12 sha1: fbb83a495f8161b705e314943bfc805e4e098eb0 size: 311296
Section .data: md5: 1c84dc7b6ae582c2e5749a8a43d731e9 sha1: 1f3db30f5066abc6c48296f01ab0dffe908fd64b size: 8192
Timestamp: 2015-04-03 03:55:56
Packer: Microsoft Visual C++ ?.?
PEhash: 7538feaa07a7ff584fbfbd46f81d9306feb1f86a
IMPhash: 3e05be9ad1d67ec5f198c0943618164a
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Zusy.133308
AV Dr. Web: Trojan.DownLoader16.7473
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV BullGuard: Gen:Variant.Zusy.133308
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Kryptik.Win32.787445
AV Emsisoft: Gen:Variant.Zusy.133308
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV K7: Trojan ( 004cd0081 )
AV BitDefender: Gen:Variant.Zusy.133308
AV Fortinet: W32/Kryptik.DDQD!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.DDQD
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Zusy.133308
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV Mcafee: no_virus
AV Rising: 0x5902a9db

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\xnwlhilcatg\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fwpcchhl1mltsjwkrqnw9ku.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\fwpcchhl1mltsjwkrqnw9ku.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\fwpcchhl1mltsjwkrqnw9ku.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Biometric Program Browser Device Visual ➝ C:\WINDOWS\system32\kmlcrxzb.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\xnwlhilcatg\tst
Creates File: C:\WINDOWS\system32\xnwlhilcatg\etc
Creates File: C:\WINDOWS\system32\xnwlhilcatg\lck
Creates File: C:\WINDOWS\system32\kmlcrxzb.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\kmlcrxzb.exe
Creates Service: SSDP DNS Themes Workstation Proxy DHCP - C:\WINDOWS\system32\kmlcrxzb.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1172

Process
↳ C:\WINDOWS\system32\kmlcrxzb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\xnwlhilcatg\tst
Creates File: C:\WINDOWS\system32\xnwlhilcatg\rng
Creates File: C:\WINDOWS\TEMP\fwpcchhl1tl4sjwkr.exe
Creates File: C:\WINDOWS\system32\xnwlhilcatg\lck
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\xnwlhilcatg\run
Creates File: C:\WINDOWS\system32\uvolbovpz.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\xnwlhilcatg\cfg
Creates Process: WATCHDOGPROC "c:\windows\system32\kmlcrxzb.exe"
Creates Process: C:\WINDOWS\TEMP\fwpcchhl1tl4sjwkr.exe -r 50209 tcp

Process
↳ C:\WINDOWS\system32\kmlcrxzb.exe

Creates File: C:\WINDOWS\system32\xnwlhilcatg\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\kmlcrxzb.exe"

Creates File: C:\WINDOWS\system32\xnwlhilcatg\tst

Process
↳ C:\WINDOWS\TEMP\fwpcchhl1tl4sjwkr.exe -r 50209 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS nailthere.net Type: A ➝ 98.139.135.129
DNS bothplain.net Type: A ➝ 208.91.197.241
DNS groupgrain.net Type: A ➝ 208.91.197.241
DNS naildeep.com Type: A ➝ 74.220.215.218
DNS deeprush.net Type: A ➝ 184.168.221.26
DNS pushhard.net Type: A ➝ 66.96.147.159
DNS pushclock.net Type: A ➝ 217.70.184.38
DNS pushmake.net Type: A ➝ 37.59.4.217
DNS longshine.net Type: A ➝ 218.107.207.37
DNS fridayshine.net Type: A ➝ 95.211.230.75
DNS ableread.net Type: A
DNS fearstate.net Type: A
DNS longcold.net Type: A
DNS fridayloss.net Type: A
DNS wrongbelow.net Type: A
DNS eggbraker.com Type: A
DNS ithouneed.com Type: A
DNS shallrush.net Type: A
DNS fridayhard.net Type: A
DNS fridayclock.net Type: A
DNS fridaymake.net Type: A
DNS pushrush.net Type: A
DNS fridayrush.net Type: A
DNS alonghard.net Type: A
DNS decemberhard.net Type: A
DNS alongclock.net Type: A
DNS decemberclock.net Type: A
DNS alongmake.net Type: A
DNS decembermake.net Type: A
DNS alongrush.net Type: A
DNS decemberrush.net Type: A
DNS longfifth.net Type: A
DNS soilfifth.net Type: A
DNS soilshine.net Type: A
DNS longdone.net Type: A
DNS soildone.net Type: A
DNS longknew.net Type: A
DNS soilknew.net Type: A
DNS wheelfifth.net Type: A
DNS saidfifth.net Type: A
DNS wheelshine.net Type: A
DNS saidshine.net Type: A
DNS wheeldone.net Type: A
DNS saiddone.net Type: A
DNS wheelknew.net Type: A
DNS saidknew.net Type: A
DNS stickfifth.net Type: A
DNS ballfifth.net Type: A
DNS stickshine.net Type: A
DNS ballshine.net Type: A
DNS stickdone.net Type: A
DNS balldone.net Type: A
DNS stickknew.net Type: A
DNS ballknew.net Type: A
DNS enemyfifth.net Type: A
DNS lifefifth.net Type: A
DNS enemyshine.net Type: A
DNS lifeshine.net Type: A
DNS enemydone.net Type: A
DNS lifedone.net Type: A
DNS enemyknew.net Type: A
DNS lifeknew.net Type: A
DNS mouthfifth.net Type: A
DNS tillfifth.net Type: A
DNS mouthshine.net Type: A
DNS tillshine.net Type: A
DNS mouthdone.net Type: A
DNS tilldone.net Type: A
DNS mouthknew.net Type: A
DNS tillknew.net Type: A
DNS shallfifth.net Type: A
DNS deepfifth.net Type: A
DNS shallshine.net Type: A
DNS deepshine.net Type: A
DNS shalldone.net Type: A
DNS deepdone.net Type: A
DNS shallknew.net Type: A
DNS deepknew.net Type: A
DNS pushfifth.net Type: A
DNS fridayfifth.net Type: A
DNS pushshine.net Type: A
DNS pushdone.net Type: A
DNS fridaydone.net Type: A
DNS pushknew.net Type: A
DNS fridayknew.net Type: A
DNS alongfifth.net Type: A
DNS decemberfifth.net Type: A
DNS alongshine.net Type: A
DNS decembershine.net Type: A
DNS alongdone.net Type: A
DNS decemberdone.net Type: A
DNS alongknew.net Type: A
DNS decemberknew.net Type: A
HTTP GET http://nailthere.net/index.php?method=validate&mode=sox&v=044&sox=482fbe17&lenhdr
  User-Agent:
HTTP GET http://bothplain.net/index.php?method=validate&mode=sox&v=044&sox=482fbe17&lenhdr
  User-Agent:
HTTP GET http://groupgrain.net/index.php?method=validate&mode=sox&v=044&sox=482fbe17&lenhdr
  User-Agent:
HTTP GET http://naildeep.com/index.php?method=validate&mode=sox&v=044&sox=482fbe17&lenhdr
  User-Agent:
HTTP GET http://deeprush.net/index.php?method=validate&mode=sox&v=044&sox=482fbe17&lenhdr
  User-Agent:
HTTP GET http://pushhard.net/index.php?method=validate&mode=sox&v=044&sox=482fbe17&lenhdr
  User-Agent:
HTTP GET http://pushclock.net/index.php?method=validate&mode=sox&v=044&sox=482fbe17&lenhdr
  User-Agent:
HTTP GET http://pushmake.net/index.php?method=validate&mode=sox&v=044&sox=482fbe17&lenhdr
  User-Agent:
HTTP GET http://longshine.net/index.php?method=validate&mode=sox&v=044&sox=482fbe17&lenhdr
  User-Agent:
HTTP GET http://fridayshine.net/index.php?method=validate&mode=sox&v=044&sox=482fbe17&lenhdr
  User-Agent:
Flows TCP 192.168.1.1:1037 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1040 ➝ 74.220.215.218:80
Flows TCP 192.168.1.1:1041 ➝ 184.168.221.26:80
Flows TCP 192.168.1.1:1042 ➝ 66.96.147.159:80
Flows TCP 192.168.1.1:1043 ➝ 217.70.184.38:80
Flows TCP 192.168.1.1:1044 ➝ 37.59.4.217:80
Flows TCP 192.168.1.1:1045 ➝ 218.107.207.37:80
Flows TCP 192.168.1.1:1046 ➝ 95.211.230.75:80
