Analysis Date: 2016-01-29 09:50:13
MD5: 0c81521cee0eb4aa82889a2b57ed5298
SHA1: 3fa0d191800f01abed95a4aa5847b1da4963d6e5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 18a418485bb95e986e09045f43e8c483 sha1: 93bd220dcc4f468126045ca3a7d9f7b5763005d9 size: 540160
Section .rdata md5: 5a751a2bca13be6809bc6315544ebb3e sha1: c8c20a7747f68732a536d4b54842bfd8d63bc73b size: 512
Section .data md5: d6ef15a5bb9fc6f96be11cf2a3574fa6 sha1: 755c2bad4a6a292d96b7a66469e8b2f215547148 size: 512
Section .rsrc md5: 49860d8fa88ca5e0bbee6ed81834cbd5 sha1: a9353fab164b2328172ef117362666bc6aacd112 size: 4608
Timestamp: 2015-01-06 00:36:08
PEhash: 59322bd43e8a7494acc29d7665198df441bfe3b9
IMPhash: c64c9d733a384de6d917539f4597d333
AV CA (E-Trust Ino): No Virus
AV F-Secure: Gen:Trojan.Heur.UT.HqW@bmBNg7hi
AV Dr. Web: Win32.VirLock.10
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Trojan.Heur.UT.HqW@bmBNg7hi
AV BullGuard: Gen:Trojan.Heur.UT.HqW@bmBNg7hi
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): Virus.VirLock
AV Trend Micro: No Virus
AV Kaspersky: Backdoor.Win32.Zegost.mszmv
AV Zillya!: No Virus
AV Ikarus: Virus.PolyRansom
AV Frisk (f-prot): No Virus
AV Emsisoft: Gen:Trojan.Heur.UT.HqW@bmBNg7hi
AV Authentium: W32/S-b256b4b7!Eldorado
AV MalwareBytes: Trojan.VirLock
AV MicroWorld (escan): Gen:Trojan.Heur.UT.HqW@bmBNg7hi
AV Microsoft Security Essentials: Virus:Win32/Nabucur.A
AV K7: Trojan ( 004b12aa1 )
AV BitDefender: Gen:Trojan.Heur.UT.HqW@bmBNg7hi
AV Fortinet: No Virus
AV Symantec: No Virus
AV Grisoft (avg): Generic_r.EKW
AV Eset (nod32): Win32/Virlock.D virus
AV Alwil (avast): VirLock-B [Trj]
AV Rising: No Virus
AV Ad-Aware: Gen:Trojan.Heur.UT.HqW@bmBNg7hi
AV Twister: No Virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV Mcafee: Generic Obfuscated.g

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\AewksEIg.bat
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\python_icon.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\AewksEIg.bat
Creates Process: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Process: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Process: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\python_icon.exe
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Service: BgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts Service: BgMMsMHT

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\python_icon.exe

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\python_icon.exe

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates File: DgoK.exe
Creates File: fAYg.exe
Creates File: jCwA.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates File: XAQA.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates File: nEww.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates File: C:\RCX15.tmp
Creates File: C:\RCX14.tmp
Creates File: DUUC.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates File: C:\RCX2.tmp
Creates File: C:\Documents and Settings\All Users\ICUk.txt
Creates File: jsMk.exe
Creates File: LkYg.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates File: NIEu.exe
Creates File: LUMY.exe
Creates File: HEAI.exe
Creates File: C:\RCX5.tmp
Creates File: DUYm.exe
Creates File: dQwq.exe
Creates File: C:\RCX3.tmp
Creates File: VaAI.ico
Creates File: vgEE.exe
Creates File: C:\RCX10.tmp
Creates File: C:\RCXB.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates File: C:\RCXF.tmp
Creates File: C:\RCX12.tmp
Creates File: DIoe.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates File: PAwg.ico
Creates File: PgAM.exe
Creates File: LokM.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates File: DkwE.ico
Creates File: rQIa.exe
Creates File: C:\RCXD.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\RCX18.tmp
Creates File: C:\RCX1E.tmp
Creates File: rGkI.ico
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\RCX6.tmp
Creates File: noAQ.exe
Creates File: fUUw.ico
Creates File: LYYe.exe
Creates File: RAcI.ico
Creates File: C:\RCXE.tmp
Creates File: C:\RCXA.tmp
Creates File: C:\RCX1F.tmp
Creates File: rYsw.exe
Creates File: jEAS.exe
Creates File: C:\RCX13.tmp
Creates File: C:\RCX11.tmp
Creates File: PAQk.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates File: C:\RCXC.tmp
Creates File: C:\RCX19.tmp
Creates File: nYYI.ico
Creates File: XIsM.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates File: FsEw.ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: LSAc.ico
Creates File: bwwi.exe
Creates File: C:\RCX1C.tmp
Creates File: jIsm.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\RCX9.tmp
Creates File: C:\RCX1A.tmp
Creates File: lGkg.ico
Creates File: TaoA.ico
Creates File: zAIy.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates File: DmMg.ico
Creates File: XEUs.ico
Creates File: NCgs.ico
Creates File: C:\RCX8.tmp
Creates File: LwYS.exe
Creates File: TYwe.exe
Creates File: nsQq.exe
Creates File: vwQY.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates File: XkUs.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates File: HwAs.ico
Creates File: zIMi.exe
Creates File: TuQg.ico
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates File: C:\RCX1D.tmp
Creates File: XMIM.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates File: zeQA.ico
Creates File: PQMs.ico
Creates File: PsIk.exe
Creates File: dWok.ico
Creates File: foso.ico
Creates File: C:\RCX16.tmp
Creates File: lggk.ico
Creates File: C:\RCX1B.tmp
Creates File: C:\RCX7.tmp
Creates File: C:\RCX17.tmp
Creates File: ZUMw.exe
Creates File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates File: C:\RCX4.tmp
Creates File: bgIG.exe
Creates File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Creates File: HEAw.ico
Creates File: DGEI.ico
Creates File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates File: zCIA.ico
Creates File: fskA.ico
Deletes File: DgoK.exe
Deletes File: fAYg.exe
Deletes File: jCwA.ico
Deletes File: XAQA.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes File: nEww.ico
Deletes File: DUUC.exe
Deletes File: jsMk.exe
Deletes File: LkYg.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes File: NIEu.exe
Deletes File: LUMY.exe
Deletes File: HEAI.exe
Deletes File: DUYm.exe
Deletes File: dQwq.exe
Deletes File: VaAI.ico
Deletes File: vgEE.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes File: DIoe.exe
Deletes File: PAwg.ico
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes File: PgAM.exe
Deletes File: LokM.ico
Deletes File: DkwE.ico
Deletes File: rQIa.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes File: rGkI.ico
Deletes File: noAQ.exe
Deletes File: LYYe.exe
Deletes File: fUUw.ico
Deletes File: RAcI.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes File: rYsw.exe
Deletes File: jEAS.exe
Deletes File: PAQk.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes File: nYYI.ico
Deletes File: XIsM.ico
Deletes File: FsEw.ico
Deletes File: LSAc.ico
Deletes File: bwwi.exe
Deletes File: jIsm.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes File: lGkg.ico
Deletes File: TaoA.ico
Deletes File: zAIy.exe
Deletes File: DmMg.ico
Deletes File: XEUs.ico
Deletes File: NCgs.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes File: LwYS.exe
Deletes File: TYwe.exe
Deletes File: nsQq.exe
Deletes File: vwQY.exe
Deletes File: C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes File: XkUs.ico
Deletes File: HwAs.ico
Deletes File: zIMi.exe
Deletes File: TuQg.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes File: XMIM.exe
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes File: zeQA.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes File: PQMs.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes File: PsIk.exe
Deletes File: foso.ico
Deletes File: dWok.ico
Deletes File: lggk.ico
Deletes File: ZUMw.exe
Deletes File: bgIG.exe
Deletes File: HEAw.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes File: C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes File: DGEI.ico
Deletes File: fskA.ico
Deletes File: zCIA.ico
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes File: C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: \Device\Afd\Endpoint
Creates Mutex: nwYEEQIw0
Creates Mutex: rIwsEEEo0
Creates Mutex: \\xc2\\xb7*@
Creates Mutex: \\xc2\\xaf*@
Creates Mutex: \\xc9\\xb8*@
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ
Creates Mutex: \\xc2\\xbf*@
Creates Mutex: \\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File: C:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates Mutex: vWcsggUA
Creates Mutex: ScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1872

Process
↳ Pid 1144

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\python_icon.exe

Network Details:

DNS: google.com
Type: A
216.58.219.142
HTTP GET: http://google.com/
User-Agent:
HTTP GET: http://google.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 216.58.219.142:80
Flows TCP: 192.168.1.1:1032 ➝ 216.58.219.142:80
