Analysis Date: 2015-08-13 04:04:35
MD5: 358311e6cda38e7a7084f2a89c7bec85
SHA1: 4173d650cfb34f3304c38bf241b23ae5c27494df

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: de1bfd5fe885e662bb208c16fafd249e sha1: 303f22acc6f7294da7ee9e9e1d2e7565cfde674b size: 25600
Section .rdata: md5: f421df8ad2260998d86660d39bc59136 sha1: 3c338ee33337091b66eb537655c2ded79cd7ba39 size: 74752
Section .data: md5: ca7b626bdfb6fe55065afef8f607fb60 sha1: 73233c202b458c5fa12671cfd82fa814c418f7c3 size: 3584
Timestamp: 2014-04-21 07:48:07
Packer: Microsoft Visual C++ ?.?
PEhash: 099dab572592268bd93f487320c1c5984269316e
IMPhash: a8a20d7db2ee7cd1a85074534adab9f4
AV Ikarus: Trojan-Ransom.Win32.PornoAsset
AV Padvish: no_virus
AV BullGuard: Gen:Win32.ExplorerHijack.gmW@aSgkZtl
AV Mcafee: RDN/Generic BackDoor
AV CA (E-Trust Ino): no_virus
AV Trend Micro: BKDR_PLUGX.EO
AV CAT (quickheal): TrojanAPT.PlugX.E4
AV Grisoft (avg): BackDoor.Generic18.ADHP
AV Eset (nod32): Win32/Korplug.DB
AV Avira (antivir): TR/Injector.104960.6
AV Symantec: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.L
AV Fortinet: W32/Hra.BX!tr
AV Zillya!: no_virus
AV MalwareBytes: no_virus
AV BitDefender: Gen:Win32.ExplorerHijack.gmW@aSgkZtl
AV Emsisoft: Gen:Win32.ExplorerHijack.gmW@aSgkZtl
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Frisk (f-prot): no_virus
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Win32.ExplorerHijack.gmW@aSgkZtl
AV Arcabit (arcavir): Gen:Win32.ExplorerHijack.gmW@aSgkZtl
AV F-Secure: Gen:Win32.ExplorerHijack.gmW@aSgkZtl
AV Twister: Trojan.DOMG.jfsc
AV Kaspersky: no_virus
AV Rising: no_virus
AV MicroWorld (escan): Gen:Win32.ExplorerHijack.gmW@aSgkZtl
AV VirusBlokAda (vba32): no_virus
AV Authentium: no_virus
AV K7: Trojan ( 004b03c71 )

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Process: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Mutex: Global\iruhvihxegnzgtwhd

Process
↳ C:\Documents and Settings\All Users\DRM\XXX\.exe

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: Global\aftaumxbdnqsjbpbv
Creates Mutex: Global\iruhvihxegnzgtwhd
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\kdiolmoexbmog
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\mschu
Creates Mutex: Global\aabhnqurdbfoh
Creates Mutex: Global\kdklk
Creates Mutex: Global\stuxkwabijxwwaxrh
Creates Mutex: Global\wubqw
Creates Mutex: Global\mwmwahssfgzhbdlaa
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\gwdgudoewykyd
Creates Mutex: Global\ykbchaeqgqtdt
Creates Mutex: Global\iqlpefsfveadljlia
Creates Mutex: Global\elubklhns
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\qclkvonpovvoztjdf

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\All Users\DRM\XXX\nprqyjadoqkp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: MMMM
Winsock DNS: 127.0.0.1
