Analysis Date: 2018-04-13 02:01:22
MD5: dc267cdca77618b319e88b3ef9ff036c
SHA1: 4e6143c3525095c28c0e352137bbcaac49eb16de

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash:
AV vendor                       Detection
CA (E-Trust Ino)                Generic.Malware.SMP!Pkg.B8D96178
CAT (quickheal)                 Worm.Ludbaruma.A3
SUPERAntiSpyware                Worm.Ludbaruma/Variant
Frisk (f-prot)                  No Virus
F-Secure                        Generic.Malware.SMP!Pkg.B8D96178
Alwil (avast)                   Emotet-AI [Trj]
K7                              Trojan ( 0040f6141 )
BullGuard                       Generic.Malware.SMP!Pkg.B8D96178
Windows Defender                Worm:Win32/Ludbaruma.A
Ad-Aware                        Generic.Malware.SMP!Pkg.B8D96178
MicroWorld (escan)              Generic.Malware.SMP!Pkg.B8D96178
Padvish                         Trojan.Win32.Regrun.pke
Fortinet                        W32/Regrun.PKE!tr
NANO                            Trojan.Win32.Regrun.dxtouo
Rising                          Worm.Win32.VBInjectEx.a
Emsisoft                        Generic.Malware.SMP!Pkg.B8D96178
Zillya!                         Trojan.RegrunGen.Win32.1
Arcabit (arcavir)               Generic.Malware.SMP!Pkg.B8D96178
Trend Micro                     TSPY_LU.85367EC1
Eset (nod32)                    Win32/VB.ORD worm
BitDefender                     Generic.Malware.SMP!Pkg.B8D96178
Ikarus                          Trojan.Win32.Patched
Dr. Web                         Trojan.DownLoader7.3730
Mcafee                          W32/Rontokbro.gen@MM
VirusBlokAda (vba32)            Trojan.Downloader
Twister                         Suspicious.851E5F9BB35FB8DC
MalwareBytes                    Trojan.AVDis.CS
ClamAV                          Win.Worm.Untukmu-5949608-0
360 Safe                        No Virus
Authentium                      W32/Trojan.BDD.gen!Eldorado
Kaspersky                       Trojan-Ransom.Win32.Blocker.kpuo
Symantec                        SMG.Heur!gen
Grisoft (avg)                   Win32/DH{gVKBUYFP?}
Avira (antivir)                 TR/BAS.Samca.oikyt
Microsoft Security Essentials   Worm:Win32/Ludbaruma.A

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\4e6143c3525095c28c0e352137bbcaac49eb16de.exe

Creates File: C:\Users\Phil\AppData\Local\Temp\~DF30A5FE003ACB871F.TMP
Creates File: C:\
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
Creates File: C:\Users\desktop.ini
Creates File: C:\Users
Creates File: C:\Users\Phil
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE ➝ C:\Windows\system32\Mig~mig.SCR
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure ➝ 0
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut ➝ 600
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xk ➝ C:\Windows\xk.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS ➝ C:\Users\Phil\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ServicePhil ➝ C:\Users\Phil\Local Settings\Application Data\WINDOWS\SERVICES.EXE
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonPhil ➝ C:\Users\Phil\Local Settings\Application Data\WINDOWS\CSRSS.EXE
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring ➝ C:\Users\Phil\Local Settings\Application Data\WINDOWS\LSASS.EXE
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell ➝ C:\Windows\xk.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ Explorer.exe "C:\Windows\system32\IExplorer.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\Windows\system32\userinit.exe,C:\Windows\system32\IExplorer.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger ➝ "C:\Windows\system32\Shell.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command\(Default) ➝ "C:\Windows\system32\shell.exe" "%1" %*
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\(Default) ➝ File Folder
Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPathAddress ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ 0
Creates Mutex
Creates Mutex

Network Details:

Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .


Strings