Analysis Date: 2016-02-23 21:38:24
MD5: 953577261e837cc6d17456b937e0a0fd
SHA1: 503d6fa21e3896e25af3a53033ba29223d2ea308

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 48a50f77323ce9cf2508353f736d51a7 sha1: 959ed3cdc60097b44871973f20d5f68c6f5989e9 size: 1067008
Section .rdata: md5: e1b27b3f0f7daf0806ede3955df77d41 sha1: 59f6a7957fd39af69e389f3b81a2fd54a49b8137 size: 299520
Section .data: md5: 6655b9797a10b2ed31fecbb211028c1d sha1: a9e2e395e0baf215c3c901db04692f84ad23b63c size: 11264
Section .reloc: md5: 7aad5edee231f261650d3096e736a0f5 sha1: 6707ffb247bf4709143fc29a53943450600351b7 size: 67584
Timestamp: 2015-04-30 21:13:54
Packer: Microsoft Visual C++ 8
PEhash: 9ad9efafeb16c0c6b6fc67a6b0c3ef50aa84f898
IMPhash: caf4545054f25c0793545d981b64abdd
AV CA (E-Trust Ino): Gen:Variant.Razy.5659
AV Rising: No Virus
AV McAfee: Trojan-FHOH!953577261E83
AV Avira (antivir): TR/Boryab.aiez
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.5659
AV Alwil (avast): Dropper-OJG [Drp]
AV Eset (nod32): Win32/Bayrob.R
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptic.WU!tr
AV BitDefender: Gen:Variant.Razy.5659
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CH
AV MicroWorld (escan): Gen:Variant.Razy.5659
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.5659
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: Trojan.Bayrob.Win32.1010
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Razy.5659
AV Arcabit (arcavir): Gen:Variant.Razy.5659
AV ClamAV: No Virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Razy.5659

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cwvvkv1mq5rganijwi.exe
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\cwvvkv1mq5rganijwi.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\cwvvkv1mq5rganijwi.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UPnP Grouping HomeGroup Group Scheduler ➝ C:\WINDOWS\system32\phxpatgggm.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\etc
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst
Creates File: C:\WINDOWS\system32\phxpatgggm.exe
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\phxpatgggm.exe
Creates Service: Configuration Host Authentication - C:\WINDOWS\system32\phxpatgggm.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERef23.dir00\svchost.exe.hdmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERef23.dir00\svchost.exe.mdmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: pipe\PCHFaultRepExecPipe
Creates Process: C:\WINDOWS\system32\dumprep.exe 1016 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERef23.dir00\svchost.exe.mdmp 16325836412030904

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1164

Process
↳ C:\WINDOWS\system32\phxpatgggm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\bzpyrhklbv.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\run
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\lck
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\cwvvkv1u4nrg.exe
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\cfg
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\rng
Creates Process: C:\WINDOWS\TEMP\cwvvkv1u4nrg.exe -r 49352 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\phxpatgggm.exe"

Process
↳ C:\WINDOWS\system32\phxpatgggm.exe

Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst

Process
↳ C:\WINDOWS\system32\dumprep.exe 1016 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERef23.dir00\svchost.exe.mdmp 16325836412030904

Process
↳ WATCHDOGPROC "c:\windows\system32\phxpatgggm.exe"

Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst

Process
↳ C:\WINDOWS\TEMP\cwvvkv1u4nrg.exe -r 49352 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: ableread.net
Type: A
DNS: maybellinecherokee.net
Type: A
DNS: alexandrinacalleigh.net
Type: A
DNS: recordtrust.net
Type: A
DNS: electricseparate.net
Type: A
DNS: flierdress.net
Type: A
DNS: oftenbranch.net
Type: A
DNS: thicklaughter.net
Type: A
DNS: rathersystem.net
Type: A
DNS: strangedistant.net
Type: A
