Analysis Date: 2015-12-06 21:50:38
MD5: 65cddf97d98050b9cea63d14201c14e0
SHA1: 5d96bda66067e7429da3661b27b84e50ca6dc171

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 902671c1f769b420fe5f12232c2557bd sha1: 93bcae609eef382fa46862d9fe1dd150b3c38707 size: 103936
Section .rdata: md5: a610d25b70a8f89cdc792c49a73d1341 sha1: 4dafb6a684dd7e131b2716201907df4c9ab097a3 size: 36864
Section .data: md5: 5dcc3fdd460564449ab6e5df6cd5d945 sha1: 672d6fefe2dd86d6643e3a8ccd3133d654525038 size: 68608
Section .rsrc: md5: 5721f6b0296b7b1722d33323f259cb6f sha1: 7d3217e1e0fc35137eccf3e95d18267ca6969d37 size: 132096
Timestamp: 2015-10-23 08:33:38
Packer: Microsoft Visual C++ ?.?
PEhash: 02641cd798b9b699e94c16fb9911bf84f27d4a95
IMPhash: 3b3a415ce0c845f1f8dbcced4147db46
AV VirusBlokAda (vba32): Trojan.Yakes
AV Authentium: W32/Agent.XL.gen!Eldorado
AV MicroWorld (escan): Trojan.Injector.BTM
AV Zillya!: no_virus
AV MalwareBytes: no_virus
AV Alwil (avast): Androp [Drp]
AV Ikarus: Trojan.Win32.Crypt
AV Microsoft Security Essentials: Worm:Win32/Dorkbot
AV Symantec: Trojan.Gen
AV Emsisoft: Trojan.Injector.BTM
AV Arcabit (arcavir): Trojan.Injector.BTM
AV ClamAV: no_virus
AV Kaspersky: Worm.Win32.Ngrbot.aukf
AV Frisk (f-prot): no_virus
AV Eset (nod32): Win32/Injector.BNHS
AV Grisoft (avg): Inject3.LOX
AV K7: Trojan ( 004d4c2e1 )
AV Mcafee: RDN/Sdbot.worm
AV Fortinet: W32/Kryptik.ECCZ!tr
AV Twister: Trojan.Injector.BNHS.qksj
AV BitDefender: Trojan.Injector.BTM
AV Trend Micro: no_virus
AV Dr. Web: Trojan.Dridex.234
AV Rising: 0x594e2682
AV Avira (antivir): TR/Crypt.ZPACK.195847
AV BullGuard: Trojan.Injector.BTM
AV F-Secure: Trojan.Injector.BTM
AV Ad-Aware: Trojan.Injector.BTM
AV CAT (quickheal): Worm.Dorkbot.r4
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\calc.exe
Creates Process: C:\malware.exe
Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: SSLOADasdasc000900

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\9cb1_appcompat.txt
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 180

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman ➝
C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Installer ➝
C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\c731200
Creates File: C:\Documents and Settings\Administrator\Application Data\Update\Update.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe
Deletes File: C:\Documents and Settings\All users\Start Menu\Programs\Startup\desktop.ini
Deletes File: C:\Documents and Settings\All users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
Deletes File: C:\twnundtby\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\INFO2
Deletes File: C:\twnundtby\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
Creates Process: C:\WINDOWS\system32\mspaint.exe
Creates Mutex: SVCHOST_MUTEX_OBJECT_RELEASED_c0009X00GOAL

Process
↳ C:\WINDOWS\system32\calc.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\c731200

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 180

Process
↳ C:\WINDOWS\system32\mspaint.exe

Network Details:
