Analysis Date: 2015-10-04 20:18:35
MD5: c6f52e5d9c81bf2f7234f1da5f4e9956
SHA1: 60f2edcd5cb346b76e1831228d39d9f25e6ced3d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 4a25c0f241a86f18a53ec06c1590a508  sha1: a6cfdabc70d05cca7825a6799a3333e7650ca3d3  size: 512
Section .rdata  md5: ab29002ea2e7c0d91a2bde1d817ca366  sha1: ced738602e81801744fe86d982895b06b7ce5a58  size: 104960
Section .data   md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0  (no raw data on disk: these are the MD5 and SHA-1 of the empty string)
Section .rsrc   md5: bf619eac0cdf3f68d496ea9344137e8b  sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5  size: 512
Section .reloc  md5: d8e444f61f8807b8b50ecd9c6efdb68f  sha1: 2a25cc59a47133acb40ec3e96c18319ae89dab1e  size: 512
Timestamp: 2014-04-25 13:50:12 (PE header compile time; attacker-settable, so not evidence on its own)
Packer: Borland Delphi 3.0 (???) (the scanner's own "???" marks this as a low-confidence signature match; a 512-byte .text section is not what a Delphi build looks like)
PEhash: 1a43470255bbd861b6601e7df35ca42f31b78ac6
IMPhash: 5d907e4f447d6c7f2275c3923df49f63
AV results (13 of 31 engines flagged the sample; no_virus is the report's token for a clean verdict):
CA (E-Trust Ino): no_virus
F-Secure: no_virus
Dr. Web: no_virus
ClamAV: no_virus
Arcabit (arcavir): no_virus
BullGuard: no_virus
Padvish: no_virus
VirusBlokAda (vba32): no_virus
CAT (quickheal): no_virus
Trend Micro: BKDR_PLUGX.EO
Kaspersky: Backdoor.Win32.Gulpix.vks
Zillya!: Trojan.FakeAV.Win32.316300
Emsisoft: no_virus
Ikarus: Win32.SuspectCrc
Frisk (f-prot): no_virus
Authentium: no_virus
MalwareBytes: no_virus
MicroWorld (escan): Gen:Variant.Kazy.306055
Microsoft Security Essentials: no_virus
K7: Trojan ( 004967951 )
BitDefender: no_virus
Fortinet: W32/FakeAV.BVQC!tr
Symantec: no_virus
Grisoft (avg): Crypt3.LML
Eset (nod32): Win32/Kryptik.BVQC
Alwil (avast): MalOb-HP [Cryp]
Ad-Aware: no_virus
Twister: Virus.56576A406800100000.mg
Avira (antivir): TR/Dropper.Gen
Mcafee: RDN/Generic.bfr
Rising: no_virus
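The per-section rows above are what you get by hashing each section's raw on-disk bytes, and two of them carry the real information in this table: .data has a raw size of 0 and so shows the digests of the empty string, and .text is a 512-byte stub next to a 104960-byte .rdata, i.e. almost all of the file's content sits in a data section rather than the code section. The script below reproduces those rows from a PE section table. It is an added example, not the sandbox's own code; it uses only the standard library, and build_sample_pe() is a constructed, non-loadable image with the same three-section shape (.text 512 bytes, .data 0 bytes, .rsrc 512 bytes) so the parser can run offline. Point it at a real file instead by passing the path as the first argument.

```python
"""Recompute "Section <name> md5/sha1/size" rows from a PE file's section table.

Added example, not the sandbox's code; standard library only. build_sample_pe()
is a constructed image (not loadable, no optional header) used as offline input.
"""
import hashlib
import struct
import sys
from datetime import datetime, timezone

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # md5 of zero bytes, the report's .data row


def parse_sections(blob):
    """DOS header -> PE signature -> COFF header -> section table; hash each
    section's raw on-disk bytes. Returns (compile timestamp as UTC string, [rows])."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size
    rows = []
    for i in range(nsections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, _chars) = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        data = blob[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        row = {"name": name.rstrip(b"\0").decode("ascii", "replace"),
               "size": raw_size,
               "md5": hashlib.md5(data).hexdigest(),
               "sha1": hashlib.sha1(data).hexdigest()}
        if len(data) != raw_size:          # header claims more bytes than the file holds
            row["truncated"] = True
        rows.append(row)
    when = datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return when, rows


def empty_sections(rows):
    """Sections with no raw data; their digests are those of the empty string."""
    return [r["name"] for r in rows if r["size"] == 0 and r["md5"] == EMPTY_MD5]


def build_sample_pe():
    """Constructed image: DOS header, PE signature, COFF header with a zero-length
    optional header, three section headers, raw data on 512-byte boundaries."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    stamp = 1398433812                                  # 2014-04-25 13:50:12 UTC, the report's value
    coff = struct.pack("<HHIIIHH", 0x14C, 3, stamp, 0, 0, 0, 0x0102)
    text, rsrc = b"\xC3" * 512, b"\x00" * 512           # 512-byte stub .text, like the report's
    layout = [(b".text", text, 0x200), (b".data", b"", 0), (b".rsrc", rsrc, 0x400)]
    headers = b"".join(struct.pack("<8sIIIIIIHHI", n, len(d), 0x1000 * (i + 1), len(d), p,
                                   0, 0, 0, 0, 0x60000020)
                       for i, (n, d, p) in enumerate(layout))
    image = bytearray(0x600)
    head = bytes(dos) + b"PE\0\0" + coff + headers
    image[:len(head)] = head
    image[0x200:0x400] = text
    image[0x400:0x600] = rsrc
    return bytes(image)


def report(blob):
    """Render rows in the same shape as the Static Details table."""
    when, rows = parse_sections(blob)
    lines = [f"Section {r['name']:<6} md5: {r['md5']} sha1: {r['sha1']} size: {r['size']}"
             for r in rows]
    lines.append(f"Timestamp: {when}")
    return "\n".join(lines)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(report(blob))
    print("empty sections:", empty_sections(parse_sections(blob)[1]))
```

The parser deliberately reads SizeOfRawData and PointerToRawData rather than the virtual sizes: the report's digests are over on-disk bytes, so a section that only exists in memory (size 0 on disk, like .data here) hashes as empty, which is exactly what the table shows.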

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Process: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Mutex: Global\afudrymmy

Process
↳ C:\Documents and Settings\All Users\DRM\XXX\.exe

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: Global\uecpg
Creates Mutex: Global\gbunwodqgillmltcd
Creates Mutex: Global\eknwzrskinjqgsrwl
Creates Mutex: Global\wylurrybkdlyonkut
Creates Mutex: Global\eklrhgdvaqrfzgugv
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\ufiggmvpeeiwv
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\mschu
Creates Mutex: Global\gxklm
Creates Mutex: Global\gxkrqsnwbuyet
Creates Mutex: Global\inkxsdwqbtist
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\iqlpefsfveadljlia
Creates Mutex: Global\aelyqgtun
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\oibsb
Creates Mutex: Global\afudrymmy

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004182206.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004182226.jpg
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004182156.jpg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004182216.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX\nprqyjadoqkp
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004182221.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004182211.jpg
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004182231.jpg
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004182201.jpg
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\000000010000000000000100
Creates Mutex: MMMM
Winsock DNS: 127.0.0.1
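Read as a tree, the runtime section says: C:\malware.exe writes a copy under All Users\DRM\XXX and runs it; that copy creates a batch of Global\ mutexes and starts the system svchost.exe; and it is that svchost.exe, not the dropped file, which writes the timestamp-named screenshot JPEGs (eight of them, one every five seconds by their filenames), touches the WinINet proxy settings, and leaves index.dat and WinINet cache mutexes behind. The script below is an added triage example, not the sandbox's tooling: it encodes those observations as rules and runs them over an event list constructed from the report (abbreviated to what the rules need). The System32-prefix test and the 14-digit filename timestamp pattern are assumptions about how this report names things; the rules themselves are general and would fire on any report with the same shape.

```python
"""Triage rules over a sandbox process tree.

Added example, not the sandbox's tooling. EVENTS is constructed from the
report's Runtime Details; the System32 prefix test and the 14-digit timestamp
filename pattern are assumptions about the report's naming.
"""
import re
from datetime import datetime

DRM = r"C:\Documents and Settings\All Users\DRM"
DROPPER = r"C:\malware.exe"
DROPPED = DRM + r"\XXX\.exe"
SVCHOST = r"C:\WINDOWS\system32\svchost.exe"
SHOT_DIR = DRM + r"\XXX-SCREEN\Administrator"
SHOT_TIMES = ("20151004182156", "20151004182201", "20151004182206", "20151004182211",
              "20151004182216", "20151004182221", "20151004182226", "20151004182231")

# (process image, event type, target), constructed from the report and abbreviated
EVENTS = [
    (DROPPER, "CreateFile", DROPPED),
    (DROPPER, "CreateProcess", DROPPED),
    (DROPPER, "CreateMutex", r"Global\afudrymmy"),
    (DROPPED, "CreateProcess", SVCHOST),
    (DROPPED, "CreateMutex", r"Global\uecpg"),
    (DROPPED, "CreateMutex", r"Global\afudrymmy"),
    (SVCHOST, "Registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                          r"\Internet Settings\ZoneMap\ProxyBypass=1"),
    (SVCHOST, "CreateFile", DRM + r"\XXX\nprqyjadoqkp"),
    (SVCHOST, "CreateFile", r"C:\Documents and Settings\Administrator\Cookies\index.dat"),
    (SVCHOST, "CreateMutex", "MMMM"),
] + [(SVCHOST, "CreateFile", SHOT_DIR + "\\" + t + ".jpg") for t in SHOT_TIMES]

SYSTEM32 = "c:\\windows\\system32\\"   # assumed sandbox layout (XP-era paths, as in the report)
STAMP = re.compile(r"(\d{14})\.jpg$")  # assumed YYYYMMDDHHMMSS.jpg naming


def in_system32(path):
    return path.lower().startswith(SYSTEM32)


def dropped_then_executed(events):
    """Paths one process writes to disk and then launches itself (drop-and-run)."""
    written = {(p, t) for p, e, t in events if e == "CreateFile"}
    return sorted({t for p, e, t in events if e == "CreateProcess" and (p, t) in written})


def svchost_odd_parent(events):
    """Images outside System32 that start svchost.exe (legitimate instances are
    started by services.exe, which lives in System32)."""
    return sorted({p for p, e, t in events
                   if e == "CreateProcess" and t.lower().endswith("\\svchost.exe")
                   and not in_system32(p)})


def shared_mutexes(events):
    """Mutex names created by more than one process image: a handoff or
    run-once marker shared between a dropper and its copy."""
    owners = {}
    for p, e, t in events:
        if e == "CreateMutex":
            owners.setdefault(t, set()).add(p)
    return sorted(m for m, ps in owners.items() if len(ps) > 1)


def screenshot_cadence(events):
    """Timestamp-named .jpg writes: (count, min gap in s, max gap in s).
    A tight, regular cadence means periodic capture, not a one-off."""
    stamps = sorted(datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
                    for _, e, t in events if e == "CreateFile"
                    for m in [STAMP.search(t)] if m)
    gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return len(stamps), min(gaps, default=None), max(gaps, default=None)


def system_image_writes(events):
    """Directories a System32 image writes into outside C:\\WINDOWS; index.dat
    under the user profile is the WinINet side effect of that process doing HTTP."""
    return sorted({t.rsplit("\\", 1)[0] for p, e, t in events
                   if e == "CreateFile" and in_system32(p)
                   and not t.lower().startswith("c:\\windows\\")})


def triage(events):
    return {"dropped_then_executed": dropped_then_executed(events),
            "svchost_odd_parent": svchost_odd_parent(events),
            "shared_mutexes": shared_mutexes(events),
            "screenshots": screenshot_cadence(events),
            "system_image_writes": system_image_writes(events)}


if __name__ == "__main__":
    for rule, hit in triage(EVENTS).items():
        print(f"{rule:<22} {hit}")
```

Each rule is a relation between events rather than a lookup of a single string, which is what makes them reusable: the drop-and-run rule pairs a CreateFile with a later CreateProcess from the same parent, the svchost rule keys on the parent's path rather than the child's name, and the cadence rule turns filenames into a sampling interval. None of them depend on the random mutex or directory names, which a rebuilt sample would change.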

Network Details:

Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
