Analysis Date: 2016-04-17 09:36:27
MD5: 1c537f76be34a7df84f7c2b52c099277
SHA1: 64456e3bfde7125178514ee53feacb27f64a158e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 7f66260ab832ef89c43140a54c2ab73a  sha1: 6011d774f4f1e5deb35e9ca670bdc295e48c10c9  size: 653824
Section .rdata  md5: eab0e4f31ebda2c33f7bb4e6d612fa7e  sha1: 7e2c9c1f2c5b3b822accabc42a091454627c9122  size: 254976
Section .data   md5: dbd5e174df85de6c167a4c388edcefef  sha1: 253c87b0e66b8f7d5308518991fcc84702aa4fd7  size: 5120
Section .reloc  md5: 13f23fee362244e7670eb8a3a56f4c59  sha1: 50095d8766edbecbe6aa99f8d8b714f0a2e340e0  size: 89088
Timestamp: 2014-05-26 14:50:43
Packer: Microsoft Visual C++ ?.?
PEhash: cea72c6812c723219555f0d6fc7cfc08ffe032f2
IMPhash: b89b8ff2f8bb80f07fc398d6dbe86971
AV CA (E-Trust Ino): Gen:Variant.Razy.14896
AV F-Secure: Gen:Variant.Razy.14896
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.14896
AV BullGuard: Gen:Variant.Razy.14896
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Zillya!: No Virus
AV Emsisoft: Gen:Variant.Razy.14896
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): No Virus
AV Authentium: W32/BayRob.I.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.14896
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DU
AV K7: Trojan ( 004da8bd1 )
AV BitDefender: Gen:Variant.Razy.14896
AV Fortinet: W32/Bayrob.AT!tr
AV Symantec: No Virus
AV Grisoft (avg): No Virus
AV Eset (nod32): Win32/Bayrob.BK
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Razy.14896
AV Twister: Trojan.558BEC@2FF5356@2F.mg
AV Avira (antivir): TR/Taranis.2074
AV Mcafee: Trojan-FHSY!1C537F76BE34
AV Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\mtredywmyjbjdjnejqpv.exe
Creates File: C:\WINDOWS\system32\hqznvcsytmcdbxm\tst
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\mtredywmyjbjdjnejqpv.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\mtredywmyjbjdjnejqpv.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Offline Error Mapper Port Removal Propagation ➝ C:\WINDOWS\system32\mhdhlljp.exe
Creates File: C:\WINDOWS\system32\hqznvcsytmcdbxm\tst
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\hqznvcsytmcdbxm\lck
Creates File: C:\WINDOWS\system32\mhdhlljp.exe
Creates Process: C:\WINDOWS\system32\mhdhlljp.exe
Creates Service: Information Device WebClient DHCP Health - C:\WINDOWS\system32\mhdhlljp.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1132

Process
↳ C:\WINDOWS\system32\mhdhlljp.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\hqznvcsytmcdbxm\rng
Creates File: C:\WINDOWS\system32\hqznvcsytmcdbxm\run
Creates File: C:\WINDOWS\TEMP\mtredy9enqoejd.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\hqznvcsytmcdbxm\tst
Creates File: C:\WINDOWS\system32\pujrxyouw.exe
Creates File: C:\WINDOWS\system32\hqznvcsytmcdbxm\lck
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\hqznvcsytmcdbxm\cfg
Creates Process: C:\WINDOWS\TEMP\mtredy9enqoejd.exe -r 51321 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\mhdhlljp.exe"

Process
↳ C:\WINDOWS\system32\mhdhlljp.exe

Creates File: C:\WINDOWS\system32\hqznvcsytmcdbxm\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\mhdhlljp.exe"

Creates File: C:\WINDOWS\system32\hqznvcsytmcdbxm\tst

Process
↳ C:\WINDOWS\TEMP\mtredy9enqoejd.exe -r 51321 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
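The runtime trace above shows the sample dropping executables into the user's Temp directory, C:\WINDOWS\TEMP and system32, registering one of them (mhdhlljp.exe) both under the HKLM Run key and as a service, setting Security Center\FirewallDisableNotify to 1, and relaunching itself through a WATCHDOGPROC command line. The script below is an added example of how an analyst would pull those indicators out of such a trace mechanically; it is not part of the sandbox or this report. SAMPLE_LOG is my transcription of the "Process", "Creates File", "Registry", "Creates Service" and "Creates Process" lines above into one "Label: detail" line per event (constructed input, not a raw capture), and the regexes for autostart locations and drop directories are my own choices.

```python
"""Triage a sandbox behaviour log for persistence and tamper indicators.

Added example, not the sandbox's own code. SAMPLE_LOG is a transcription of
the report's 'Process' / 'Creates File' / 'Registry' / 'Creates Service' /
'Creates Process' lines into one 'Label: detail' line per event; it is
constructed input, not a capture.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Process: C:\malware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\mtredywmyjbjdjnejqpv.exe
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\mtredywmyjbjdjnejqpv.exe
Process: C:\Documents and Settings\Administrator\Local Settings\Temp\mtredywmyjbjdjnejqpv.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Offline Error Mapper Port Removal Propagation ➝ C:\WINDOWS\system32\mhdhlljp.exe
Creates File: C:\WINDOWS\system32\mhdhlljp.exe
Creates Process: C:\WINDOWS\system32\mhdhlljp.exe
Creates Service: Information Device WebClient DHCP Health - C:\WINDOWS\system32\mhdhlljp.exe
Process: C:\WINDOWS\system32\mhdhlljp.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\mtredy9enqoejd.exe
Creates File: C:\WINDOWS\system32\pujrxyouw.exe
Creates Process: C:\WINDOWS\TEMP\mtredy9enqoejd.exe -r 51321 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\mhdhlljp.exe"
"""

# Autostart locations and Security Center tamper values worth flagging on sight
# (my own selection, not an exhaustive list of persistence keys).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
SECURITY_CENTER = re.compile(r"\\Security Center\\(\w+DisableNotify)$", re.I)
# A PE written into a temp directory or system32 during the run.
DROPPED_EXE = re.compile(r"\\(Temp|system32)\\[^\\]+\.exe$", re.I)


def parse_log(text):
    """Return (actor, action, detail) tuples; actor is the enclosing 'Process:' path."""
    actor, events = None, []
    for line in text.strip().splitlines():
        label, sep, detail = line.partition(": ")
        if not sep:
            continue  # not a 'Label: detail' line
        if label == "Process":
            actor = detail
        elif actor is not None:
            events.append((actor, label, detail))
    return events


def triage(text):
    """Group the events into the indicators an analyst would pull from the report."""
    findings = defaultdict(list)
    dropped = set()  # lower-cased paths of executables written during the run
    for actor, action, detail in parse_log(text):
        if action == "Creates File" and DROPPED_EXE.search(detail):
            dropped.add(detail.lower())
            findings["dropped_executables"].append(detail)
        elif action == "Registry":
            key, _, value = detail.partition(" ➝ ")
            if RUN_KEY.search(key):
                findings["run_key_persistence"].append((key.rsplit("\\", 1)[1], value))
            m = SECURITY_CENTER.search(key)
            if m and value == "1":
                findings["security_center_tamper"].append(m.group(1))
        elif action == "Creates Service":
            name, _, path = detail.rpartition(" - ")
            findings["service_persistence"].append((name, path))
        elif action == "Creates Process":
            cmd = detail.lower()
            for path in dropped:
                if path in cmd:
                    # Direct launch of a dropped file, or a relaunch through a wrapper
                    # token (here WATCHDOGPROC) whose argument points back at it.
                    bucket = "launched_dropped" if cmd.startswith(path) else "wrapped_relaunch"
                    findings[bucket].append((actor, detail))
    # Persistence that points at a binary written during the same run is the
    # strongest signal in the trace: no installer ran that could explain it.
    for _, target in findings["run_key_persistence"] + findings["service_persistence"]:
        if target.lower() in dropped:
            findings["persistence_to_dropped_binary"].append(target)
    return dict(findings)


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
```

Run against the transcription, the output lists four dropped executables, the Run-key and service entries both pointing at the freshly written mhdhlljp.exe, the FirewallDisableNotify write, and the WATCHDOGPROC relaunch as a separate bucket from the direct launches, which is the set of host IOCs to carry into hunting.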

Network Details:

DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: waitwing.net (Type: A)
DNS: gentleangry.net (Type: A)
DNS: casestep.net (Type: A)
DNS: wifeabout.net (Type: A)
DNS: simonettedwerryhouse.net (Type: A)
DNS: morningduring.net (Type: A)
DNS: resultneedle.net (Type: A)
DNS: streetsquare.net (Type: A)
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 66.147.240.171:80
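The network section records nine A lookups to distinct, letters-only .net domains, only one of which (riddenstorm.net) returned an address, followed by a GET to that host with an empty User-Agent. The script below is an added example (mine, not the sandbox's) that turns that pattern into a repeatable check: a fan-out of lookups with a low resolution rate, a uniform domain shape, and a beacon to the one surviving host. DNS_QUERIES and HTTP_REQUESTS are transcribed from the report above (constructed input, not a pcap); the thresholds and the two-label registered-domain shortcut are my assumptions for a single sandbox run.

```python
"""Summarise the DNS fan-out and HTTP beacon recorded under Network Details.

Added example, not the sandbox's own code. DNS_QUERIES and HTTP_REQUESTS are
transcribed from the report (constructed input, not a pcap); the thresholds
are my own choices for a single sandbox run, not tuned values.
"""
from collections import Counter

DNS_QUERIES = [  # (name, record type, answers recorded)
    ("riddenstorm.net", "A", ["66.147.240.171"]),
    ("waitwing.net", "A", []),
    ("gentleangry.net", "A", []),
    ("casestep.net", "A", []),
    ("wifeabout.net", "A", []),
    ("simonettedwerryhouse.net", "A", []),
    ("morningduring.net", "A", []),
    ("resultneedle.net", "A", []),
    ("streetsquare.net", "A", []),
]
HTTP_REQUESTS = [  # (method, url, user_agent)
    ("GET", "http://riddenstorm.net/index.php", ""),
]


def registered_domain(name):
    """Last two labels; a real deployment would consult the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def analyse_dns(queries, min_queries=5, max_resolved_ratio=0.5):
    """Flag a burst of lookups to many distinct domains of which few resolve."""
    domains = {registered_domain(n) for n, _, _ in queries}
    resolved = {registered_domain(n) for n, _, ans in queries if ans}
    tlds = Counter(d.rsplit(".", 1)[1] for d in domains)
    ratio = len(resolved) / len(domains) if domains else 0.0
    return {
        "queried": len(domains),
        "resolved": sorted(resolved),
        "resolved_ratio": ratio,
        # Shape signals: every label alphabetic, everything under one TLD.
        "single_tld": len(tlds) == 1,
        "alpha_only_labels": all(d.split(".")[0].isalpha() for d in domains),
        "fanout_suspicious": len(domains) >= min_queries and ratio <= max_resolved_ratio,
    }


def analyse_http(requests, resolved):
    """Pair each request with the DNS picture: an empty User-Agent towards the
    one host that survived the fan-out is the beacon to pivot on."""
    findings = []
    for method, url, ua in requests:
        host = url.split("//", 1)[-1].split("/", 1)[0]
        findings.append({
            "request": f"{method} {url}",
            "empty_user_agent": ua.strip() == "",
            "host_resolved_in_run": registered_domain(host) in resolved,
        })
    return findings


def triage_network(queries=DNS_QUERIES, requests=HTTP_REQUESTS):
    """Combine both views into one summary for the run."""
    dns = analyse_dns(queries)
    return {"dns": dns, "http": analyse_http(requests, set(dns["resolved"]))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_network(), indent=2))
```

For this run the summary reports 9 domains queried, 1 resolved, a single TLD with alphabetic-only labels, and a request flagged for both the empty User-Agent and the fact that its host was the only one to resolve; the same functions can be fed DNS and HTTP records from a proxy or resolver log to look for the same shape on a live network.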

Raw Pcap

Strings