Analysis Date: 2015-09-30 06:44:02
MD5: a74f8bb071de766f259fbbce20949429
SHA1: 647ac31144ee730bd94ee06a2dc9fba23efb90ae

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 4335eb2a0fdb607d36491699e1813496 sha1: 6b0cd6f90a33b1b6289931384f18cd1ed67478cc size: 512
Section .rdata md5: ab29002ea2e7c0d91a2bde1d817ca366 sha1: ced738602e81801744fe86d982895b06b7ce5a58 size: 104960
Section .data  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc  md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .reloc md5: b3555202f7072510d3326ebc139e0b32 sha1: 6e875aab431fa0e6319b47bc45e12bac978d3584 size: 512
Timestamp: 2014-04-25 13:53:08
Packer: Borland Delphi 3.0 (???)
PEhash: 1a43470255bbd861b6601e7df35ca42f31b78ac6
IMPhash: 5d907e4f447d6c7f2275c3923df49f63
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: RDN/Generic FakeAlert
AV Avira (antivir): TR/Dropper.Gen
AV Twister: Virus.535657@24000FF@2FF.mg
AV Ad-Aware: Gen:Variant.Kazy.306055
AV Alwil (avast): MalOb-HP [Cryp]
AV Eset (nod32): Win32/Kryptik.BVQC
AV Grisoft (avg): Crypt3.LMM
AV Symantec: Trojan.Gen.2
AV Fortinet: W32/FakeAV.BVQC!tr
AV BitDefender: Gen:Variant.Kazy.306055
AV K7: Trojan ( 004967951 )
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.306055
AV MalwareBytes: no_virus
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Win32.SuspectCrc
AV Emsisoft: Gen:Variant.Kazy.306055
AV Zillya!: Trojan.FakeAV.Win32.316299
AV Kaspersky: Backdoor.Win32.Gulpix.vkb
AV Trend Micro: BKDR_PLUGX.EO
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.306055
AV Arcabit (arcavir): Gen:Variant.Kazy.306055
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader15.52543
AV F-Secure: Gen:Variant.Kazy.306055

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Process: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Mutex: Global\mxtlmjiopofvathee

Process
↳ C:\Documents and Settings\All Users\DRM\XXX\.exe

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\mschu
Creates Mutex: Global\onuteywax
Creates Mutex: Global\iqlgrgyod
Creates Mutex: Global\qydypagscilex
Creates Mutex: Global\aemuqqzto
Creates Mutex: Global\ehjwk
Creates Mutex: Global\ehkzbwkeeajtl
Creates Mutex: Global\mxtlmjiopofvathee
Creates Mutex: Global\ommintqmj
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\wyllxlzfs
Creates Mutex: Global\yolmkdfltbeiyknbl
Creates Mutex: Global\cvupekdinrlasigei
Creates Mutex: Global\ykbchaeqgqtdt
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\crikh

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150930060900.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150930060850.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150930060840.jpg
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150930060855.jpg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\XXX\nprqyjadoqkp
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150930060830.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150930060835.jpg
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150930060845.jpg
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150930060825.jpg
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150930060905.jpg
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\000000010000000000000100
Creates Mutex: MMMM
Winsock DNS: 127.0.0.1

Network Details:

Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53