Analysis Date2015-07-27 16:01:48
MD5414629e2396433ae61ead41831829592
SHA16f9b7634302085e5a4c2fde180d5432f3ea4196c

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 5868d4cceb70b0eb2d9a1265d1a64cd4 sha1: 22f0a6953fe3634eb66f5b0a2e568d3acf0b1d62 size: 1008640
Section.rdata md5: f8f8c2f522473ad2acf1e4c2afd69020 sha1: bf63238d71b55d096cb65b6e6ce165b2b4168fff size: 512
Section.data md5: ea965f22f07f892c07d776b1140a080f sha1: e0351c605499f03df940f842af8fde48554f4d35 size: 512
Section.rsrc md5: c22c727a570c2ce342001e81353bd8fc sha1: f805966a712a083f71d185c9a72b0b9d17b5071a size: 4608
Timestamp2015-02-07 09:53:36
PEhash8f2a5c0d827c6e32bf8acae926902d5296bb11ea
IMPhash108015b79db1bddf354902ec81268749
AVRisingTrojan.Win32.PolyRansom.a
AVMcafeeW32/VirRansom.b
AVAvira (antivir)TR/Crypt.ZPACK.Gen
AVTwisterW32.PolyRansom.b.brnk.mg
AVAd-AwareWin32.Virlock.Gen.2
AVAlwil (avast)Evo-gen [Susp]
AVEset (nod32)Win32/Virlock.I virus
AVGrisoft (avg)LockScreen.BO
AVSymantecno_virus
AVFortinetW32/Zegost.ATDB!tr
AVBitDefenderWin32.Virlock.Gen.2
AVK7Trojan ( 0040fa481 )
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVMicroWorld (escan)Win32.Virlock.Gen.2
AVMalwareBytesno_virus
AVAuthentiumW32/S-712c29cb!Eldorado
AVFrisk (f-prot)no_virus
AVIkarusVirus-Ransom.FileLocker
AVEmsisoftWin32.Virlock.Gen.2
AVZillya!Virus.Virlock.Win32.1
AVKasperskyVirus.Win32.PolyRansom.b
AVTrend MicroPE_VIRLOCK.I
AVCAT (quickheal)Error Scanning File
AVVirusBlokAda (vba32)no_virus
AVPadvishno_virus
AVBullGuardWin32.Virlock.Gen.2
AVArcabit (arcavir)Win32.Virlock.Gen.2
AVClamAVno_virus
AVDr. WebWin32.VirLock.10
AVF-SecureWin32.Virlock.Gen.2
AVCA (E-Trust Ino)Win32/Nabucur.C

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝
C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe,
RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\wykAsgsk.bat
Creates FileC:\6f9b7634302085e5a4c2fde180d5432f3ea4196c
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\wykAsgsk.bat
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\6f9b7634302085e5a4c2fde180d5432f3ea4196c"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts ServiceBgMMsMHT

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ "C:\6f9b7634302085e5a4c2fde180d5432f3ea4196c"

Creates ProcessC:\6f9b7634302085e5a4c2fde180d5432f3ea4196c

Process
↳ C:\6f9b7634302085e5a4c2fde180d5432f3ea4196c

Process
↳ "C:\6f9b7634302085e5a4c2fde180d5432f3ea4196c"

Creates ProcessC:\6f9b7634302085e5a4c2fde180d5432f3ea4196c

Process
↳ C:\6f9b7634302085e5a4c2fde180d5432f3ea4196c

Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\wqUsIgkI.bat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\6f9b7634302085e5a4c2fde180d5432f3ea4196c
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\wqUsIgkI.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process"C:\6f9b7634302085e5a4c2fde180d5432f3ea4196c"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileOEUE.ico
Creates FileC:\RCX9.tmp
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates Fileiscs.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FileGkIc.exe
Creates FileGswE.exe
Creates FileGYgE.ico
Creates FileC:\RCX8.tmp
Creates FileC:\RCX5.tmp
Creates FileC:\RCX3.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileC:\RCXB.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileWQcQ.ico
Creates FileQsMM.ico
Creates FileeUcY.exe
Creates FilewWYA.ico
Creates FileSckC.exe
Creates FilewQQc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FilepkYw.ico
Creates FileaycY.ico
Creates FileRIAo.exe
Creates FileuYQM.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\RCX7.tmp
Creates FileFoMW.exe
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileaCgg.ico
Creates FilePIPE\lsarpc
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileBEsi.exe
Creates FileeskA.exe
Creates FileC:\RCX6.tmp
Creates FileuAsc.ico
Creates FileWAcM.ico
Creates FileC:\RCXA.tmp
Creates FileQckk.exe
Creates FileC:\RCX4.tmp
Creates FileGcAg.exe
Creates FileaSMY.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FileTAUK.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileKQIu.exe
Deletes FileOEUE.ico
Deletes Fileiscs.ico
Deletes FileGkIc.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileGswE.exe
Deletes FileGYgE.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileWQcQ.ico
Deletes FileQsMM.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FilewWYA.ico
Deletes FileSckC.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FilewQQc.ico
Deletes FilepkYw.ico
Deletes FileRIAo.exe
Deletes FileuYQM.exe
Deletes FileaCgg.ico
Deletes FileFoMW.exe
Deletes FileeskA.exe
Deletes FileBEsi.exe
Deletes FileuAsc.ico
Deletes FileWAcM.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileQckk.exe
Deletes FileGcAg.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileaSMY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileTAUK.exe
Deletes FileKQIu.exe
Creates Mutex$1@
Creates Mutex\\x141@
Creates Mutex,1@
Creates Mutex41@
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates MutexScUMMMcQ
Creates MutexvWcsggUA
Creates Mutex\\x1c1@

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates Mutex$1@
Creates Mutex\\x141@
Creates Mutex,1@
Creates Mutex41@
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates MutexScUMMMcQ
Creates MutexvWcsggUA
Creates Mutex\\x1c1@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1152

Network Details:

DNSblock.io
Type: A
104.237.132.39
DNSgoogle.com
Type: A
173.194.46.73
DNSgoogle.com
Type: A
173.194.46.72
DNSgoogle.com
Type: A
173.194.46.71
DNSgoogle.com
Type: A
173.194.46.70
DNSgoogle.com
Type: A
173.194.46.69
DNSgoogle.com
Type: A
173.194.46.68
DNSgoogle.com
Type: A
173.194.46.67
DNSgoogle.com
Type: A
173.194.46.66
DNSgoogle.com
Type: A
173.194.46.65
DNSgoogle.com
Type: A
173.194.46.64
DNSgoogle.com
Type: A
173.194.46.78
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1032 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1033 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1034 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1035 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1036 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1037 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1038 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1039 ➝ 173.194.46.73:80
Flows TCP192.168.1.1:1040 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1041 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1042 ➝ 173.194.46.73:80
Flows TCP192.168.1.1:1043 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1044 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1045 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1046 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1047 ➝ 104.237.132.39:443

Raw Pcap
0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a 7982dbab cac234              ....y.....4

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a 0127a7a1 a0b678              .....'....x


Strings