Analysis Date: 2016-02-05 01:32:14
MD5: 9708f99bd2997034e5f23cae2ac977c1
SHA1: 7b28206d33871476648bcc8d354403e5cb044e18

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0   md5: d41d8cd98f00b204e9800998ecf8427e   sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709   size: 0
Section UPX1   md5: bd155eca711e655757fe1f3c42312dea   sha1: fd946a5629711862d30a44dec9fe153e04190ee8   size: 17920
Section .rsrc  md5: 2bbd59e7e47f6dbc020434c9d2e8dc5c   sha1: 86bb054ba5a0d3ad5cc83cfd24b4ada4310aee5f   size: 6144
(UPX0 has a raw size of 0, so its MD5 and SHA1 are simply the hashes of empty input; it is the virtual region the UPX1 stub decompresses into. Section hashes are therefore only meaningful after unpacking.)
Timestamp: 2015-03-19 15:02:04
Version info:
  LegalCopyright: Copyright © 1998-2008 Mark Russinovich
  InternalName: Sysinternals Debug Output Viewer
  FileVersion: 4.76
  CompanyName: Sysinternals
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: Sysinternals Debugview
  SpecialBuild:
  ProductVersion: 4.76
  FileDescription: DebugView
  OriginalFilename: Dbgview.exe
(The version resource is copied from Sysinternals DebugView 4.76. A 2015 link timestamp on a "1998-2008" product, UPX packing and the backdoor verdicts below show this is not the genuine Dbgview.exe; do not allowlist on version strings alone.)
Packer: UPX -> www.upx.sourceforge.net
PEhash: 7894aa43971ad7fd0702f0bf3a71c218bb815aa7
IMPhash: 0631757a7096b865c9428639aeb080e0 (computed on the packed file, so it reflects the UPX stub's import table rather than the payload's)
AV results (24 of 30 engines flag the file; 5 report clean, 1 failed to scan):
AV F-Secure: Gen:Variant.Kazy.444712
AV Ad-Aware: Gen:Variant.Kazy.444712
AV Grisoft (avg): Agent4.CAQD
AV CAT (quickheal): No Virus
AV Ikarus: Trojan-Downloader.Win32.Agent
AV Avira (antivir): TR/Redosdru.W
AV K7: Trojan ( 0040f8861 )
AV ClamAV: No Virus
AV Kaspersky: Trojan.Win32.Agent.icwn
AV Arcabit (arcavir): Gen:Variant.Kazy.444712
AV MalwareBytes: Trojan.Agent.QQ
AV Dr. Web: BackDoor.Zegost.568
AV Mcafee: RDN/Generic BackDoor
AV BitDefender: Gen:Variant.Kazy.444712
AV Microsoft Security Essentials: Error Scanning File
AV Emsisoft: Gen:Variant.Kazy.444712
AV MicroWorld (escan): Gen:Variant.Kazy.444712
AV Alwil (avast): Dropper-ODF [Drp]
AV Rising: No Virus
AV Eset (nod32): Win32/Fusing.CF
AV BullGuard: Gen:Variant.Kazy.444712
AV Symantec: Backdoor.Trojan
AV Fortinet: W32/Farfli.BMH!tr
AV Trend Micro: BKDR_BEAUGRIT.SM
AV Authentium: W32/NewMalware-Rootkit-I-based!
AV Twister: Trojan.Agent.icwn.tdmm
AV Frisk (f-prot): W32/NewMalware-Rootkit-I-based!
AV VirusBlokAda (vba32): No Virus
AV CA (E-Trust Ino): No Virus
AV Zillya!: Trojan.Agent.Win32.539211
(The family names that are not generic, Zegost and Farfli, are vendor aliases for Gh0st-derived backdoors, which is consistent with the service persistence and C2 behaviour recorded below.)

Runtime Details:

Screenshot: (image not preserved in this copy)

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wsdihh rvnukyyq\ConnectGroup ➝ \xc4\xac\xc8\xcf\xb7\xd6\xd7\xe9\x00
  (the value is NUL-terminated GBK text, 默认分组, "default group": the group label Gh0st-lineage RATs store alongside their C2 configuration)
Creates File: C:\4510.vbs
Creates File: C:\Program Files\Microsoft Qdanir\Wmgeyke.exe
Creates Service: Ukogem kucuykom - C:\Program Files\Microsoft Qdanir\Wmgeyke.exe
  (the service key name, the service name and the "Microsoft Qdanir" directory are all generated pseudo-random strings, so match on the pattern, not on these exact names)

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log  (WMI event-subsystem log written by the WMI service host; background activity, not attributable to the sample)

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1152

Process
↳ C:\Program Files\Microsoft Qdanir\Wmgeyke.exe

Creates File: pipe\net\NtControlPipe10  (service control pipe: the Service Control Manager is starting the dropped binary as a service)
Creates File: \Device\Afd\Endpoint  (Winsock socket opened for the C2 connection recorded under Network Details)
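Hunting for this persistence pattern on other hosts. The Python below is an added example, not part of the sandbox report or of any tool it mentions. It runs over a constructed, hypothetical service inventory (one entry mirrors the dropped service above, the rest are benign decoys) and applies two rules taken from the observations above: a ConnectGroup value under the service key, and a service binary living in a "Microsoft <word>" folder under Program Files that no known product owns. KNOWN_MICROSOFT_DIRS is an assumed allowlist; on a live host the inventory would come from the Services registry hive or a Sysmon/EDR export rather than from the literal list here.

```python
import re
from typing import Dict, List

# Constructed service inventory (hypothetical, not data from the sandbox run).
# The first entry mirrors the service this report shows being created; the
# other two are benign decoys so the rules have something to ignore.
SERVICES: List[Dict] = [
    {
        "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Wsdihh rvnukyyq",
        "display_name": "Ukogem kucuykom",
        "image_path": r"C:\Program Files\Microsoft Qdanir\Wmgeyke.exe",
        "values": {"ConnectGroup": b"\xc4\xac\xc8\xcf\xb7\xd6\xd7\xe9\x00"},
    },
    {
        "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler",
        "display_name": "Print Spooler",
        "image_path": r"C:\WINDOWS\system32\spoolsv.exe",
        "values": {},
    },
    {
        "key": r"HKLM\SYSTEM\CurrentControlSet\Services\MSSQLSERVER",
        "display_name": "SQL Server (MSSQLSERVER)",
        "image_path": r'"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER',
        "values": {},
    },
]

# Assumed allowlist of "Program Files\Microsoft ..." directories that real
# products own. Build it from a known-good host in your own estate.
KNOWN_MICROSOFT_DIRS = {
    "microsoft office", "microsoft sql server", "microsoft silverlight",
    "microsoft visual studio", "microsoft sdks", "microsoft.net",
}

# A "Microsoft <something>" directory directly under Program Files (optionally
# quoted, optionally "(x86)"); the dropper above uses this shape to blend in.
_MS_DIR = re.compile(
    r'^"?[A-Za-z]:\\Program Files(?: \(x86\))?\\(Microsoft[^\\]*)\\', re.IGNORECASE)


def gbk_text(raw: bytes) -> str:
    """Decode a NUL-terminated GBK string of the kind Gh0st-lineage RATs store."""
    return raw.split(b"\x00", 1)[0].decode("gbk", errors="replace")


def check_service(svc: Dict) -> List[str]:
    """Return the reasons (empty if none) this service matches the report's pattern."""
    reasons: List[str] = []
    # Rule 1: a ConnectGroup value under the service key is the RAT's group label;
    # no Windows service stores its configuration under that name.
    if "ConnectGroup" in svc["values"]:
        reasons.append("ConnectGroup=%r" % gbk_text(svc["values"]["ConnectGroup"]))
    # Rule 2: the binary lives in a vendor-lookalike folder no known product owns.
    m = _MS_DIR.match(svc["image_path"])
    if m and m.group(1).lower() not in KNOWN_MICROSOFT_DIRS:
        reasons.append("unknown vendor-lookalike dir %r" % m.group(1))
    return reasons


def hunt(services: List[Dict]) -> Dict[str, List[str]]:
    """Map service key -> reasons for every service that trips at least one rule."""
    findings: Dict[str, List[str]] = {}
    for svc in services:
        reasons = check_service(svc)
        if reasons:
            findings[svc["key"]] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in hunt(SERVICES).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

Rule 1 is the stronger signal: the directory and service names are regenerated per infection, but the RAT still has to persist its group label somewhere, and the report shows it does so under the service key. Rule 2 will need tuning against your own allowlist before it is quiet enough for alerting.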

Network Details:

DNS: Glory2015.eicp.net
  Type: A
  174.128.255.231
Flows: TCP 192.168.1.1:1031 ➝ 174.128.255.231:2014
(eicp.net is a dynamic-DNS domain, so the resolved address is a point-in-time observation; pivot on the hostname and the non-standard port 2014 rather than on the IP alone.)

Raw Pcap
0x00000000 (00000)   235cbdb8 3696258a 771dc07a db508e0f   #\..6.%.w..z.P..
0x00000010 (00016)   027cd9ec 82c6a7d1 ee858c29 1e596a7f   .|.........).Yj.
0x00000020 (00032)   a4352cce 9fdfacb8 084e432d 3ba82e02   .5,......NC-;...
0x00000030 (00048)   02a45f6d f490ec6e 980e4e37 56eee682   .._m...n..N7V...
0x00000040 (00064)   cf8cacbe 7385c3c7 72ce515e 42c4dbc6   ....s...r.Q^B...
0x00000050 (00080)   a9b4876d db055042 0b78765d 150a6eeb   ...m..PB.xv]..n.
0x00000060 (00096)   d1794649 9b7197bf 1377fd93 a365eb9a   .yFI.q...w...e..
0x00000070 (00112)   cc203610 782b119d 70bd88a8 e9bbecd4   . 6.x+..p.......
0x00000080 (00128)   c820ff92 bed6e5aa 8cda5cbb 59fa5636   . ........\.Y.V6
0x00000090 (00144)   9da53e02 652fc008 cb89e864 69e2273e   ..>.e/.....di.'>
0x000000a0 (00160)   3d5ecee2 38acbd61 e922486a 02d18ea9   =^..8..a."Hj....
0x000000b0 (00176)   19fcf0aa 8677c78d 3dcc799d 4a2526a8   .....w..=.y.J%&.
0x000000c0 (00192)   ddc8ea8e 4322244d b70c                ....C"$M..
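Checking the first C2 payload. The AV verdicts above name Gh0st-lineage families (Zegost, Farfli); the classic Gh0st frame is a plaintext "Gh0st" magic, a 4-byte total length, a 4-byte uncompressed length and a zlib stream, all of which would be recognisable in the dump. The Python below is an added example, not taken from the report, that rebuilds the bytes from the hexdump above, tests for that framing and measures byte entropy to confirm the traffic is opaque rather than plaintext. The 6.0 bits-per-byte threshold is an assumption chosen for a 202-byte sample.

```python
import math
import re
from collections import Counter
from typing import Tuple

# The first TCP payload exactly as the sandbox printed it in the Raw Pcap block above.
HEXDUMP = r"""
0x00000000 (00000)   235cbdb8 3696258a 771dc07a db508e0f   #\..6.%.w..z.P..
0x00000010 (00016)   027cd9ec 82c6a7d1 ee858c29 1e596a7f   .|.........).Yj.
0x00000020 (00032)   a4352cce 9fdfacb8 084e432d 3ba82e02   .5,......NC-;...
0x00000030 (00048)   02a45f6d f490ec6e 980e4e37 56eee682   .._m...n..N7V...
0x00000040 (00064)   cf8cacbe 7385c3c7 72ce515e 42c4dbc6   ....s...r.Q^B...
0x00000050 (00080)   a9b4876d db055042 0b78765d 150a6eeb   ...m..PB.xv]..n.
0x00000060 (00096)   d1794649 9b7197bf 1377fd93 a365eb9a   .yFI.q...w...e..
0x00000070 (00112)   cc203610 782b119d 70bd88a8 e9bbecd4   . 6.x+..p.......
0x00000080 (00128)   c820ff92 bed6e5aa 8cda5cbb 59fa5636   . ........\.Y.V6
0x00000090 (00144)   9da53e02 652fc008 cb89e864 69e2273e   ..>.e/.....di.'>
0x000000a0 (00160)   3d5ecee2 38acbd61 e922486a 02d18ea9   =^..8..a."Hj....
0x000000b0 (00176)   19fcf0aa 8677c78d 3dcc799d 4a2526a8   .....w..=.y.J%&.
0x000000c0 (00192)   ddc8ea8e 4322244d b70c                ....C"$M..
"""

_HEX_TOKEN = re.compile(r"^[0-9a-f]{2,8}$")
GH0ST_MAGIC = b"Gh0st"          # classic Gh0st RAT packet header
OPAQUE_THRESHOLD = 6.0          # assumed cut-off in bits/byte for "encrypted or compressed"


def parse_hexdump(dump: str) -> bytes:
    """Rebuild payload bytes from 'offset (decimal) hex-groups ascii-gutter' lines."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        line_bytes = bytearray()
        for tok in tokens[2:]:          # skip the hex offset and "(decimal)" offset
            if len(line_bytes) >= 16 or not _HEX_TOKEN.match(tok) or len(tok) % 2:
                break                   # reached the ASCII gutter
            line_bytes += bytes.fromhex(tok)
        out += line_bytes
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the ceiling; ASCII protocol text sits around 4 to 5."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_first_packet(data: bytes) -> Tuple[bool, bool, float]:
    """(has Gh0st magic, has zlib header at offset 13, entropy).

    A classic Gh0st frame is 5-byte magic + 4-byte total length + 4-byte
    uncompressed length, so a zlib stream (0x78 followed by a level byte)
    would start at offset 13.
    """
    has_magic = data.startswith(GH0ST_MAGIC)
    has_zlib = len(data) > 14 and data[13] == 0x78 and data[14] in (0x01, 0x5E, 0x9C, 0xDA)
    return has_magic, has_zlib, shannon_entropy(data)


def looks_opaque(data: bytes) -> bool:
    """True when the packet has neither Gh0st framing nor plaintext-like entropy."""
    has_magic, has_zlib, entropy = classify_first_packet(data)
    return not has_magic and not has_zlib and entropy > OPAQUE_THRESHOLD


if __name__ == "__main__":
    payload = parse_hexdump(HEXDUMP)
    magic, zlib_hdr, entropy = classify_first_packet(payload)
    print("bytes=%d gh0st_magic=%s zlib_at_13=%s entropy=%.2f opaque=%s"
          % (len(payload), magic, zlib_hdr, entropy, looks_opaque(payload)))
```

No recognisable header and high entropy mean a signature for the port-2014 traffic should be built on the flow (hostname, destination port, first-packet length) rather than on payload bytes, and the dynamic-DNS hostname is the more durable pivot than 174.128.255.231. The example does not attempt to decrypt the payload; the report gives no basis for naming the variant's encoding.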


Strings