Analysis Date2015-07-27 15:59:37
MD51148d038f5711d7b4c1bf9a19bd93346
SHA17ffc33d937e36613d5e1d503ab9fb83075f4b6ab

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 0f6cb8d427489423497facdd1278a0de sha1: 26705467ec6e9e3bb053a52de6376d09a6fe64b5 size: 1349120
Section.rdata md5: b7a196cc43cc4e2ce572938e8a1e4bee sha1: b972273c73fdadd70d23a37174e761b9b9a15116 size: 512
Section.data md5: f3b6aa4dc24987cc5f137afb85c2dda5 sha1: c2ebcf94b2d719988f6255cf9b3d8942aab9d8c3 size: 512
Section.rsrc md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Timestamp2015-02-07 09:53:36
PEhash14fcd22707993c4b5e63a9f2fac05e725f0f9ad6
IMPhashbb9d46cefeacf4ceb4b7b17f4c38f075
AVRisingTrojan.Win32.PolyRansom.a
AVMcafeeW32/VirRansom.b
AVAvira (antivir)TR/Crypt.XPACK.Gen
AVTwisterW32.PolyRansom.b.brnk.mg
AVAd-AwareWin32.Virlock.Gen.2
AVAlwil (avast)Evo-gen [Susp]
AVEset (nod32)Win32/Virlock.I virus
AVGrisoft (avg)LockScreen.BO
AVSymantecno_virus
AVFortinetW32/Zegost.ATDB!tr
AVBitDefenderWin32.Virlock.Gen.2
AVK7Trojan ( 0040fa481 )
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVMicroWorld (escan)Win32.Virlock.Gen.2
AVMalwareBytesno_virus
AVAuthentiumW32/S-4ad0513c!Eldorado
AVFrisk (f-prot)no_virus
AVIkarusno_virus
AVEmsisoftWin32.Virlock.Gen.2
AVZillya!Virus.Virlock.Win32.1
AVKasperskyVirus.Win32.PolyRansom.b
AVTrend Microno_virus
AVCAT (quickheal)Error Scanning File
AVVirusBlokAda (vba32)no_virus
AVPadvishno_virus
AVBullGuardWin32.Virlock.Gen.2
AVArcabit (arcavir)Win32.Virlock.Gen.2
AVClamAVno_virus
AVDr. WebWin32.VirLock.10
AVF-SecureWin32.Virlock.Gen.2
AVCA (E-Trust Ino)Win32/Nabucur.C

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝
C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe,
RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\lwkAEEYw.bat
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Setup.exe
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\lwkAEEYw.bat
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\Setup.exe
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts ServiceBgMMsMHT

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Setup.exe

Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\Setup.exe

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates Mutex$1@
Creates Mutex\\x141@
Creates Mutex,1@
Creates Mutex41@
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates MutexScUMMMcQ
Creates MutexvWcsggUA
Creates Mutex\\x1c1@

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileqIUc.ico
Creates FileC:\RCX9.tmp
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileaYcc.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileqgcE.ico
Creates FileKowo.exe
Creates FileC:\RCX2.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FileyscM.ico
Creates FileqAcw.exe
Creates FileySIM.ico
Creates FileAYoy.exe
Creates FileC:\RCX8.tmp
Creates FileC:\RCX5.tmp
Creates FileOSok.ico
Creates FileC:\RCX3.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileC:\RCXB.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileGcIq.exe
Creates FileOcgG.exe
Creates FileusQa.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates Fileaocg.ico
Creates FileGwAu.exe
Creates FilemwIK.exe
Creates FileAEYG.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\RCX7.tmp
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileqsMY.ico
Creates FilePIPE\lsarpc
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileeCgY.ico
Creates FileC:\RCX6.tmp
Creates FileCook.ico
Creates FileC:\RCXA.tmp
Creates FileuWgU.ico
Creates FileC:\RCX4.tmp
Creates FileigMU.exe
Creates FilesWsU.ico
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Deletes FileqIUc.ico
Deletes FileusQa.exe
Deletes Fileaocg.ico
Deletes FileGwAu.exe
Deletes FilemwIK.exe
Deletes FileaYcc.exe
Deletes FileAEYG.exe
Deletes FileqgcE.ico
Deletes FileKowo.exe
Deletes FileyscM.ico
Deletes FileqsMY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileeCgY.ico
Deletes FileqAcw.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileySIM.ico
Deletes FileAYoy.exe
Deletes FileCook.ico
Deletes FileuWgU.ico
Deletes FileOSok.ico
Deletes FileigMU.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FilesWsU.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileGcIq.exe
Deletes FileOcgG.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Creates Mutex$1@
Creates Mutex\\x141@
Creates Mutex,1@
Creates Mutex41@
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates MutexScUMMMcQ
Creates MutexvWcsggUA
Creates Mutex\\x1c1@

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 856

Process
↳ Pid 1024

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates FileWMIDataDevice

Process
↳ Pid 1872

Process
↳ Pid 1164

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Setup.exe

Network Details:

DNSblock.io
Type: A
104.237.132.39
DNSgoogle.com
Type: A
173.194.46.64
DNSgoogle.com
Type: A
173.194.46.78
DNSgoogle.com
Type: A
173.194.46.73
DNSgoogle.com
Type: A
173.194.46.72
DNSgoogle.com
Type: A
173.194.46.71
DNSgoogle.com
Type: A
173.194.46.70
DNSgoogle.com
Type: A
173.194.46.69
DNSgoogle.com
Type: A
173.194.46.68
DNSgoogle.com
Type: A
173.194.46.67
DNSgoogle.com
Type: A
173.194.46.66
DNSgoogle.com
Type: A
173.194.46.65
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1032 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1033 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1034 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1035 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1036 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1037 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1038 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1039 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1040 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1041 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1042 ➝ 104.237.132.39:443
Flows TCP192.168.1.1:1043 ➝ 173.194.46.64:80
Flows TCP192.168.1.1:1044 ➝ 173.194.46.64:80

Raw Pcap
0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   160303                                ...

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a d3f78f57 cec7fa              .......W...


Strings