Analysis Date: 2018-05-16 23:34:31
MD5: 0b850ab69b9748ea5277d1b68e6bd25f
SHA1: 90d0ce9898c534dba41edaf96590a5c895416bf5

Static Details:

AV vendor                       Detection
Arcabit (arcavir)               Gen:Variant.Emotet.2
Arcabit (arcavir)               Worm.Ludbaruma.A
Authentium                      W32/VBInject.IL.gen!Eldorado
Grisoft (avg)                   Win32/DH{gVKBUYFP?}
Avira (antivir)                 TR/Dropper.Gen
Alwil (avast)                   Emotet-AI [Trj]
Alwil (avast)                   Evo-gen [Susp]
Alwil (avast)                   GenMalicious-EUW [Trj]
Ad-Aware                        Worm.Ludbaruma.A
BitDefender                     Worm.Ludbaruma.A
BullGuard                       Worm.Ludbaruma.A
ClamAV                          Win.Trojan.Generic-6333842-0
Dr. Web                         Trojan.DownLoader7.3730
Emsisoft                        Worm.Ludbaruma.A
MicroWorld (escan)              Worm.Ludbaruma.A
CA (E-Trust Ino)                Generic.Malware.SMP!DPk!g.7B255D78
Fortinet                        W32/Regrun.PKE!tr
Frisk (f-prot)                  W32/Kovtex.B!Generic
F-Secure                        Worm.Ludbaruma.A
Ikarus                          Trojan.Win32.Patched
K7                              Error Scanning File
Kaspersky                       Trojan-Ransom.Win32.Blocker.kpuo
MalwareBytes                    Trojan.Dropper
Mcafee                          W32/Rontokbro.gen@MM
Microsoft Security Essentials   Trojan:Win32/Bagsu!rfn
Microsoft Security Essentials   Worm:Win32/Ludbaruma.A
NANO                            Error Scanning File
Eset (nod32)                    Win32/VB.ORD worm
Padvish                         No Virus
CAT (quickheal)                 Trojan.Regrun
Rising                          Worm.Win32.VBInjectEx.a
360 Safe                        No Virus
Sophos                          W32/Mato-N
SUPERAntiSpyware                Worm.Ludbaruma/Variant
Symantec                        W32.Cridex.B
Trend Micro                     No Virus
Twister                         W32.VB.ORD.gysn.arc
VirusBlokAda (vba32)            Trojan.Downloader
Windows Defender                Trojan:Win32/Bagsu!rfn
Windows Defender                Worm:Win32/Ludbaruma.A
Zillya!                         Worm.VB.Win32.28547

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\90d0ce9898c534dba41edaf96590a5c895416bf5.exe

Creates File: C:\Users\Phil\AppData\Local\Temp\~DF7F57469075144038.TMP
Creates File: C:\
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
Creates File: C:\Users\desktop.ini
Creates File: C:\Users
Creates File: C:\Users\Phil
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE ➝ C:\Windows\system32\Mig~mig.SCR
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure ➝ 0
Registry: HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut ➝ 600
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xk ➝ C:\Windows\xk.exe
Creates Mutex
Creates Mutex

Process
↳ C:\Windows\xk.exe

Creates File: C:\Users\Phil\AppData\Local\Temp\~DF455E26566851E64B.TMP

Process
↳ C:\Windows\SysWOW64\IExplorer.exe

Creates File: C:\Users\Phil\AppData\Local\Temp\~DF001F009C26561753.TMP

Process
↳ C:\Users\Phil\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Creates File: C:\Users\Phil\AppData\Local\Temp\~DFDE135DA0AB878657.TMP

Process
↳ C:\Users\Phil\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Creates File: C:\Users\Phil\AppData\Local\Temp\~DF4BB5DBD4E597F1D1.TMP

Process
↳ C:\Users\Phil\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Creates File: C:\Users\Phil\AppData\Local\Temp\~DF53C293D917FD6798.TMP

Process
↳ C:\Users\Phil\Local Settings\Application Data\WINDOWS\LSASS.EXE

Creates File: C:\Users\Phil\AppData\Local\Temp\~DFDCB2D2DB6AA731BC.TMP

Process
↳ C:\Users\Phil\Local Settings\Application Data\WINDOWS\SMSS.EXE

Creates File: C:\Users\Phil\AppData\Local\Temp\~DF7EEB9572EB591C5A.TMP
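The runtime section above records three things a triager would want to pull out of this report: copies of the sample named after core Windows processes (WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE) launched from under the user's profile rather than System32, a near-miss name (IExplorer.exe in SysWOW64), and two autostart mechanisms, a Run-key entry (xk ➝ C:\Windows\xk.exe) and a replaced screensaver binary (Mig~mig.SCR) with the idle timeout set to 600 seconds and ScreenSaverIsSecure cleared. Since the vendor names in the static section disagree with each other, this recorded behaviour is the more useful basis for detection. The script below is an added example, not output of the sandbox or code from any vendor: it embeds the process paths and registry writes copied from this report as constructed input and flags each of the three patterns. It assumes that the five core process names legitimately run only from C:\Windows\System32, and the list of known binary names used for the lookalike check and the 0.85 similarity threshold are the example's own choices.

```python
"""Triage helpers for the sandbox report above (added example, not sandbox output)."""
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Process image paths copied from the "Runtime Details" section (constructed input).
REPORT_PROCESSES = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Users\Phil\AppData\Local\Temp\90d0ce9898c534dba41edaf96590a5c895416bf5.exe",
    r"C:\Windows\xk.exe",
    r"C:\Windows\SysWOW64\IExplorer.exe",
    r"C:\Users\Phil\Local Settings\Application Data\WINDOWS\WINLOGON.EXE",
    r"C:\Users\Phil\Local Settings\Application Data\WINDOWS\CSRSS.EXE",
    r"C:\Users\Phil\Local Settings\Application Data\WINDOWS\SERVICES.EXE",
    r"C:\Users\Phil\Local Settings\Application Data\WINDOWS\LSASS.EXE",
    r"C:\Users\Phil\Local Settings\Application Data\WINDOWS\SMSS.EXE",
]

# Registry writes copied from the same section as (key, value) pairs (constructed input).
REPORT_REGISTRY = [
    (r"HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE", r"C:\Windows\system32\Mig~mig.SCR"),
    (r"HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure", "0"),
    (r"HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut", "600"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xk", r"C:\Windows\xk.exe"),
]

# Assumption: these core processes legitimately run only from %SystemRoot%\System32.
CORE_PROCESS_HOME = r"c:\windows\system32"
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Assumption: names worth a near-miss comparison, and the similarity cut-off used for it.
KNOWN_BINARIES = ("iexplore.exe", "explorer.exe")
LOOKALIKE_RATIO = 0.85


def find_masquerading(paths):
    """Paths whose file name is a core process name but whose directory is not
    System32. Comparison is case-insensitive, as NTFS path lookups are."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in CORE_PROCESSES and str(wp.parent).lower() != CORE_PROCESS_HOME:
            hits.append(p)
    return hits


def find_lookalikes(paths):
    """(path, known_name) pairs for file names that nearly, but not exactly, match a
    known binary name; catches one-character-off names such as IExplorer.exe."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        for known in KNOWN_BINARIES:
            if name != known and SequenceMatcher(None, name, known).ratio() >= LOOKALIKE_RATIO:
                hits.append((p, known))
                break
    return hits


def persistence_entries(registry_writes):
    """Registry writes that make a binary start without the user launching it:
    Run-key values and the screensaver executable. For the screensaver, the idle
    timeout and the resume-password flag written under the same key are reported
    too, because they decide when the .SCR runs and whether a lock screen follows."""
    writes = {k.lower(): v for k, v in registry_writes}
    found = []
    for key, value in registry_writes:
        k = key.lower()
        if "\\currentversion\\run\\" in k:
            found.append({"mechanism": "run_key", "key": key, "value": value})
        elif k.endswith("\\control panel\\desktop\\scrnsave.exe"):
            desktop = k.rsplit("\\", 1)[0] + "\\"   # the Desktop key this value lives under
            found.append({
                "mechanism": "screensaver",
                "key": key,
                "value": value,
                "timeout_s": int(writes.get(desktop + "screensavetimeout", 0)),
                "password_on_resume": writes.get(desktop + "screensaverissecure") == "1",
            })
    return found


if __name__ == "__main__":
    for p in find_masquerading(REPORT_PROCESSES):
        print("masquerade:", p)
    for p, known in find_lookalikes(REPORT_PROCESSES):
        print("lookalike:", p, "~", known)
    for entry in persistence_entries(REPORT_REGISTRY):
        print("persistence:", entry)
```

The real lsass.exe at the top of the process list is not flagged because it runs from System32; the five profile-directory copies are. The same three functions can be fed a live process listing and the HKCU Run and Desktop keys from a host to check whether it shows the behaviour this report records.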

Network Details: none listed in this report.
