Analysis Date: 2014-08-28 19:08:11
MD5: bdd5b51f2e2e4803f9c3905478e86983
SHA1: 923c747b1831e0b4fdb0f7382d083b4f771e7248

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: dd3d767afd5e98fbfcec3075a3197986 sha1: e452a6a2bfca8341ca3c9d0cc455327a244ea9c5 size: 12800
Section DATA md5: d8f482ace7c2ab31a18234b04d04474c sha1: f48077f65d892dba3c7bfe6cba8a4ec0c26bdcee size: 60928
Section BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 69a5924f52ab9614d3b8ca1789a30a24 sha1: c70e8f4b3a61a9520e781463f618bbaf9970a4e7 size: 1536
Section .edata md5: b232b688716161525f498e694ed3df56 sha1: bef56a153c280a7ce7a9d4daa2087cef73f93d0d size: 512
Section .reloc md5: 94d1cdc7e448ab9ee61fafdafe631083 sha1: 04d1ec837effc1dac1954a36c8d8cb89a70aad03 size: 512
Section .rsrc md5: 20bc5d68255cfbaad88c1c1ff6acdba6 sha1: edce6483c2b73629026ec95f770b279094b3ca47 size: 1024
Timestamp (PE header compile time): 1992-06-19 22:22:17
PEhash: 2b729c7a7f703991197fffe2acc91b4c1f6a3d6a
IMPhash: fc4583085d0f8f80a5d49534f809ed35

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat

Network Details:

DNS: repubblica.it
Type: A
213.92.16.101
DNS: seesaa.net
Type: A
59.106.28.139
DNS: seesaa.net
Type: A
59.106.98.139
DNS: yelp.com
Type: A
198.51.132.60
DNS: yelp.com
Type: A
198.51.132.160
DNS: eitinvalid.in
Type: A
(no address returned)
DNS: webdatum.in
Type: A
(no address returned)

Raw Pcap

Strings
 
x!
...
nu
m...&...N.1U>y..O.n"

~?],
0UfK
*2[0
2VXb
-'$8
 acqI
Dzs 
f$]1
&F2V
Hbjv&
i3|&
IA>%
`iw9$
kT|f{
lKF'd
mL!1
OOKjm
p+ h
;PtGi
qGqU8
r@KQ
T3uc
tFG@
tSVC
tZ>X
]Yc?'
.YEqV
!0(0}3
3&3.363>3F3V3^3f3n3v3~3
3(4.4=4Z4a4
42969:9>9B9F9J9N9R9V9[9e9o9y9
4&4.464>4F4N4V4^4f4n4
:4<><G<M<
?#?)?/?5?;?A?G?M?S?Y?_?e?k?q?w?}?
6_8f85:
8364913
AddPrintProvidorW
admparse.dll
AdvancedSetupDialog
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
B 85#P@
B8;m$s-
BJIGGJ
BX85#P@
ChangeTimerQueueTimer
CharLowerBuffA
ci2;	O
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CreateMenu
CreatePrinterIC
DeactivateActCtx
DeletePortA
DeviceMode
DialogBoxParamA
.edata
EnterCriticalSection
EnumMonitorsA
EnumMonitorsW
EnumPrintersW
EnumPrintProcessorsW
GetFileSizeEx
GetMenuItemID
GetPrinterDriverDirectoryW
GetProcAddress
GetStartupInfoW
GetWindowInfo
GlobalAlloc
GlobalFree
H:-&P@
.idata
=,=J=U=\=d=k=w=~=
kernel32.dll
KI;m$s-
>,>;>L>`>
LoadLibraryA
LoadLibraryExA
LocalSize
OpenPrinterA
PathFindSuffixArrayA
PerfClose
P.reloc
P.rsrc
Q4eO*/
ReadPrinter
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
      </security>
      <security>
SetMenuContextHelpId
SetPrinterA
SetPrinterDataExA
SetThreadPriority
SetUserObjectInformationA
shlwapi.dll
SHRegDeleteEmptyUSKeyW
StrChrIA
StrChrNIW
StrCSpnIA
StrNCatW
StrRStrIW
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UnregisterHotKey
UpdateResourceW
UpdateWindow
UrlUnescapeA
user32.dll
VirtualAllocEx
VirtualFreeEx
winspool.drv
WriteFileGather
,xb('''
xmax.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>