Analysis Date: 2015-09-17 15:55:41
MD5: b0ba15b111d92a2fd8f6ca44f545501a
SHA1: 925c31472884e2ef668b753e9c48be78735a0239

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 system file
Section .text md5: 69000f0a253c48efb60d02bbe6bc6c2c sha1: c6c2a8fd37deed65038ea06729a9f8cc5e4e36c7 size: 294912
Section .rdata md5: 9301bbddebafcfa7aa8373f210cf6427 sha1: 6dc9fd43893376e46c5d13945dbfd2f0376d87bf size: 46592
Section .data md5: a74baca2e3e164ce3d9cee8821da6f2a sha1: 71a2c24ac98e0635f2494e7fd661257d28bfaa6a size: 5632
Section .rsrc md5: 01388b519a537c3faa2b211c3f15bd2f sha1: e382dfa4865a5ccf87ebacf4da22456c53f6b2ad size: 104448
Section .reloc md5: 7eb32ede7d7ffcfcf370d5ad65442828 sha1: d7072a8e7b7404ffb2d944226911d65cbcda82e9 size: 9728
Timestamp: 2015-09-02 00:22:07
Pdb path: P:\work\Refer\closely\achieve\unre.pdb
Version:
  LegalCopyright: © Microsoft Corporation. All rights reserved.
  InternalName: BoxStub.exe
  FileVersion: 10.0.30203.0
  CompanyName: Microsoft Corporation
  ProductName: Microsoft® .NET Framework
  ProductVersion: 10.0.30203.0
  FileDescription: Box Stub
  OriginalFilename: BoxStub.exe
Packer: Microsoft Visual C++ ?.?
PEhash: f67d21416b987f2564f1b7e44d8c65e1cb1e656f
IMPhash: 81eba609f09f83ae8dff82a3ad01aaef
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.54551
AV Dr. Web: Trojan.MulDrop6.3201
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.54551
AV BullGuard: Gen:Variant.Symmi.54551
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan-Downloader.Win32.Upatre.eqle
AV Zillya!: Trojan.Kryptik.Win32.786819
AV Emsisoft: Gen:Variant.Symmi.54551
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.XMTJ-7107
AV MalwareBytes: Backdoor.Bot
AV MicroWorld (escan): Gen:Variant.Symmi.54551
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV K7: Trojan ( 004cd7091 )
AV BitDefender: Gen:Variant.Symmi.54551
AV Fortinet: W32/Kryptik.DTTK!tr
AV Symantec: Trojan.Ransomlock.AK
AV Grisoft (avg): Crypt4.CEBA
AV Eset (nod32): Win32/Kryptik.DVOB
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Ad-Aware: Gen:Variant.Symmi.54551
AV Rising: no_virus
AV Twister: Trojan.Girtk.DVOB.cjrk
AV Avira (antivir): TR/Crypt.Xpack.248982
AV Mcafee: GenericR-EJS!B0BA15B111D9

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_LOCAL_MACHINE\software\2a89521acd\7bf7927d ➝
869\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝
8888
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\software\2a89521acd\7bf7927d ➝
869\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1206 ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝
8888
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\208.97.227[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\awuxet\awuxet.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\208.97.227[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Deletes File: c:\malware.exe
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DE7B2F08C5C35678
Creates Mutex: Global\A0B9737978FF60B0
Winsock DNS: microsoft.com
Winsock DNS: 208.97.227.207

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Creates Mutex: 5734B585673D7847

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2AE3D45A404D6229\41A9ABFBF29E2B327E3 ➝
41A9ABFBF29E2B327E3\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2FC9A1EB19B46A60D1FE\48A004B014648BA3F ➝
48A004B014648BA3F\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart
Winsock DNS: download.microsoft.com

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\NETFX2~1.EXE
Deletes File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp

Network Details:

DNS: microsoft.com
Type: A
134.170.185.46
DNS: microsoft.com
Type: A
134.170.188.221
DNS: a767.dscms.akamai.net
Type: A
23.3.98.11
DNS: a767.dscms.akamai.net
Type: A
23.3.98.41
DNS: a767.dscms.akamai.net
Type: A
23.3.98.10
DNS: download.microsoft.com
Type: A
HTTP GET: http://microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://208.97.227.207/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 208.97.227.207:80
Flows TCP: 192.168.1.1:1032 ➝ 208.97.227.207:80
Flows TCP: 192.168.1.1:1033 ➝ 174.122.121.77:80
Flows TCP: 192.168.1.1:1034 ➝ 134.170.185.46:80
Flows TCP: 192.168.1.1:1035 ➝ 85.189.197.177:80
Flows TCP: 192.168.1.1:1037 ➝ 158.54.194.8:80
Flows TCP: 192.168.1.1:1038 ➝ 158.131.255.33:443
Flows TCP: 192.168.1.1:1040 ➝ 152.233.243.10:80
Flows TCP: 192.168.1.1:1041 ➝ 71.42.216.181:80
Flows TCP: 192.168.1.1:1042 ➝ 208.97.227.207:80
Flows TCP: 192.168.1.1:1043 ➝ 208.13.146.187:80
Flows TCP: 192.168.1.1:1044 ➝ 211.94.251.19:80
Flows TCP: 192.168.1.1:1045 ➝ 23.3.98.11:80
Flows TCP: 192.168.1.1:1046 ➝ 29.150.132.120:80
Flows TCP: 192.168.1.1:1047 ➝ 25.122.245.106:80
Flows TCP: 192.168.1.1:1048 ➝ 39.87.198.129:80
Flows TCP: 192.168.1.1:1049 ➝ 17.132.38.47:8080
Flows TCP: 192.168.1.1:1050 ➝ 25.202.166.86:8080

Raw Pcap

Strings