Analysis Date: 2013-12-09 07:52:19
MD5: 2e21447d3d6d48044f43665cc7ace526
SHA1: 9406e45d3287c308c1b01802c5ca84208608db60

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 44391cf0b8a950497a29c568eea0ffaa sha1: c1e25dea271e914757ab8162e3264184f8adb9ff size: 16384
Section .rdata md5: 5d91c5c50c0f5b5e1353c696fe1c7feb sha1: e154329cc1e70af92881f54dcafde7d6ebd803da size: 8192
Section .data md5: 5fe794a0016c127f8f65c6170df8baf0 sha1: eba2197de9a6b8e4a44b4ae00feb6d002b4f0ece size: 159744
Section .rsrc md5: 2c0048ff837058eec59a14a737843838 sha1: b6210d9f34d965ff6888ebbe639f3ec5ab999325 size: 49152
Timestamp: 2012-06-05 08:58:55
Pdb path: d:\work\Plug3.0(LYT)\Shell6\Release\Shell6.pdb
Packer: Microsoft Visual C++ 7.0
PEhash: 27d7fa1da3a2872dcd2d35b93a3c62b46b6caf56
AV avg: BackDoor.Generic17.COSI
AV avira: TR/Crypt.ZPACK.Gen2
AV msse: Backdoor:Win32/Plugx.A

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Creates File: C:\Documents and Settings\All Users\SxS\bug.log
Creates File: C:\Documents and Settings\All Users\SxS\NvSmart.exe
Creates File: C:\Documents and Settings\All Users\SxS\NvSmartMax.dll
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\SxS\boot.ldr
Creates File: \Device\Afd\Endpoint
Creates Mutex: DoInstPrepare
Creates Mutex: DBWinMutex

Process
↳ C:\Documents and Settings\All Users\SxS\NvSmart.exe

Creates Process: C:\WINDOWS\system32\svchost.exe 201 0

Process
↳ "C:\Documents and Settings\All Users\SxS\NvSmart.exe" 100 1356

Creates File: C:\Documents and Settings\All Users\SxS\bug.log
Deletes File: C:\malware.exe
Creates Service: SxS - C:\Documents and Settings\All Users\SxS\NvSmart.exe 200 0

Process
↳ C:\WINDOWS\system32\svchost.exe 201 0

Creates File: C:\Documents and Settings\All Users\SxS\bug.log
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\system32\msiexec.exe 209 1908
Creates Mutex: DBWinMutex

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Process

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\services.exe

Creates File: pipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Debug\UserMode\userenv.log

Process
↳ C:\WINDOWS\system32\msiexec.exe 209 1908

Process
↳ C:\WINDOWS\system32\wbem\wmiprvse.exe

Creates File: PIPE\lsarpc
Creates Process: "C:\Documents and Settings\All Users\SxS\NvSmart.exe" 100 1356

Network Details:

Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53

Strings
drAVulVurETnDmsf cy
(&A)...
Copyright (C) 2012
(&F)
                                 H
         (((((                  H
(&H)
         h((((                  H
jjjj
Shell6
SHELL6
Shell6 Version 1.0
	System
(&X)
	<&>/~
07Oc&:
0<Fh)G
0GnI7if
0$Uxp<o,5
+1Esm'g
1F>1&t
:#1M5'
1W"yEtK
(1X}#zFd
28K!`D
2,AS>(
	2@Grq"(@
2!rs'S
3nD;x_d
+3u5Xf
4"*5 i
4A4Lj<
4t~^na
5~EFsu5
#5j0x>
)'6-~$
63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:
6-6Z2H
6O^y8}
6Vf8|\8
6,xQcL6
&6-.XsP
7OjYN!
+7v;xWc
7~{zcY
 >8<39
8!_	F	
\8XR}`
8z.eX5
*92m_0~O
>]{=94
+%94#+
9>6ttA
9BinVK
9de{Cg1
9"J	 #d
9;: S 
9T	Y|	
a0 R o
Aa	Mb'
A buffer overrun has been detected which has corrupted the program's
ACL=ZK
aJ`5wt
aj8e,<
#aLz?;Y
A@Pi9{
/AQCo&/TU
aQqP'48
A security error of unknown cause has been detected which has
aW(h]n
	azE(HU
=B1(<C
bb)`'l
BeginPaint
b@*g)q
b$'_k!.
:bqy"qrM
br"zG0
Buffer overrun detected!
};B,Ve
>BYaeM
!by c[|:
[;C1D3t
c} ,a'
C|bZ=5
C=C'X+<*?
}CF1eC
cKK^WX*
CkuDjx
C>+mE7
continue execution and must now be terminated.
CorExitProcess
corrupted the program's internal state.  The program cannot safely
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CreateWindowExA
d"!\%).}
/D0~9$
d	",2xz
d3A0+6N_
@.data
DefWindowProcA
DestroyWindow
D$HRQh
DialogBoxParamA
DispatchMessageA
D$LRQP
,dl,:	v
dMv?"c
DOMAIN error
^dqUH_}
d:\work\Plug3.0(LYT)\Shell6\Release\Shell6.pdb
d'X0Br
dy1{Z[
>	E&@?
e0JNSI
E4rpG,+
eJ38x7
EndDialog
EndPaint
"EO+B#_Q
ex~[8@
ExitProcess
([fF~)
Fk*:NP
- floating point not loaded
fOePi[
fp&MkK
Fqg[\u
FreeEnvironmentStringsA
FreeEnvironmentStringsW
frV@4Nyi
FsG2.;
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersionExA
g`IpA[
`Gjf(J
GMvw%W\Pm
)g"Oqd
,Gp_BxDq)
'gRoU<
#}Gt5"
GTbsi-
GxOo$s
GYuRxg<:X
H8ahiW"3
+H]{_A
Hbil	*	^
hd-@/;:
hdvNg3Q
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HhJ&(W
H\h)xn
^hI]}W
[>hIXH|
.$,h<J;
hj%3L/
\hqMr6
htDHt%
hU5&e<>
<Hv-d`+;z
\I0B.m<
I0wkL	>
I3')+*+)))*))()*+++,6J!54 CBA
.<{i.b}e0'
I(	Dj>
Ie}L~E
)i.fR/
ImeG`(
InI1PI
InterlockedExchange
internal state.  The program cannot safely continue execution and must
[I}P=N
I`Q|4*
$[IQ=)Pz
]%[Iua
I=W]LY
iX_N#[r
j1Z4r!7w	
j#'.9?
;J	!}c
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
jeQK~-
JHHGGGGGGGGHI
j`hXQ@
j|i^0c
JJIIIIJIIIIJJ
jKh2D(
jMpj%L
>;j-o'
,jRHSn
jYPQTVTSkllZTTXRTUiHceWda/
k87:,m
%kB,s<
KDz!(L
KERNEL32.dll
&kgW{G-p
k`Pu[;y
*K>r9%5
kruz'jOq 
!kUIAm1
LCMapStringA
LCMapStringW
lD7gMWj2 
l|Fu#T
lm~A.{c
l(:::n
LoadAcceleratorsA
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
-lr	i2
[L&S]=Kp
L]wT?Y3
LYfY]/
m,b0EH
mb)4r7
MDu#~O
MessageBoxA
Microsoft Visual C++ Runtime Library
. |;MIY-
M)?l_{
mLx;w/
mMr~5Su
mNKNPr
m|Ozt}]
MR=#K ma)
mscoree.dll
MultiByteToWideChar
n`5id1
<N"5kh
N7`&CO:
NE-Z{,
NG?MC/J
nlH>Lqb
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
now be terminated.
}[@NP;D7
!nqOz?
nS82!	
N>w"\b
Nw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
o3$0N~wr
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
O(@>=77A779?<8;$O' 
O~~9gI
O%JEEEEEEEEEFFB
O'*KZOZ
:O>M0z	
~Onb8)
oN=jun
OSHt|U
oU7@X_b
\?O<)w
Ox--JM
p3	G3l
^Pb*N	
]pC[o/2
+[pD" 
Please contact the application's support team for more information.
PostQuitMessage
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
Program: 
<program name unknown>
- pure virtual function call
PuU|o/
pwwwwwwww
pwwwwwwwwwwwwwwwp
pxDDDDDDDDD@
pxDDDDDDDDDDDDDDpx
pxDDDDDDDDDH
pxDDDDDDpx
[PX;]R
pxwwwwwwpxDDD
pxwwwwwwwwwwwwwxpx
q4{5;,
<q4V6{x
q-|5? 
q7ph.}
Q_F>`UF
QLZ_^Y	
qmy/jx
}>qooggggggg1`_fhsnHK
QPT=/t
QQSVW3
QueryPerformanceCounter
 '||r|
)Rc|3"
`.rdata
|=?R~E
(r(e6#b
RegisterClassExA
rmM.g|
RSDS0/
rsSVWj@h
RtlUnwind
Ru(h<8 
runtime error 
Runtime Error!
	rZPoF
$S1Cn7gZ
%s	9V\"Mx
s	Ajm)<
SetHandleCount
ShowWindow
SING error
/sog4W6
S:Q1:N
s$!QgI1
)?s_TNE
Stz*$|
t2WWVPVSW
t4RG_kv
/T8)]|n
t:AdCI
T"Em]r`ms
TerminateProcess
- This application cannot run using the active version of the Microsoft .NET Runtime
This application has requested the Runtime to terminate it in an unusual way.
!This program cannot be run in DOS mode.
thX;Lyr
TLOSS error
`T?M$i
t{OLAx]
TranslateAcceleratorA
TranslateMessage
t!SS9]
t#SSUP
T['T1v
-[t@T	9
t.;t$$t(
t$<"u	3
Tv1mj1
t/}vBT
t$$VSS
t*zLes
)u8S*;_X
Uf<*MQ
;UjN|B
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
Unknown security failure detected!
UpdateWindow
user32.dll
USER32.dll
V1]BH1
/,v_6>
VC20XC00U
 /V,D/
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
?vY^i*
]#WBO/
w&CXJz
(WeM9t
WideCharToMultiByte
wJ+=s)
WkV21TSav^8{
w#l{S&
|wO%*`
/WP.GE
WriteFile
'WUx+,
WWWWVSW
wwwwwwwpx
wwwwwwwwwwwwwwwpx
wxtZ7Ro
wx}ZeP
x>14~nW
$x5@4-K
x7cp-x:
x8bW<H%QL
xC}."^
)XF\4y
xIGI{6
X!k	,)Qj
x%mUO|
x$pVXo
]x?*s 
^X>SEz
XtMp )
x?uq0&eUr"2
XxbrNo
/y{-_	
]y;BBz
@Y&hI 
{ym'OS9M
YQjkZFv
:YqZU_
{|yvrrwsqpon
_^][YY
=Yzkv R
{@%|Z,
z1lnV*
Z;7L/	N
zAuH1~
zc_"H$
[:zg\	
=ZhGyQ
Zkn^Kp&
Z)q:\*
zXc.W<c
}zy|yx~