Analysis Date: 2014-08-31 13:21:23
MD5: 8a1ed9548097bdcfb4a6873d46254c13
SHA1: 96549c7efaa27365c16e55a3ea8420f65569d479

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: cca13871171ec08597b473f1f67a2156 sha1: 742996b7b66babef1396a12f46e2db39506fc081 size: 14336
Section DATA md5: b435dfaa64a9b57d4450b367daefc511 sha1: 39a03ede79c7fdb5bfe4bc92d34ae754a4fc095d size: 153088
Section BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: bd55d93f0c5bd43cab49ee2f58e37408 sha1: 097489567bda2afeb56d0fdd57f2bcc9ae8969aa size: 1536
Section .edata md5: e0816cbd57998a82650de47342f1a272 sha1: c360779c25bac9ed445db293199954ff092d1bc5 size: 512
Section .reloc md5: 7013bcc4e43b8bb4cee6e2519c8a3d69 sha1: 1a1be53c734b295db68ba2138c4640260b34b384 size: 512
Section .rsrc md5: 0d1daf4560ebac7fcfa7491febaf2c10 sha1: b8a829312a172c23a1624e85039eb2bfe6d13773 size: 1024
Timestamp: 1992-06-19 22:22:17 (the fixed link-time value written by Borland/Delphi linkers, not a real build date; the CODE/DATA/BSS section names and the "This program must be run under Win32" string below are consistent with that toolchain)
PEhash: 7235bc926040c1fe9584bc35bfbf2dd546fbc358
IMPhash: 5c4ba5fa149cfa36f14e367f789afddd

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\D1T2EUR7FZ ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\D1T2EUR7FZ\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: kiqconsultants.com
Winsock DNS: clubhamm.com

Network Details:

DNS: joomla.org
Type: A
72.249.159.57
DNS: csdn.net
Type: A
117.79.157.225
DNS: techcrunch.com
Type: A
192.0.82.250
DNS: techcrunch.com
Type: A
192.0.83.250
DNS: techcrunch.com
Type: A
66.155.9.244
DNS: techcrunch.com
Type: A
66.155.11.244
DNS: techcrunch.com
Type: A
76.74.255.117
DNS: techcrunch.com
Type: A
76.74.255.123
DNS: kiqconsultants.com
Type: A
DNS: clubhamm.com
Type: A
DNS: firstjs.com
Type: A
DNS: topkoel.com
Type: A


Strings
[.
\S.06
.
...on
..h.!.$.
.c.......2
8\.``c...CM...x...
...B.Q
.l... 
....Sm.

;%+&
|_*0
`+3d
5J	g[
5u'9m
)9WD
/{Ao
aRsQ
<>B-
b\A'w
cT"l
dbaT,
dFpG
&.E.
%`E+
Fbb3
fMO`
fWvW~.
GDG<
hSoL
=!hw
lvvR
M2K_
MC@L
#mmn
N|{2
Na[1N
QLUt
q'o)
SBA!
T@O;k
	T[X
 'Up
u[X%#
x8uG
xVCt
XXo!
z#^,
z6b#
z+9vd
ZNzr
z\/T
0T1Z1r2
^1e1x1
2:2E2L2T2[2g2n2t2~2
3+3<3P3{3
3e132f69
458534843
5%5+51575=5C5I5O5U5[5a5g5m5s5y5
`5d5h5l5p5t5x5|5
5m8u8~8
8&8.868>8F8N8V8^8f8n8v8~8
9">&>*>.>2>6>:>>>B>F>K>U>_>i>s>}>
9-9J9Q9
adsldpc.dll
Ajo+5[
AppendMenuA
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
CDu@fG
CharToOemA
CompareFileTime
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
ConfigurePortA
CreateEventA
&CW8HF
DdeClientTransaction
DdeNameService
DeleteAtom
DeleteFiber
DeletePortW
DllCanUnloadNow
D$ OIG9M
.edata
EndDialog
EnumChildWindows
EnumFormsA
EqualRect
ExtractIconExA
]f@c#t
FindFirstVolumeMountPointW
FindResourceW
GetConsoleDisplayMode
GetConsoleWindow
GetFileSizeEx
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetUpdateRect
G@KB;T$
GlobalAddAtomA
GlobalAlloc
GlobalFree
@HHOIG
HOK8|$
.idata
IMPQueryIMEA
InternalExtractIconListA
kernel32.dll
LoadLibraryA
lstrcpynW
LZInit
ORCy5#z
;O=V=%?
P.reloc
P.rsrc
,@q)))
qCv5r)au
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
      </security>
      <security>
SetFileTime
SetFormA
SetPrinterDataExW
SetScrollInfo
shell32.dll
SHGetUnreadMailCountW
SHQueryRecycleBinW
SleepEx
StrChrW
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
:t#q.0
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
user32.dll
VirtualAllocEx
VkKeyScanW
winspool.drv
xmax.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
&zp*)))