Analysis Date: 2014-09-02 11:48:55
MD5: 20afefc0e2c2cd0092fff1a6047ad8f2
SHA1: 985b6abc01933163ff7114222c6f0d03b69d2910

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: a3b751f1e3ca2fc91afbdf4c4a9aab1e sha1: 1c52f2ff1f2e064b5ddff74885eb1011cec37019 size: 14336
Section DATA md5: a37eb8f36123d58421252d3ee215a6cd sha1: f60cab718af34feb04a63517b767c3693bf862ef size: 156160
Section BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 558e6eea54a79bedaf52284790da7d41 sha1: 8646e5258756c8d231abb149a7718028cfcdf5fc size: 1536
Section .edata md5: d90e430ddc13d9d8e745165c3fac3556 sha1: 20a52eb43a9d3b0d328ffc447364049f8856221c size: 512
Section .reloc md5: fa8766b50ea95270f8fecf756ac03dba sha1: 205ef19febf3e2efe722fb7246786f653b95ff8f size: 512
Section .rsrc md5: 4a4821ad7ebf380b863e023c65550e1a sha1: 2953159187cd72470e6e9b6930a91bc3d03d1ec8 size: 1024
Timestamp: 1992-06-19 22:22:17
PEhash: b8ef17258967667d5079dea09b859a9f0def254d
IMPhash: 5c4ba5fa149cfa36f14e367f789afddd

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\D1T2EUR7FZ ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\D1T2EUR7FZ\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: berndkoop.com
Winsock DNS: hopvariety.com

Network Details:

DNS: joomla.org
Type: A
72.249.159.57
DNS: csdn.net
Type: A
117.79.157.225
DNS: techcrunch.com
Type: A
76.74.255.123
DNS: techcrunch.com
Type: A
192.0.82.250
DNS: techcrunch.com
Type: A
192.0.83.250
DNS: techcrunch.com
Type: A
66.155.9.244
DNS: techcrunch.com
Type: A
66.155.11.244
DNS: techcrunch.com
Type: A
76.74.255.117
DNS: hopvariety.com
Type: A
DNS: berndkoop.com
Type: A
DNS: myreposite.com
Type: A
DNS: mykdirect.com
Type: A


Strings
.'
....
0g.}.ZY.
....^:G....0/...
U.o.
.;+..bW.A
[
8.
.
...
..
.o...
.
.r9
..l..p
11pH
	@2&
\3m<
.)5,1
[6M &
-AX3
b1BO
BOg<
C-\	
c0w=
cBh'74
 e-{
e/,2
fE"k
Gx=%
?h\\
H$l!
hN7TB
I}Zs^
jK`xR
?\Jn
Jn}L
JR-li
}J``zG
l5*L
m^ 4
m(:9
}N55
O!YPh
p@2d
[Q6	O
Rj,e
"!RS
Te="
v.l)
W_pn
x\!Z
y<5x
0T1Z1r2
1 1,10141
^1e1x1
2:2E2L2T2[2g2n2t2~2
3+3<3P3{3
3e132f69
458534843
5%5+51575=5C5I5O5U5[5a5g5m5s5y5
5m8u8~8
8&8.868>8F8N8V8^8f8n8v8~8
9">&>*>.>2>6>:>>>B>F>K>U>_>i>s>}>
9-9J9Q9
adsldpc.dll
AppendMenuA
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
CharToOemA
CompareFileTime
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
ConfigurePortA
CreateEventA
DdeClientTransaction
DdeNameService
DeleteAtom
DeleteFiber
DeletePortW
DllCanUnloadNow
D$ OIG9M
d?<v2x
.edata
EndDialog
EnumChildWindows
EnumFormsA
EqualRect
ExtractIconExA
!eZ7M8m
FindFirstVolumeMountPointW
FindResourceW
GetConsoleDisplayMode
GetConsoleWindow
GetFileSizeEx
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetUpdateRect
G@KB;T$
GlobalAddAtomA
GlobalAlloc
GlobalFree
[&`:hA
@HHOIG
HOK8|$
.idata
I$mfYrI&.u-
IMPQueryIMEA
InternalExtractIconListA
kernel32.dll
LoadLibraryA
lstrcpynW
LZInit
;O=V=%?
P.reloc
P.rsrc
,@q)))
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
      </security>
      <security>
SetFileTime
SetFormA
SetPrinterDataExW
SetScrollInfo
shell32.dll
SHGetUnreadMailCountW
SHQueryRecycleBinW
SleepEx
StrChrW
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
user32.dll
VirtualAllocEx
VkKeyScanW
winspool.drv
&xL^F)
xmax.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
]xRH:B
&zp*)))