Analysis Date: 2014-09-02 18:24:23
MD5: c04422f041d975e6f0d095b4337630cf
SHA1: 987399f62e317503b949fea14c4a747ab8a41ff2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE   md5: 4e62f4175989060fb3817453d972f42b sha1: 2ebd452c8759dfd047642c312c6eb293b35e1a58 size: 13824
Section DATA   md5: 22194c3a7ffd32a8ea71f87d92083241 sha1: 5f7963fb0bb73f2f19b48aebcb4069254c6daec1 size: 154624
Section BSS    md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0  (empty on disk; these are the MD5/SHA1 of zero bytes)
Section .idata md5: b94686157c362e1064997ba3a74c7bf4 sha1: df3e3125701266d72b3d890023b6e1e298a7a6d2 size: 1536
Section .edata md5: 9f2f69c0b89ae81467ec477a44814da0 sha1: 8544f18236cb6f5b6d740da1a0420be1e528f2ff size: 512
Section .reloc md5: 430c985d5f293c8c55bce8a1845ec56b sha1: 1bc6ac361a215e1a1b7b6fd655a5cd4de7f198bf size: 512
Section .rsrc  md5: 84d3841b2dd02c8f432386fcb3c7c60d sha1: d5b2e83e48e7e9f5faa6029685f41bf29903a254 size: 1024
(The DATA section (~151 KB) is more than ten times the size of CODE (~13.5 KB); it is worth checking for an embedded or encrypted payload — not confirmed by this report.)
Timestamp: 1992-06-19 22:22:17 (0x2A425E19 — the fixed link timestamp written by Borland Delphi linkers; together with the CODE/DATA/BSS section names this indicates a Delphi build, and the date says nothing about when the sample was actually compiled)
PEhash: c185efb16fb972eb0abc2ab2bcb31fb235ba3924
IMPhash: 0f13239fcb90722a0b38cfe05258a22f (import hash — pivot on this to find related builds of the same tooling)

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝
C:\malware.exe
(Persistence: the sample registers itself to run at user logon. The value name 0ESKOMO9JO is the same token used for the sample's own HKCU\Software\0ESKOMO9JO key below, so it may be generated per host — confirm across detonations before using it as an indicator.)
RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
(Sample-specific key holding an opaque base64-like blob — plausibly encrypted configuration or a bot identifier; what it encodes is not established by this report.)
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job  (a Task Scheduler job file — a second persistence/execution mechanism alongside the Run key above; the task's command line is not shown in this report)
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates ProcessC:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
(The "c:!...!" mutexes and WininetConnectionMutex are created by WinINet for its index.dat caches and appear in any process that uses WinINet — do not treat them as indicators. {A14B1A1D-…} is also taken by the second malware.exe instance below, consistent with a single-instance or sample-specific mutex; the Global\{F5CC5A0A-…} mutex is not attributed by this report.)
Winsock DNSfalallen.com
Winsock DNStopkio.com

Process
↳ C:\malware.exe

Creates Mutex{A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Network Details:
(wsj.com, fastclick.com and nifty.com are legitimate domains that resolved — plausibly connectivity checks; confirm against the pcap. The four domains below with no address returned did not resolve during analysis (NXDOMAIN or sinkholed at the time) and, together with the Winsock lookups above, are the candidate C2 indicators — check passive DNS for historical resolutions.)

DNSwsj.com
Type: A
205.203.140.65
DNSwsj.com
Type: A
205.203.132.1
DNSwsj.com
Type: A
205.203.132.65
DNSwsj.com
Type: A
205.203.140.1
DNSfastclick.com
Type: A
64.156.167.84
DNSnifty.com
Type: A
210.131.4.217
DNSfalallen.com
Type: A
DNStopkio.com
Type: A
DNSphreeway.com
Type: A
DNStirefondn.com
Type: A


Strings
..
....,..o.Z~.......2.n........v.5/
C.
..
..
!...b;..WJ.%H
....
.
n

:"{^
@=!.
0yYeq
4;nD<
4SqP
'\6_
7CAY
al`G
{}cS
dmB;
*e~8
f9fd
FX]w
fYdD
:$G5
gb|f?
%.|h
K>@}
KpO"
#+L+=
luI3%
}{M(;&
>m3H|
~m]7
Ng_"
>nH<
<#NOJ
o!{/g8
P^0ZZ
%q{Y
saq>
SS/u
 TW)
T{&Z
U59TO^
uJ	-
U~;J=
V.5u
Vv35
W2c-
w3TR
&wud
{yRt
YZ76 
zRQ3u
0$1*1B2t4{4
0&3+31373
2&2.262>2F2N2V2^2f2n2v2~2
4&7-7@7
5#5)5/555;5A5G5M5S5Y5
676898c6
7D8L8U8
834140862
8#8/868<8F8L8T8Z8a8j8q8x8
9"9)9E:
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
AssocQueryStringByKeyW
BCKABH8t$
BCKHJG:l$
Boolean
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CreateWindowExA
DefineDosDeviceA
DialogBoxIndirectParamW
DisconnectNamedPipe
DispatchMessageA
.edata
EnumDateFormatsExW
EnumDesktopsA
ExtractAssociatedIconExW
F4U199
<?=F=Q=`=o=
fweerthrtgr
GetCaretBlinkTime
GetConsoleTitleW
GetNumaAvailableMemoryNode
GetProcAddress
GetUserDefaultLCID
GlobalFix
HAK@:t$
HIAI8T$
.idata
JGG;t$
kernel32.dll
keybd_event
?k(*SS7
LoadLibraryA
LoadLibraryExA
LocalAlloc
LocalFree
lstrcmpiA
mouse_event
(|n,+++
OABH8\$
OpenAs_RunDLLW
PathRemoveArgsW
PathRemoveBackslashW
P.reloc
P.rsrc
ReadConsoleInputA
RemovePropA
            <requestedExecutionLevel level="highestAvailable"/> 
(The embedded manifest requests elevation at launch, so on Vista/7 the sample triggers a UAC prompt; the assemblyIdentity name "Windows Setup UAC" in the same manifest suggests it is posing as a Windows setup component. The manifest lines appear out of order because this strings dump is sorted alphabetically.)
         </requestedPrivileges>
         <requestedPrivileges>
*>s+++
      </security>
      <security>
SetClassLongW
SetEndOfFile
SetEnvironmentVariableA
SetWindowsHookW  (installs a Windows message hook; with keybd_event and mouse_event also present, this points to input capture or simulation — an import name alone does not prove the capability is exercised)
shell32.dll
SHEnumKeyExW
SHEnumValueW
SHGetNewLinkInfo
SHHelpShortcuts_RunDLLA
shlwapi.dll
StrCmpW
StrRStrIA
StrStrIA
StrToIntW
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
T$(I95
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
user32.dll
VerifyVersionInfoW
VirtualAllocEx  (allocates memory in another process — a common precursor to code injection; the sample also re-spawns C:\malware.exe, so the second instance is the place to look for injected code. Whether WriteProcessMemory/CreateRemoteThread are also imported is not shown in this dump.)
V>N];`
}XIe] F
xmax.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>