Analysis Date: 2013-07-19 11:31:58
MD5: f9f0d0d3a433455c7925990e8fe041d0
SHA1: 98d59524b60468547913d81cb2738a07910c5936

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (no raw data; these are the empty-input digests)
Section UPX1 md5: b0151cb6b8ef4cca07d1b8fa8a5fd2be sha1: dee4bfa2588fa8983d1a8dd780f3083c4aaab68c size: 50176
Section .rsrc md5: 6c351ad9dcc40b7f7452f6b7d962b712 sha1: c3fcbb55b3ea0b82a4ce5c09027326293f82dd5a size: 512
Timestamp: 2004-09-20 02:49:24
Packer: UPX -> www.upx.sourceforge.net
PEhash: 48ad188acb00e774d5ce22416a93d921b4a80fe0
AV (msse): Backdoor:Win32/Votwup.B

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe"

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winupd32 ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe:*:Enabled:KL\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ddid
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: coo0lnet.net

Network Details:

DNS: coo0lnet.net
Type: A
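The runtime chain above (an executable dropped into the user's Temp directory and launched, an HKCU Run value pointing at it, a Windows Firewall AuthorizedApplications exception for the same path, then a DNS lookup) and the zero-size UPX0 section in the static details, expressed as triage rules over the report's own events. This is an added example and not part of the sandbox report or of any vendor tool: the event records are transcribed from both process blocks of this page (the trailing "\x00" is the REG_SZ terminator as the sandbox printed it), while the rule names, the analyze/score helpers, the four-behaviour scoring and the section consistency check are this example's own assumptions.

```python
import hashlib
import re

# Constructed input: events transcribed from this report (both process blocks).
# The "\x00" suffixes reproduce the NUL terminator the sandbox printed for REG_SZ data.
EVENTS = [
    {"op": "Creates File",
     "target": "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\dwm.exe"},
    {"op": "Creates Process",
     "target": "\"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\dwm.exe\""},
    {"op": "Registry",
     "target": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\winupd32",
     "value": "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\dwm.exe\x00"},
    {"op": "Registry",
     "target": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters"
               "\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\\",
     "value": "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\dwm.exe:*:Enabled:KL\x00"},
    {"op": "Winsock DNS", "target": "coo0lnet.net"},
]

# Rule patterns (assumptions of this example): XP-era user Temp, HKCU Run key,
# and the SharedAccess firewall exception list for any profile.
USER_TEMP = re.compile(r"^c:\\documents and settings\\[^\\]+\\local settings\\temp\\", re.I)
RUN_KEY = re.compile(r"^hkey_current_user\\software\\microsoft\\windows\\currentversion\\run\\(.+)$", re.I)
FW_LIST = re.compile(r"\\sharedaccess\\parameters\\firewallpolicy\\\w+profile\\authorizedapplications\\list", re.I)


def norm_path(s):
    """Strip the sandbox's trailing NUL, surrounding quotes and case so the same
    file compares equal across file, process, Run-key and firewall events."""
    return s.rstrip("\x00").strip().strip('"').lower()


def parse_fw_entry(value):
    """Parse an AuthorizedApplications\\List value of the form <path>:<scope>:<state>:<name>.
    The path itself holds a drive-letter colon, so the three trailing fields are split from the right."""
    parts = value.rstrip("\x00").split(":")
    if len(parts) < 4:
        return None
    path, scope, state, name = ":".join(parts[:-3]), parts[-3], parts[-2], parts[-1]
    return {"path": norm_path(path), "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def analyze(events):
    """Return the four behaviours this report shows, each keyed to the dropped file."""
    dropped = {norm_path(e["target"]) for e in events
               if e["op"] == "Creates File" and USER_TEMP.match(norm_path(e["target"]))}
    executed = {norm_path(e["target"]) for e in events if e["op"] == "Creates Process"}
    findings = {
        "temp_exe_executed": sorted(dropped & executed),
        "run_key_persistence": [],
        "firewall_exception": [],
        "dns": sorted(e["target"].lower() for e in events if e["op"] == "Winsock DNS"),
    }
    for e in events:
        if e["op"] != "Registry":
            continue
        m = RUN_KEY.match(e["target"])
        if m:
            path = norm_path(e.get("value", ""))
            if USER_TEMP.match(path):
                findings["run_key_persistence"].append((m.group(1), path))
        elif FW_LIST.search(e["target"]):
            entry = parse_fw_entry(e.get("value", ""))
            if entry and entry["enabled"] and USER_TEMP.match(entry["path"]):
                findings["firewall_exception"].append(entry)
    return findings


def score(findings):
    """Count the behaviours that fired; each is weak alone, the whole chain is not."""
    keys = ("temp_exe_executed", "run_key_persistence", "firewall_exception", "dns")
    return sum(1 for k in keys if findings[k])


def section_hashes_consistent(md5_hex, sha1_hex, size):
    """A section reported with size 0 must carry the empty-input digests, as UPX0
    does in this report; any other pairing means the report's sizes and hashes disagree."""
    if size != 0:
        return True
    return (md5_hex == hashlib.md5(b"").hexdigest()
            and sha1_hex == hashlib.sha1(b"").hexdigest())


if __name__ == "__main__":
    f = analyze(EVENTS)
    for k, v in f.items():
        print(k, v)
    print("behaviours fired:", score(f), "of 4")
    print("UPX0 empty-section check:",
          section_hashes_consistent("d41d8cd98f00b204e9800998ecf8427e",
                                    "da39a3ee5e6b4b0d3255bfef95601890afd80709", 0))
```

Two details matter in practice: the Run-key and firewall values are matched only after norm_path removes the trailing NUL and quotes, otherwise the same dwm.exe appears as four different strings; and the firewall entry is split from the right because the path itself contains "C:". The HKLM firewall write succeeding is consistent with the Administrator profile visible in every path on this page; on a non-admin account that step fails and the rule would not fire.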
