Analysis Date: 2015-08-06 15:25:40
MD5: d83ff95a7888a30df2ed7b5be9236e82
SHA1: 9b936e77f7b375e74f8415d18219c4e18eb99221

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 795c10aa9260f334bb1e9f6d8d5ee1f9 sha1: 3175625765e54ffe5e5198b80cfed642d6f86639 size: 68096
Section .rdata md5: 9b6219216ea62c1e869ff49848d6876f sha1: 7cf37670f4bc18dfca439e06a01824e3444a5baf size: 49664
Section .data  md5: 0149c931243def9feca209827071fbdb sha1: 424f0bcdd7035b26ce27650694d69dbeab58022f size: 5632
Section .rsrc  md5: f7d9279f2fced6186c9250e6c3a16469 sha1: 955087d16edb2d8638c960e4b7dba2eaa3ff43ce size: 33280
Timestamp: 2015-04-14 02:24:22
Version info:
  LegalCopyright: Copyright (C) Couple 2005-2013
  Legal Trademarks: Couple
  Internal Name: Screen.exe
  CompanyName: Explore bound - www.Couple.com
  ProductName: Couple
  Original Filename: Screen.exe
  ProductVersion: 3.0
  FileDescription: Bicycle vote
  FileVersion: 7.0.0.2
Packer: Microsoft Visual C++ ?.?
PEhash: 958e01ebe6149b67add4d08c170e7a49cce39d20
IMPhash: 70785941f5805492c5161aa06ca34008
AV Results:

CA (E-Trust Ino): no_virus
Authentium: W32/Agent.XL.gen!Eldorado
CAT (quickheal): Worm.Gamarue.WL4
Eset (nod32): Win32/Kryptik.DFKA
Avira (antivir): TR/Crypt.Xpack.186736
VirusBlokAda (vba32): Trojan.Neurevt
BitDefender: Gen:Heur.CryptoWall.1
Ikarus: no_virus
Frisk (f-prot): no_virus
Microsoft Security Essentials: Trojan:Win32/Toga!rfn
Alwil (avast): Kryptik-PDP [Trj]
Kaspersky: Trojan.Win32.Reconyc.dzsm
Emsisoft: Gen:Heur.CryptoWall.1
Rising: no_virus
Ad-Aware: Gen:Heur.CryptoWall.1
Dr. Web: no_virus
Arcabit (arcavir): Gen:Heur.CryptoWall.1
Fortinet: W32/Kryptik.DFOP!tr
F-Secure: Gen:Heur.CryptoWall.1
Padvish: no_virus
MicroWorld (escan): Gen:Heur.CryptoWall.1
ClamAV: no_virus
Grisoft (avg): Agent_r.CAU
Trend Micro: TROJ_GE.7583920C
Twister: no_virus
K7: Trojan ( 004c66091 )
MalwareBytes: Trojan.Agent.DED
BullGuard: Gen:Heur.CryptoWall.1
Mcafee: RDN/Generic.dx!dql
Symantec: Trojan.Gen
Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Application Data\Zs\svchost.exe
Creates Process: "C:\Documents and Settings\Administrator\Application Data\Zs\svchost.exe"
Creates Mutex: gra:version.dll

Process
↳ cmd /c echo Y|CACLS "C:\Documents and Settings\Administrator\Application Data\Zs\svchost.exe" /P "Administrator:N"

Creates Process: C:\WINDOWS\system32\cmd.exe /S /D /c" echo Y"

Process
↳ C:\WINDOWS\system32\cmd.exe /S /D /c" echo Y"

Process
↳ "C:\Documents and Settings\Administrator\Application Data\Zs\svchost.exe"

Creates Process: cmd /c echo Y|CACLS "C:\Documents and Settings\Administrator\Application Data\Zs\svchost.exe" /P "Administrator:N"
Creates Mutex: gra:version.dll

Network Details:
