Analysis Date: 2016-03-09 19:44:08
MD5: 75ebf12b370ab122d840dcfc5528676d
SHA1: 9c80443f1ee294c95e5c02451879d650ba41bebe

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: dae94a13d90f78fbdb123b0f73ffe2bf sha1: 067b3e7af707b75c87c5ef46002f1f7e48e442a0 size: 1107968
Section: .rdata md5: 07cdcec95d0f9bff93c41d54ad7c8ac7 sha1: 422db541c737f0846dde5bb3c256d26ba9b097d1 size: 262656
Section: .data md5: b367e2a3f7f0a73e9bf1b6b8082294ba sha1: e5e45a021e0745ac706c1514f154005b6e56d6de size: 3072
Section: .reloc md5: 649e8590e11af1a5cf2ca40977605e2a sha1: 6f5ac64f5a8a8b1c00aec6cddb9ecbf58b54be5e size: 140288
Timestamp: 2015-12-28 21:43:06
Packer: Microsoft Visual C++ ?.?
PEhash: d54a8ed3e939a818bd2610212ed5f91c0cf32ad1
IMPhash: e3acf382985f1d245ea0f90ae5b359df
AV Rising: No Virus
AV Mcafee: Trojan-FHSX!75EBF12B370A
AV Avira (antivir): No Virus
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.16325
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.BK
AV Grisoft (avg): No Virus
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.16325
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DF
AV MicroWorld (escan): Gen:Variant.Razy.16325
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Emsisoft: Gen:Variant.Razy.16325
AV Frisk (f-prot): No Virus
AV Ikarus: No Virus
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Razy.16325
AV Arcabit (arcavir): Gen:Variant.Razy.16325
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Razy.16325
AV CA (E-Trust Ino): Gen:Variant.Razy.16325

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zztumlxh1pi8cxbpukkwhi0.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\umgtkvlrsg\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\zztumlxh1pi8cxbpukkwhi0.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zztumlxh1pi8cxbpukkwhi0.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DLL AuthIP Time Web Workstation ➝
C:\WINDOWS\system32\usyhtyvuokpd.exe
Creates File: C:\WINDOWS\system32\umgtkvlrsg\lck
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\umgtkvlrsg\tst
Creates File: C:\WINDOWS\system32\usyhtyvuokpd.exe
Creates Process: C:\WINDOWS\system32\usyhtyvuokpd.exe
Creates Service: Virtual Shadow BitLocker iSCSI Defragmenter - C:\WINDOWS\system32\usyhtyvuokpd.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates File: WMIDataDevice

Process
↳ Pid 1168

Process
↳ C:\WINDOWS\system32\usyhtyvuokpd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates File: C:\WINDOWS\system32\umgtkvlrsg\cfg
Creates File: C:\WINDOWS\system32\umgtkvlrsg\rng
Creates File: C:\WINDOWS\system32\umgtkvlrsg\lck
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\umgtkvlrsg\run
Creates File: C:\WINDOWS\TEMP\zztumlx2c6ca0xbpu.exe
Creates File: C:\WINDOWS\system32\umgtkvlrsg\tst
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\zsiypmon.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\usyhtyvuokpd.exe"
Creates Process: C:\WINDOWS\TEMP\zztumlx2c6ca0xbpu.exe -r 50063 tcp

Process
↳ c:\windows\system32\usyhtyvuokpd.exe

Creates File: C:\WINDOWS\system32\umgtkvlrsg\tst

Process
↳ C:\WINDOWS\system32\usyhtyvuokpd.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\umgtkvlrsg\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\usyhtyvuokpd.exe"

Creates File: C:\WINDOWS\system32\umgtkvlrsg\tst
Creates Process: c:\windows\system32\usyhtyvuokpd.exe

Process
↳ C:\WINDOWS\TEMP\zztumlx2c6ca0xbpu.exe -r 50063 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: riddenstorm.net
Type: A
66.147.240.171
DNS: simonettedwerryhouse.net
Type: A
98.139.135.129
DNS: feararms.net
Type: A
195.22.26.248
DNS: fearstone.net
Type: A
184.168.221.38
DNS: westside.net
Type: A
98.124.199.108
DNS: waitwing.net
Type: A
DNS: gentleangry.net
Type: A
DNS: casestep.net
Type: A
DNS: wifeabout.net
Type: A
DNS: morningduring.net
Type: A
DNS: resultneedle.net
Type: A
DNS: streetsquare.net
Type: A
DNS: classbetween.net
Type: A
DNS: seasonproduce.net
Type: A
DNS: pointsecond.net
Type: A
DNS: callsecond.net
Type: A
DNS: pointocean.net
Type: A
DNS: callocean.net
Type: A
DNS: pointhave.net
Type: A
DNS: callhave.net
Type: A
DNS: nonehold.net
Type: A
DNS: liarhold.net
Type: A
DNS: nonesecond.net
Type: A
DNS: liarsecond.net
Type: A
DNS: noneocean.net
Type: A
DNS: liarocean.net
Type: A
DNS: nonehave.net
Type: A
DNS: liarhave.net
Type: A
DNS: wellhold.net
Type: A
DNS: nosehold.net
Type: A
DNS: wellsecond.net
Type: A
DNS: nosesecond.net
Type: A
DNS: wellocean.net
Type: A
DNS: noseocean.net
Type: A
DNS: wellhave.net
Type: A
DNS: nosehave.net
Type: A
DNS: ringhold.net
Type: A
DNS: favorhold.net
Type: A
DNS: ringsecond.net
Type: A
DNS: favorsecond.net
Type: A
DNS: ringocean.net
Type: A
DNS: favorocean.net
Type: A
DNS: ringhave.net
Type: A
DNS: favorhave.net
Type: A
DNS: sorrythere.net
Type: A
DNS: fiftythere.net
Type: A
DNS: sorryarms.net
Type: A
DNS: fiftyarms.net
Type: A
DNS: sorrystone.net
Type: A
DNS: fiftystone.net
Type: A
DNS: sorryside.net
Type: A
DNS: fiftyside.net
Type: A
DNS: theirthere.net
Type: A
DNS: likrthere.net
Type: A
DNS: theirarms.net
Type: A
DNS: likrarms.net
Type: A
DNS: theirstone.net
Type: A
DNS: likrstone.net
Type: A
DNS: theirside.net
Type: A
DNS: likrside.net
Type: A
DNS: fearthere.net
Type: A
DNS: westthere.net
Type: A
DNS: westarms.net
Type: A
DNS: weststone.net
Type: A
DNS: fearside.net
Type: A
DNS: tablethere.net
Type: A
DNS: leadthere.net
Type: A
DNS: tablearms.net
Type: A
DNS: leadarms.net
Type: A
DNS: tablestone.net
Type: A
DNS: leadstone.net
Type: A
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
HTTP GET: http://simonettedwerryhouse.net/index.php
User-Agent:
HTTP GET: http://feararms.net/index.php
User-Agent:
HTTP GET: http://fearstone.net/index.php
User-Agent:
HTTP GET: http://westside.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1038 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1039 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.38:80
Flows TCP: 192.168.1.1:1041 ➝ 98.124.199.108:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d6f6e 65747465 64776572 7279686f   imonettedwerryho
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   65617261 726d732e 6e65740d 0a0d0a6f   eararms.net....o
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   65617273 746f6e65 2e6e6574 0d0a0d0a   earstone.net....
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   65737473 6964652e 6e65740d 0a0d0a0a   estside.net.....
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....


Strings