Analysis Date: 2014-09-23 11:41:02
MD5: 897066398b3d9b093b2912ee5364f313
SHA1: 9d897613a3b1e185ee613d542181c31840d11af5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE — md5: df7403c1ac9d4eac6124c1673fe1e626 sha1: e2e57ee4842ffd5767d195b87d708de069182e2b size: 14336
Section DATA — md5: 9fa204b6aa48b43a48feda1b9100b971 sha1: c8ce611a6ce404f144ee3ce74fe3f2e2c33d860b size: 60416
Section BSS — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata — md5: fd2348ec1fcd0363af5f1bc1a59ae230 sha1: 606cfda9f46b5bb6b00e43f7de81b6fd75c86f85 size: 1536
Section .edata — md5: 1ba1c14e8b9e9c64a1e3bdbf490e2e02 sha1: 5272362b76489ad4e190b3ca83ed7053ebd45fe7 size: 512
Section .reloc — md5: 9b0912f9d1ae83deb190108230c3bd65 sha1: 4e0308ae567b6c3abcd0d14ece5bc387a6bd8217 size: 512
Section .rsrc — md5: e571d42c6bf264e1998d48c34b3f639f sha1: bf253311c2a051f32fbaca15c33077d856aebd3a size: 1024
Timestamp: 1992-06-19 22:22:17
PEhash: d585f11557b64a2ebd737056e4fe350fc469991e
IMPhash: 425e24a2ff39b3020b63f9770f016c5f

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Deletes File: C:\malware.exe

Network Details:

DNS: repubblica.it
Type: A
213.92.16.101
DNS: seesaa.net
Type: A
59.106.98.139
DNS: seesaa.net
Type: A
59.106.28.139
DNS: yelp.com
Type: A
198.51.132.160
DNS: yelp.com
Type: A
198.51.132.60
DNS: eitinvalid.in
Type: A
DNS: webdatum.in
Type: A

Raw Pcap

Strings
..G.c.fQ.GBbT...*..H5
.r&sE
.ZF4
`:['
1KWC
4fs:
bnOp
>:c2
":D 
Fk3%
fQnO
fZ	L
"^HI
_I7_
}[i<A
~iC+
^i/vp
:_<m
n$Nm
o5*~
O8zd
p^*M
	-q?
Q\iM
[r*8
s&\[
t,Wv 
u._'
U`C#
u{rI
XF9s
Y;+_
Zw3i
00161N2x4
:1A1T1
>">'>1>;>E>O>Y>c>m>
2!2(20272C2J2P2Z2`2h2n2u2~2
2h3r3|3
3,3W3^3s3
3$454?4I4R4X4]4c4n5
4I8Q8Z8
780d3040
8"8*828:8B8J8R8Z8b8j8r8z8
8	9&9-9
9i<x<'=
adsldpc.dll
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
B49-#P@
@C9-#P@
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
DdeClientTransaction
DeleteFormA
DevQueryPrintEx
.edata
EndDialog
EnumCalendarInfoA
EnumPrinterDataW
FindResourceExW
FrameRect
GetFileSizeEx
GetFormA
GetPrinterDriverDirectoryA
GetProcAddress
GetQueueStatus
GetStartupInfoW
GetTimeFormatA
GlobalAlloc
GlobalFree
GlobalReAlloc
HJ@hH-@
.idata
IsCharAlphaNumericA
!J7ob7
kernel32.dll
LoadAcceleratorsW
LoadLibraryA
LoadLibraryExA
LockResource
LookupIconIdFromDirectoryEx
@;m r	
OI@8="P@
O;-%P@
P4:} v&
PathIsDirectoryA
PathIsFileSpecW
PathIsSameRootW
PathMatchSpecW
PathRemoveArgsW
PathRemoveExtensionW
P.reloc
P.rsrc
,@q)))
QueryColorProfile
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
      </security>
      <security>
SetScrollInfo
SHCopyKeyW
shlwapi.dll
SleepEx
StrFormatKBSizeA
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
T;X;\;`;d;h;l;p;|;
user32.dll
VirtualAllocEx
winspool.drv
xmax.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
&zp*)))