Analysis Date: 2014-09-11 20:01:41
MD5: d8064132fdfbc71ee1ac484db76f5836
SHA1: a2759f6c0b72bd97e8b368019919922cb04103d8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE: md5: 4913bdf2de167ec3f5d4a03e0e7b878e sha1: 8fddfc4f34ccaf54788bb9bdcb35ca464b591a32 size: 13312
Section DATA: md5: 8dc321d6a8b11c369bd10e008b3653ff sha1: 1862f51e5deec7212ad9d6d1cb0e117d4f050fa7 size: 153088
Section BSS: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata: md5: 1eb915365158a1b0e0bbecfa0fb7add0 sha1: df4cd276a05a2a1b0ad2d20a73c7a03a8f354953 size: 2048
Section .edata: md5: 97d7f6aeb90413dcd2101c34cf2a8cb7 sha1: 16606f4433f20cdc2a6f0ec09f69ec647e96ae21 size: 512
Section .reloc: md5: 5517b2432355b50d8004c680fa3bba93 sha1: ee5222a8776977821007dbac898dac155d40581a size: 1024
Section .rsrc: md5: 9545c1c172f88efa95f7d57bf42c2d4c sha1: 92ceecb45e38676e2af574cb29addda8251cb69a size: 1024
Timestamp: 1992-06-19 22:22:17
PEhash: 43dac912de4158dc9f61b13113dbd3172543deff
IMPhash: d1d53603936afe83b9f03c34b2adcf44

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Q7NZMT7RLB ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Q7NZMT7RLB\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: berndkoop.com
Winsock DNS: topqstore.com

Network Details:

DNS: wp.pl
Type: A
212.77.100.101
DNS: spankwire.com
Type: A
94.199.252.72
DNS: 51.la
Type: A
117.21.226.199
DNS: topqstore.com
Type: A
DNS: berndkoop.com
Type: A
DNS: myreposite.com
Type: A
DNS: mykdirect.com
Type: A


Strings
J|.4
.
.%\L
.
iP..
.
.Z.
..
...r.vVj..:
.j...H..
}{..R..> .V..Cma..

`)`;
<~2?
3W3M
<-4&
'5c<
60QP
b8qQ
B`IL
bPv!
b*Su
!ByT
!CmM
DH;B
dk4B	
?EcK
$))F
FnEL
GI/_2
IB,z
j=ce
Je*H
#jKN
k&fo
K*x2
{~^l
#Me}
mIAi
`m!S
?N2u
<NJj
 OCu
	&&P
p 3L
pplD
;q^6
Q7mi
qVi)
=/>r
RrY'
	]s#
!SJD
t,iv
{t"Z
$<V#
v@/E1
Wr^Q
W?sQM
xM}g
0$0*00060<0B0H0N0T0Z0`0f0l0r0x0~0
0<u---
120983218
2"2*222:2B2J2R2Z2b2r2z2
283>3(4
3"3*323:3B3J3R3Z3b3j3r3z3
?4?:?@?F?L?R?X?^?d?j?p?v?|?
6n6u6,9s9
6N7c7t7
8,889?9!;(;Y=`=p=
8b9c3GA3
8cc3866
9I"8s-
AbortDoc
accept
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
.A%u&0
B:]0{#f
BringWindowToTop
CallNamedPipeA
ChildWindowFromPoint
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CopyFileExA
CopyFileExW
CreateFileW
CreateHardLinkW
DefFrameProcW
DEfggy0
DestroyCaret
.edata
EqualRect
FlushConsoleInputBuffer
gdi32.dll
GetFileSizeEx
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFileVersionInfoSizeW
GetModuleHandleA
getnameinfo
GetProcAddress
GetSysColorBrush
GetSystemDefaultLCID
GetWindowTextA
GetWindowThreadProcessId
;H<O<Q=
.idata
inet_addr
IntersectRect
J"\oYg
kernel32.dll
"~l.---
LoadLibraryA
LocalAlloc
LocalFree
OffsetRect
OpenAs_RunDLLW
o?Ynw+
:+:<:P:{:
PathMakeUniqueName
PifMgr_CloseProperties
P.reloc
P.rsrc
PtInRect
regapi.dll
RegenerateUserEnvironment
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
 rWxf{
RzSjEO
      </security>
      <security>
SetLocaleInfoW
SetWindowTextA
SHChangeNotifyDeregister
shell32.dll
ShellExec_RunDLLW
SHFileOperation
SHFlushSFCache
SHGetNewLinkInfoA
SHOpenPropSheetW
SHPathPrepareForWriteW
SHSimpleIDListFromPath
StrChrIW
StrCmpNIW
StringX
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
TerminateProcess
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UnionRect
user32.dll
VerFindFileA
VerInstallFileA
VerLanguageNameA
VerQueryValueA
VerQueryValueW
version.dll
VirtualAllocEx
><w6<#
wI0q`B
ws2_32.dll
WSAAsyncGetHostByName
WSACloseEvent
WSAConnect
WSAEnumNetworkEvents
WSAEventSelect
WSAHtonl
WSCInstallNameSpace
wtsapi32.dll
WTSEnumerateProcessesA
WTSEnumerateServersA
WTSEnumerateSessionsA
WTSLogoffSession
WTSOpenServerA
WTSQuerySessionInformationW
WTSVirtualChannelRead
WTSWaitSystemEvent
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>