Analysis Date: 2016-03-09 06:30:23
MD5: f6490bf2d9457909a4255f0254869620
SHA1: a77bbc44c86043f71fa46898097ab77727de1ffd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section (unnamed) md5: 6e6e9eb0fa6b2fe0980ecb3583449a12 sha1: 7b4faa7b97e25b5f96840ff2403bcc0c5f857b22 size: 20992
Section (unnamed) md5: 247128b867ebb2859d9d73d2d430d041 sha1: 26be357b6644ae722c9e0e4a6780318482b67229 size: 1024
Section (unnamed) md5: 7f4eefcb83d5256be61906af8d645997 sha1: 69e897a4cf20b11fefb42b488c954fc623aee87a size: 2048
Section (unnamed) md5: 34c90fcb1abb995be999a9f8e1f48a18 sha1: 330e81e453c812de5e464a54f02589518ae40e40 size: 26624
Section .rsrc md5: 8fa63fa11397d7095f80a79e3b02bc39 sha1: 7a0057d5f65786e73b67c34fa4994811362659ac size: 512
Section (unnamed) md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .DATA md5: 8775f05900cc95d656f7ec2068e437b2 sha1: 457408511690dcae3828346f9416e7713d948f16 size: 712192
Timestamp: 2010-08-17 20:51:01
Packer: Enigma Protector 1.1X-1.3X -> Sukhov Vladimir & Serge N. Markin
PEhash: 0a7df42ba51340f4469b61ebabafeb5cde382a83
IMPhash: 29d8ac559b1603951ccdbdc7cbf353ed
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Dropper.Gen
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.115244
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/ServStart.DT
AV Grisoft (avg): Generic_r.ZQ
AV Symantec: Trojan.Zbot
AV Fortinet: No Virus
AV BitDefender: Gen:Variant.Kazy.115244
AV K7: Backdoor ( 04c509901 )
AV Microsoft Security Essentials: DDoS:Win32/Nitol.A
AV MicroWorld (escan): Gen:Variant.Kazy.115244
AV MalwareBytes: Trojan.ServStart
AV Authentium: W32/Threat-HLLIE-based!Maximus
AV Emsisoft: Gen:Variant.Kazy.115244
AV Frisk (f-prot): W32/Threat-HLLIE-based!Maximus
AV Ikarus: Win32.SuspectCrc
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): TrojanDownloader.Agent
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Kazy.115244
AV Arcabit (arcavir): Gen:Variant.Kazy.115244
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Kazy.115244
AV CA (E-Trust Ino): Gen:Variant.Kazy.115244

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalplx\Description ➝ Providesfyb a domain server for NI security.
Creates File: Scsi0:
Creates File: C:\WINDOWS\system32\uusmuk.exe
Creates Service: Nationaljvs Instruments Domain Service - C:\WINDOWS\system32\uusmuk.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1848

Process
↳ Pid 1132

Process
↳ C:\WINDOWS\system32\uusmuk.exe

Creates File: pipe\net\NtControlPipe10
Creates File: Scsi0:
Creates File: \Device\Afd\Endpoint
Creates Mutex: Nationalplx

Network Details:

DNS: sisa.codns.com
Type: A
Resolved to: 127.0.0.1
