Analysis Date: 2015-09-17 14:37:44
MD5: 2a7df3bd0aba21fed3785063a7930379
SHA1: ae6561e66619065d9ddcaf5c1008fc33cc5b6a24

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 system file
Section .text md5: 69000f0a253c48efb60d02bbe6bc6c2c sha1: c6c2a8fd37deed65038ea06729a9f8cc5e4e36c7 size: 294912
Section .rdata md5: 9301bbddebafcfa7aa8373f210cf6427 sha1: 6dc9fd43893376e46c5d13945dbfd2f0376d87bf size: 46592
Section .data md5: a74baca2e3e164ce3d9cee8821da6f2a sha1: 71a2c24ac98e0635f2494e7fd661257d28bfaa6a size: 5632
Section .rsrc md5: 01388b519a537c3faa2b211c3f15bd2f sha1: e382dfa4865a5ccf87ebacf4da22456c53f6b2ad size: 104448
Section .reloc md5: 7eb32ede7d7ffcfcf370d5ad65442828 sha1: d7072a8e7b7404ffb2d944226911d65cbcda82e9 size: 9728
Timestamp: 2015-09-02 00:22:07
Pdb path: P:\work\Refer\closely\achieve\unre.pdb
Version:
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: BoxStub.exe
FileVersion: 10.0.30203.0
CompanyName: Microsoft Corporation
ProductName: Microsoft® .NET Framework
ProductVersion: 10.0.30203.0
FileDescription: Box Stub
OriginalFilename: BoxStub.exe
Packer: Microsoft Visual C++ ?.?
PEhash: f67d21416b987f2564f1b7e44d8c65e1cb1e656f
IMPhash: 81eba609f09f83ae8dff82a3ad01aaef
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.54551
AV Dr. Web: Trojan.MulDrop6.3201
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.54551
AV BullGuard: Gen:Variant.Symmi.54551
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanDownloader.Upatre.r5
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: Trojan.Kryptik.Win32.786819
AV Emsisoft: Gen:Variant.Symmi.54551
AV Ikarus: no_virus
AV Frisk (f-prot): no_virus
AV Authentium: no_virus
AV MalwareBytes: Backdoor.Bot
AV MicroWorld (escan): Gen:Variant.Symmi.54551
AV Microsoft Security Essentials: no_virus
AV K7: Trojan ( 004cd7091 )
AV BitDefender: Gen:Variant.Symmi.54551
AV Fortinet: W32/Kryptik.DTTK!tr
AV Symantec: Trojan.Ransomlock.AK
AV Grisoft (avg): Crypt4.CEBA
AV Eset (nod32): Win32/Kryptik.DVOB
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Ad-Aware: Gen:Variant.Symmi.54551
AV Twister: Trojan.Girtk.DVOB.cjrk
AV Avira (antivir): TR/Crypt.Xpack.248982
AV Mcafee: GenericR-EJS!2A7DF3BD0ABA
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_LOCAL_MACHINE\software\2a89521acd\7bf7927d ➝ 864\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝ 8888
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\software\2a89521acd\7bf7927d ➝ 864\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝ 8888
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\46.198.246[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\gamysy\gamysy.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\46.198.246[1].htm
Deletes File: c:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DE7B2F08C5C35678
Creates Mutex: Global\A0B9737978FF60B0
Winsock DNS: microsoft.com
Winsock DNS: 46.198.246.189

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Creates Mutex: 5734B585673D7847

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\8B5735DE84387DCAF\2CA5A8DCF2E6F991 ➝ 2CA5A8DCF2E6F991\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\568C6349C08645672CD\4A056CF4EFCF24B60B8 ➝ 4A056CF4EFCF24B60B8\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart
Winsock DNS: download.microsoft.com

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\NETFX2~1.EXE
Deletes File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp

Network Details:

DNS: microsoft.com (Type: A) ➝ 134.170.188.221
DNS: microsoft.com (Type: A) ➝ 134.170.185.46
DNS: a767.dscms.akamai.net (Type: A) ➝ 23.3.98.41
DNS: a767.dscms.akamai.net (Type: A) ➝ 23.3.98.11
DNS: download.microsoft.com (Type: A)
HTTP GET: http://microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://46.198.246.189/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Raw Pcap

Strings