Analysis Date: 2015-09-17 14:30:52
MD5: e20753e628675529be2ee05cb58ba5a0
SHA1: b01630ad17a9ebe0dbf485e8ab1b0bd4842f7b1f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 9d434d1e2bd172d41e97d81e93b3574c sha1: 9c262c69c95b32622e28068a73ddfd6ca7a748c6 size: 131072
Section .rdata: md5: 2abdf94142547637a79f12cbffbc6b37 sha1: b9325a18e7f571d86fae7e0f0b59ddd37d5e2e99 size: 264192
Section .data: md5: 917b4b2f8ebc69675b1359489c592b00 sha1: 8db052e652984b68b68cf0bebe4e2d60a0d6172f size: 4096
Section .CTR: md5: 30669a4e607c2763f91cfad1fa658653 sha1: 00653167036d45a9a61738b7e31bd0732f8911ca size: 28672
Section .rsrc: md5: 5867f071cac51cedc1b3396ef0799cd2 sha1: 5be0f18b55ad851b50ab9365c97590551376038b size: 84480
Timestamp: 2015-07-24 03:58:13
Pdb path: J:\Lot\provides\temporary\URI\miti.pdb
PEhash: 732eabb5f1bc455612dbdf2312f079a02bbe3f3a
IMPhash: 6e6ff3f37d7a854fa43d04a1b12d6083
AV Rising: no_virus
AV Mcafee: GenericR-EBM!E20753E62867
AV Avira (antivir): TR/Agent.513571
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Mikey.20553
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/Kryptik.DRFR
AV Grisoft (avg): Crypt4.BOSQ
AV Symantec: no_virus
AV Fortinet: W32/Kryptik.DRFR!tr
AV BitDefender: Gen:Variant.Mikey.20553
AV K7: Trojan ( 004c94fc1 )
AV Microsoft Security Essentials: Trojan:Win32/Kovter
AV MicroWorld (escan): Gen:Variant.Mikey.20553
AV MalwareBytes: Backdoor.Bot
AV Authentium: W32/Trojan.VCFT-0757
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Mikey.20553
AV Zillya!: Downloader.Upatre.Win32.48764
AV Kaspersky: Trojan-Downloader.Win32.Upatre.erpb
AV Trend Micro: no_virus
AV CAT (quickheal): Trojan.Generic.B4
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Mikey.20553
AV Arcabit (arcavir): Gen:Variant.Mikey.20553
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader15.5888
AV F-Secure: Gen:Variant.Mikey.20553
AV CA (E-Trust Ino): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\11b030026b\cd31b4cb ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_LOCAL_MACHINE\software\11b030026b\aa188dbd ➝ 875\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\11b030026b\cd31b4cb ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝ NULL
Registry: HKEY_CURRENT_USER\software\11b030026b\aa188dbd ➝ 875\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\sywubo\sywubo.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Deletes File: c:\malware.exe
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\67811F6923D275F1
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: 75020A7769E31DEB
Winsock DNS: microsoft.com

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Creates Mutex: ECFE40416C026AD3

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\11b030026b\cd31b4cb ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\11b030026b\cd31b4cb ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\7808E7A211B599A989 ➝ 7808E7A211B599A989\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Winsock DNS: download.microsoft.com

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Network Details:

DNS: microsoft.com (Type: A) ➝ 134.170.188.221
DNS: microsoft.com (Type: A) ➝ 134.170.185.46
DNS: a767.dscms.akamai.net (Type: A) ➝ 23.3.98.10
DNS: a767.dscms.akamai.net (Type: A) ➝ 23.3.98.32
DNS: download.microsoft.com (Type: A)
HTTP GET: http://microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.188.221:80
Flows TCP: 192.168.1.1:1032 ➝ 75.205.194.15:8080
Flows TCP: 192.168.1.1:1034 ➝ 205.186.28.39:80
Flows TCP: 192.168.1.1:1033 ➝ 73.184.17.3:80
Flows TCP: 192.168.1.1:1035 ➝ 23.3.98.10:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000050 (00080)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000060 (00096)   2e353037 3237290d 0a486f73 743a206d   .50727)..Host: m
0x00000070 (00112)   6963726f 736f6674 2e636f6d 0d0a4361   icrosoft.com..Ca
0x00000080 (00128)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000090 (00144)   63616368 650d0a0d 0a                  cache....

0x00000000 (00000)   47455420 2f646f77 6e6c6f61 642f302f   GET /download/0/
0x00000010 (00016)   382f632f 30386331 39666134 2d346334   8/c/08c19fa4-4c4
0x00000020 (00032)   662d3466 66622d39 6436632d 31353039   f-4ffb-9d6c-1509
0x00000030 (00048)   30363537 38633965 2f4e6574 46783230   06578c9e/NetFx20
0x00000040 (00064)   5350315f 7838362e 65786520 48545450   SP1_x86.exe HTTP
0x00000050 (00080)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000060 (00096)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000070 (00112)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000080 (00128)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000090 (00144)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000a0 (00160)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000b0 (00176)   6f73743a 20646f77 6e6c6f61 642e6d69   ost: download.mi
0x000000c0 (00192)   63726f73 6f66742e 636f6d0d 0a436163   crosoft.com..Cac
0x000000d0 (00208)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000e0 (00224)   61636865 0d0a0d0a                     ache....

0x00000000 (00000)   b5                                    .

0x00000000 (00000)   90                                    .

0x00000000 (00000)   a0                                    .


Strings