Analysis Date: 2015-10-02 00:04:55
MD5: c840a0be33569c3c0a034d8f803f8463
SHA1: b88058c02f6c6720201717b451b5c01fcae6f4c7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 75c12fd8ce974793b52fbe647f31faa6 sha1: 2b01f655caed10e49593b33fe5514cf8f181d8b2 size: 79360
Section .rdata md5: 9801eb08e41d66b346cd2bbd796ae122 sha1: b1507c60edbe7425b415ec0b8dc592db27934cb6 size: 25088
Section .data  md5: 55fde0cd90178dff413edd83bf276869 sha1: 9b049d8dbb8f59f1a026064d08e303c92c050b72 size: 6144
Section .san   md5: 3f3ff8aa37d4e464ee256784f33a5782 sha1: aced1ac8b4765a1268304bb55c990cadde4d2758 size: 203776
Section .kada  md5: 3a24bdd59bf0fec263c90177c30671b0 sha1: bfe6360a948960a732a638e2f274b468a0660407 size: 10240
Section .grd   md5: 0a795d2b188f80f3cf50df2aa8bde889 sha1: 143613b18815759131494697611f6a98000167d1 size: 76288
Section .rela  md5: 064198b05142a31b72d97813463fcf9d sha1: 28c03d2d1ce4d1ea0170a689631eb832dca4d082 size: 11776
Section .rsrc  md5: b940ae479c69d5533392568f1326e22b sha1: 77044d17f35a7bfdf6696f45bbca41b1c41b3cef size: 32256
Section .reloc md5: 232a1e03aa4f96816a272adf696ffc31 sha1: ca9a1bb08c985a8dd932a4dc7e45c6715cdd43c8 size: 11264
Timestamp: 2015-08-23 12:23:40
Pdb path: Z:\this\animations\analysis\Thoses.pdb
Version:
LegalCopyright: Copyright © 2002-2008 Canneverbe Limited
Assembly Version: 4.5.5.5571
InternalName: cdbxpp.exe
FileVersion: 4.5.5.5571
CompanyName: Canneverbe Limited
Comments: An application to burn audio and data discs
ProductName: CDBurnerXP
ProductVersion: 4.5.5.5571
FileDescription: CDBurnerXP
OriginalFilename: cdbxpp.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 03f139fd6c774214a1a3e7019fab410dfe023782
IMPhash: 1e547c03995c1562ea9c03288db132b9

Note: the version resource claims to be CDBurnerXP by Canneverbe Limited, but the PDB path, the non-standard section names (.san, .kada, .grd, .rela) and a compile timestamp of 2015-08-23 against a claimed 2002-2008 copyright are not consistent with a build of that product; the version info is borrowed, not evidence of origin.
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.53786
AV Dr. Web: Trojan.MulDrop6.3201
AV ClamAV: Win.Trojan.Symmi-1432
AV Arcabit (arcavir): Gen:Variant.Symmi.53786
AV BullGuard: Gen:Variant.Symmi.53786
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Downloader.Upatre.Win32.51352
AV Emsisoft: Gen:Variant.Symmi.53786
AV Ikarus: Trojan.Win32.Kovter
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.RJPE-8716
AV MalwareBytes: Trojan.Fileless.DR
AV MicroWorld (escan): Gen:Variant.Symmi.53786
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV K7: Trojan ( 004c61ee1 )
AV BitDefender: Gen:Variant.Symmi.53786
AV Fortinet: W32/Kovter.D!tr
AV Symantec: Trojan.Ransomlock.AK
AV Grisoft (avg): Pakes.RCV
AV Eset (nod32): Win32/Kovter.D
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Symmi.53786
AV Twister: W32.Kovter.D.qilj
AV Avira (antivir): TR/Crypt.Xpack.276696
AV Mcafee: GenericR-EIE!C840A0BE3356
AV Rising: no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_LOCAL_MACHINE\software\2a89521acd\a3d9e0eb ➝ B2EF0867C0BD56BC3CFF9D6934ABB642\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝ 8888
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\software\2a89521acd\a3d9e0eb ➝ B2EF0867C0BD56BC3CFF9D6934ABB642\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝ 8888
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\126.158.79[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\gupe\gupe.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\126.158.79[1].htm
Deletes File: c:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DE7B2F08C5C35678
Creates Mutex: Global\A0B9737978FF60B0
Winsock DNS: microsoft.com
Winsock DNS: 126.158.79.54

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Creates Mutex: 5734B585673D7847

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\57212DBFFECA3FD995\D2D2FFAFDDDC57E8F6 ➝ D2D2FFAFDDDC57E8F6\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\BE6EBC6FEC114D492400\5DEC89A71ED8C4C557F ➝ 5DEC89A71ED8C4C557F\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart
Winsock DNS: download.microsoft.com

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\NETFX2~1.EXE
Deletes File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp
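
The runtime section above records the behaviours an endpoint rule set can key on: malware.exe starting regsvr32.exe with no DLL argument (twice), a FEATURE_BROWSER_EMULATION entry keyed on regsvr32.exe (8888 is the documented IE8-mode value, and regsvr32 does not render HTML on its own), configuration stored under HKLM\SOFTWARE and HKCU\Software keys whose names are bare hex strings, gupe\gupe.exe dropped under Local Settings\Application Data, and the dropper's own path deleted. The Python below is an added example and not part of the sandbox report: the event dicts are transcribed from the report, the three benign events at the end are constructed, and the rules are heuristics with the obvious false-positive caveats (a vendor key that happens to be hex-only, an installer that legitimately registers a DLL via regsvr32 with arguments).

```python
"""Heuristics over the host events recorded in the runtime section of the report."""
import re

# Events transcribed from "Runtime Details" above, followed by three constructed
# benign events (not from the report) that the rules must stay quiet on.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\malware.exe",
     "cmdline": r'"C:\WINDOWS\system32\regsvr32.exe"'},
    {"type": "registry", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294",
     "data": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"},
    {"type": "registry", "data": "8888",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl"
            r"\FEATURE_BROWSER_EMULATION\regsvr32.exe"},
    {"type": "file", "action": "create", "process": r"C:\malware.exe",
     "path": r"C:\Documents and Settings\Administrator\Local Settings\Application Data\gupe\gupe.exe"},
    {"type": "file", "action": "delete", "process": r"C:\malware.exe", "path": r"c:\malware.exe"},
    {"type": "process", "parent": r"C:\WINDOWS\system32\regsvr32.exe",
     "cmdline": r'"C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe"'
                r' /quiet /norestart'},
    # constructed benign events (hypothetical vendor paths, not from the report)
    {"type": "process", "parent": r"C:\WINDOWS\system32\msiexec.exe",
     "cmdline": r'"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\Vendor\vendor.dll"'},
    {"type": "registry", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "file", "action": "create", "process": r"C:\Program Files\Vendor\setup.exe",
     "path": r"C:\Documents and Settings\Administrator\Local Settings\Application Data\Vendor\cache.dat"},
]

# A key directly under the hive's SOFTWARE node whose name is 8+ hex characters.
_HEX_KEY = re.compile(r"^HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\[0-9A-F]{8,}(?:\\|$)", re.I)
_BROWSER_EMULATION = re.compile(r"\\FEATURE_BROWSER_EMULATION\\([^\\]+)$", re.I)
# <name>\<name>.exe directly under the per-user local application data folder.
_SELF_NAMED_IN_LOCAL_APPDATA = re.compile(
    r"\\(?:Local Settings\\Application Data|AppData\\Local)\\([^\\]+)\\\1\.exe$", re.I)
# System binaries that do not render HTML themselves; a browser-emulation entry
# keyed on one of them means code running inside it is hosting a browser control.
_NO_HTML_HOSTS = {"regsvr32.exe", "rundll32.exe"}


def _tokens(cmdline):
    """Split a Windows command line into quoted-or-bare tokens, quotes stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def regsvr32_without_dll(ev):
    """regsvr32.exe needs a DLL to (un)register; started bare it is only a host process."""
    if ev["type"] != "process":
        return False
    toks = _tokens(ev["cmdline"])
    return _basename(toks[0]) == "regsvr32.exe" and len(toks) == 1


def hex_named_software_key(ev):
    return ev["type"] == "registry" and bool(_HEX_KEY.match(ev["key"]))


def browser_emulation_for_system_binary(ev):
    if ev["type"] != "registry":
        return False
    m = _BROWSER_EMULATION.search(ev["key"])
    return bool(m) and m.group(1).lower() in _NO_HTML_HOSTS


def self_named_exe_in_local_appdata(ev):
    return (ev["type"] == "file" and ev["action"] == "create"
            and bool(_SELF_NAMED_IN_LOCAL_APPDATA.search(ev["path"])))


def dropper_deletes_itself(ev):
    """The deleting process's own image path is the file being deleted."""
    return (ev["type"] == "file" and ev["action"] == "delete"
            and ev["path"].lower() == ev["process"].lower())


RULES = [regsvr32_without_dll, hex_named_software_key, browser_emulation_for_system_binary,
         self_named_exe_in_local_appdata, dropper_deletes_itself]


def evaluate(events):
    """Return [(event index, rule name)] for every rule that fires on every event."""
    return [(i, rule.__name__) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for index, name in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {name}")
```

None of these rules is conclusive alone; the point of running them as a set is that this sample trips all five on one host within one execution, while the constructed installer events trip none.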

Network Details:

DNS: microsoft.com, Type: A ➝ 134.170.188.221
DNS: microsoft.com, Type: A ➝ 134.170.185.46
DNS: e3673.dspg.akamaiedge.net, Type: A ➝ 23.13.203.75
DNS: download.microsoft.com, Type: A
HTTP GET: http://microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://126.158.79.54/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.188.221:80
Flows TCP: 192.168.1.1:1033 ➝ 194.235.31.85:80
Flows TCP: 192.168.1.1:1032 ➝ 126.158.79.54:80
Flows TCP: 192.168.1.1:1035 ➝ 140.183.94.241:80
Flows TCP: 192.168.1.1:1036 ➝ 217.123.185.109:80
Flows TCP: 192.168.1.1:1037 ➝ 21.223.67.254:80
Flows TCP: 192.168.1.1:1038 ➝ 114.224.28.202:80
Flows TCP: 192.168.1.1:1039 ➝ 126.158.79.54:80
Flows TCP: 192.168.1.1:1040 ➝ 221.195.37.231:80
Flows TCP: 192.168.1.1:1041 ➝ 23.13.203.75:80
Flows TCP: 192.168.1.1:1042 ➝ 15.180.247.194:80
Flows TCP: 192.168.1.1:1043 ➝ 158.175.84.216:80
Flows TCP: 192.168.1.1:1044 ➝ 163.239.83.120:8080
Flows TCP: 192.168.1.1:1045 ➝ 153.153.238.217:80
Flows TCP: 192.168.1.1:1046 ➝ 123.203.71.104:80
Flows TCP: 192.168.1.1:1047 ➝ 203.27.216.230:80
Flows TCP: 192.168.1.1:1048 ➝ 188.237.180.167:80
Flows TCP: 192.168.1.1:1049 ➝ 4.76.234.125:80
Flows TCP: 192.168.1.1:1050 ➝ 60.25.136.2:443
Flows TCP: 192.168.1.1:1051 ➝ 207.18.2.154:80
Flows TCP: 192.168.1.1:1052 ➝ 58.35.196.206:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000050 (00080)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000060 (00096)   2e353037 3237290d 0a486f73 743a206d   .50727)..Host: m
0x00000070 (00112)   6963726f 736f6674 2e636f6d 0d0a4361   icrosoft.com..Ca
0x00000080 (00128)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000090 (00144)   63616368 650d0a0d 0a                  cache....

0x00000000 (00000)   4c                                    L

0x00000000 (00000)   7a                                    z

0x00000000 (00000)   bd                                    .

0x00000000 (00000)   7e                                    ~

0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a436f6e 74656e74 2d547970 653a2061   .Content-Type: a
0x00000020 (00032)   70706c69 63617469 6f6e2f78 2d777777   pplication/x-www
0x00000030 (00048)   2d666f72 6d2d7572 6c656e63 6f646564   -form-urlencoded
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000050 (00080)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000060 (00096)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000070 (00112)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000080 (00128)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000090 (00144)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000a0 (00160)   20313236 2e313538 2e37392e 35340d0a    126.158.79.54..
0x000000b0 (00176)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x000000c0 (00192)   3431320d 0a436163 68652d43 6f6e7472   412..Cache-Contr
0x000000d0 (00208)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x000000e0 (00224)   65547352 674a3975 4179666d 65633343   eTsRgJ9uAyfmec3C
0x000000f0 (00240)   43446641 52565355 734c386e 314f5a71   CDfARVSUsL8n1OZq
0x00000100 (00256)   7858676d 3676524e 6671394f 76424349   xXgm6vRNfq9OvBCI
0x00000110 (00272)   46314f36 33395268 564b2b44 69473632   F1O639RhVK+DiG62
0x00000120 (00288)   6c614f42 45344345 70614978 48457378   laOBE4CEpaIxHEsx
0x00000130 (00304)   44762f45 6c733158 2f757a6a 6a6d796a   Dv/Els1X/uzjjmyj
0x00000140 (00320)   41336a59 63496f54 455a7663 79702b56   A3jYcIoTEZvcyp+V
0x00000150 (00336)   514d374f 74514e4a 392f6362 77366d75   QM7OtQNJ9/cbw6mu
0x00000160 (00352)   48383975 3150566e 56475963 30734158   H89u1PVnVGYc0sAX
0x00000170 (00368)   432b6f74 5357627a 5a315856 6b544877   C+otSWbzZ1XVkTHw
0x00000180 (00384)   6c436446 65445270 79514237 79574d5a   lCdFeDRpyQB7yWMZ
0x00000190 (00400)   6b6b2f43 39367044 4248524e 7a746e30   kk/C96pDBHRNztn0
0x000001a0 (00416)   6858774b 71394f79 61416870 742f7972   hXwKq9OyaAhpt/yr
0x000001b0 (00432)   6b556943 6b515052 71794769 69707449   kUiCkQPRqyGiiptI
0x000001c0 (00448)   6f47532b 78333239 45547453 594c6c71   oGS+x329ETtSYLlq
0x000001d0 (00464)   76786558 3141556e 7151766d 7a655238   vxeX1AUnqQvmzeR8
0x000001e0 (00480)   51464676 50327764 4b4e5632 31367063   QFFvP2wdKNV216pc
0x000001f0 (00496)   49426a65 4b35644a 4a736b35 4f736559   IBjeK5dJJsk5OseY
0x00000200 (00512)   78706f31 545a6a62 486d4244 4959382f   xpo1TZjbHmBDIY8/
0x00000210 (00528)   73334f4a 63307370 4c372f76 6434626e   s3OJc0spL7/vd4bn
0x00000220 (00544)   66324364 4a73536b 6f734571 4f436875   f2CdJsSkosEqOChu
0x00000230 (00560)   6e2b4e52 51737947 6f75487a 64633067   n+NRQsyGouHzdc0g
0x00000240 (00576)   38754951 3634676d 33635179 5a2f4854   8uIQ64gm3cQyZ/HT
0x00000250 (00592)   55426948 76783139 4e617075 4434667a   UBiHvx19NapuD4fz
0x00000260 (00608)   63696a53 2f524148 6f47384c 6c774c46   cijS/RAHoG8LlwLF
0x00000270 (00624)   70453943 6c352b4c 73513d3d            pE9Cl5+LsQ==

0x00000000 (00000)   86                                    .

0x00000000 (00000)   47455420 2f646f77 6e6c6f61 642f302f   GET /download/0/
0x00000010 (00016)   382f632f 30386331 39666134 2d346334   8/c/08c19fa4-4c4
0x00000020 (00032)   662d3466 66622d39 6436632d 31353039   f-4ffb-9d6c-1509
0x00000030 (00048)   30363537 38633965 2f4e6574 46783230   06578c9e/NetFx20
0x00000040 (00064)   5350315f 7838362e 65786520 48545450   SP1_x86.exe HTTP
0x00000050 (00080)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000060 (00096)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000070 (00112)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000080 (00128)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000090 (00144)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000a0 (00160)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000b0 (00176)   6f73743a 20646f77 6e6c6f61 642e6d69   ost: download.mi
0x000000c0 (00192)   63726f73 6f66742e 636f6d0d 0a436163   crosoft.com..Cac
0x000000d0 (00208)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000e0 (00224)   61636865 0d0a0d0a 4179666d 65633343   ache....Ayfmec3C
0x000000f0 (00240)   43446641 52565355 734c386e 314f5a71   CDfARVSUsL8n1OZq
0x00000100 (00256)   7858676d 3676524e 6671394f 76424349   xXgm6vRNfq9OvBCI
0x00000110 (00272)   46314f36 33395268 564b2b44 69473632   F1O639RhVK+DiG62
0x00000120 (00288)   6c614f42 45344345 70614978 48457378   laOBE4CEpaIxHEsx
0x00000130 (00304)   44762f45 6c733158 2f757a6a 6a6d796a   Dv/Els1X/uzjjmyj
0x00000140 (00320)   41336a59 63496f54 455a7663 79702b56   A3jYcIoTEZvcyp+V
0x00000150 (00336)   514d374f 74514e4a 392f6362 77366d75   QM7OtQNJ9/cbw6mu
0x00000160 (00352)   48383975 3150566e 56475963 30734158   H89u1PVnVGYc0sAX
0x00000170 (00368)   432b6f74 5357627a 5a315856 6b544877   C+otSWbzZ1XVkTHw
0x00000180 (00384)   6c436446 65445270 79514237 79574d5a   lCdFeDRpyQB7yWMZ
0x00000190 (00400)   6b6b2f43 39367044 4248524e 7a746e30   kk/C96pDBHRNztn0
0x000001a0 (00416)   6858774b 71394f79 61416870 742f7972   hXwKq9OyaAhpt/yr
0x000001b0 (00432)   6b556943 6b515052 71794769 69707449   kUiCkQPRqyGiiptI
0x000001c0 (00448)   6f47532b 78333239 45547453 594c6c71   oGS+x329ETtSYLlq
0x000001d0 (00464)   76786558 3141556e 7151766d 7a655238   vxeX1AUnqQvmzeR8
0x000001e0 (00480)   51464676 50327764 4b4e5632 31367063   QFFvP2wdKNV216pc
0x000001f0 (00496)   49426a65 4b35644a 4a736b35 4f736559   IBjeK5dJJsk5OseY
0x00000200 (00512)   78706f31 545a6a62 486d4244 4959382f   xpo1TZjbHmBDIY8/
0x00000210 (00528)   73334f4a 63307370 4c372f76 6434626e   s3OJc0spL7/vd4bn
0x00000220 (00544)   66324364 4a73536b 6f734571 4f436875   f2CdJsSkosEqOChu
0x00000230 (00560)   6e2b4e52 51737947 6f75487a 64633067   n+NRQsyGouHzdc0g
0x00000240 (00576)   38754951 3634676d 33635179 5a2f4854   8uIQ64gm3cQyZ/HT
0x00000250 (00592)   55426948 76783139 4e617075 4434667a   UBiHvx19NapuD4fz
0x00000260 (00608)   63696a53 2f524148 6f47384c 6c774c46   cijS/RAHoG8LlwLF
0x00000270 (00624)   70453943 6c352b4c 73513d3d            pE9Cl5+LsQ==

0x00000000 (00000)   34                                    4

0x00000000 (00000)   aa                                    .

0x00000000 (00000)   bf                                    .

0x00000000 (00000)   35                                    5

0x00000000 (00000)   c3                                    .

0x00000000 (00000)   c4                                    .

0x00000000 (00000)   74                                    t

0x00000000 (00000)   75                                    u

0x00000000 (00000)   3c                                    <

0x00000000 (00000)   37                                    7

0x00000000 (00000)   b5                                    .

0x00000000 (00000)   8f                                    .

0x00000000 (00000)   71                                    q
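
The C2 request in the pcap above is a POST to a bare IP with no path, a form-urlencoded content type, a fixed IE6 User-Agent identical to the string the sample stores under HKLM\SOFTWARE\2a89521acd\c984f294, and a 412-byte body that is strict base64 of non-text bytes. The Python below is an added example, not part of the report: it reassembles the POST from the ASCII column of the hexdump and checks exactly those points, then decodes the body and measures its entropy. One caveat when reading the dump: the base64 tail shown after the GET /download/... headers is byte-for-byte the POST body at the same offsets (0xe8 onward), which is consistent with a reused display buffer in the capture output rather than a GET that carries a body, so only the POST is reconstructed and nothing past a request's blank line is trusted unless Content-Length says so. The entropy threshold is a judgement call, labelled as such in the code.

```python
"""Triage of the captured C2 POST: header consistency, body encoding, entropy."""
import base64
import ipaddress
import math
from collections import Counter

# Reassembled from the ASCII column of the POST hexdump in the report
# (offsets 0x000 through 0x273); the body is exactly 412 bytes.
_HEADERS = (
    b"POST / HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\r\n"
    b"Host: 126.158.79.54\r\n"
    b"Content-Length: 412\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
_BODY = b"".join([
    b"eTsRgJ9uAyfmec3C", b"CDfARVSUsL8n1OZq", b"xXgm6vRNfq9OvBCI", b"F1O639RhVK+DiG62",
    b"laOBE4CEpaIxHEsx", b"Dv/Els1X/uzjjmyj", b"A3jYcIoTEZvcyp+V", b"QM7OtQNJ9/cbw6mu",
    b"H89u1PVnVGYc0sAX", b"C+otSWbzZ1XVkTHw", b"lCdFeDRpyQB7yWMZ", b"kk/C96pDBHRNztn0",
    b"hXwKq9OyaAhpt/yr", b"kUiCkQPRqyGiiptI", b"oGS+x329ETtSYLlq", b"vxeX1AUnqQvmzeR8",
    b"QFFvP2wdKNV216pc", b"IBjeK5dJJsk5OseY", b"xpo1TZjbHmBDIY8/", b"s3OJc0spL7/vd4bn",
    b"f2CdJsSkosEqOChu", b"n+NRQsyGouHzdc0g", b"8uIQ64gm3cQyZ/HT", b"UBiHvx19NapuD4fz",
    b"cijS/RAHoG8LlwLF", b"pE9Cl5+LsQ==",
])
C2_POST = _HEADERS + _BODY

# The string the sample stores under HKLM\SOFTWARE\2a89521acd\c984f294 (and its HKCU twin).
REGISTRY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
# Judgement call, not from the report: decoded compressed or encrypted data sits
# near 8 bits/byte, decoded text or real form data well below this.
ENTROPY_THRESHOLD = 6.0


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def shannon_entropy(data):
    """Plug-in estimate in bits per byte; 8.0 for 256 equiprobable byte values."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_body(raw):
    """Strict base64 decode of the body; raises ValueError on any off-alphabet byte."""
    return base64.b64decode(parse_request(raw)[2], validate=True)


def triage(raw):
    request_line, headers, body = parse_request(raw)
    result = {
        "method": request_line.split()[0],
        "host_is_bare_ip": False,
        "length_matches": headers.get("content-length") == str(len(body)),
        "ua_matches_registry": headers.get("user-agent") == REGISTRY_UA,
        "body_is_base64": False,
        "decoded_len": 0,
        "decoded_entropy": 0.0,
        "looks_encrypted": False,
    }
    try:
        ipaddress.ip_address(headers.get("host", ""))
        result["host_is_bare_ip"] = True
    except ValueError:
        pass
    try:
        decoded = decode_body(raw)
    except ValueError:          # binascii.Error is a ValueError subclass
        return result
    result["body_is_base64"] = True
    result["decoded_len"] = len(decoded)
    result["decoded_entropy"] = round(shannon_entropy(decoded), 2)
    result["looks_encrypted"] = result["decoded_entropy"] >= ENTROPY_THRESHOLD
    return result


if __name__ == "__main__":
    for key, value in triage(C2_POST).items():
        print(f"{key:>20}: {value}")
```

A body declared as application/x-www-form-urlencoded that contains no key=value pairs but decodes cleanly as strict base64 into high-entropy bytes is the combination worth alerting on; any one of the fields alone (the IE6 User-Agent, a bare-IP Host) is common enough in legitimate traffic to be noise.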


Strings