Analysis Date: 2015-10-29 06:03:29
MD5: c956f52afb7f1b1e962f25702dcf5a72
SHA1: b9cded3186d5cc557aefc0ed682f25dad2b4d65f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4d4340a2c2fa12cfe976a347249974b7 sha1: 541210cf18c9ce026569d7d545afd366b5e1f6fc size: 1016832
Section .rdata: md5: 33b2a82f2a7040b0f76f34d0c6b568c2 sha1: 3e410cf405d1daf3c7269f41066303e39a0dab3b size: 305152
Section .data: md5: e25e1bc2b8e60b1158726aec47498079 sha1: 120f8dc89cda0dcff57b99c6038f750c15a2719e size: 11264
Section .reloc: md5: fb2540574992d2862840c8e7130f3bf4 sha1: 0e14697e3aab4c2163c433be8d5910a4113db445 size: 64512
Timestamp: 2015-04-30 21:28:59
Packer: Microsoft Visual C++ 8
PEhash: d5803cfe62f164d9592337c801dfcfbbe2c78fe7
IMPhash: ab029f328f670475315d469c7696d2d2
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.606112
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.606112
AV BullGuard: Gen:Variant.Kazy.606112
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Backdoor.SoxGrave.013162
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.606112
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.606112
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV K7: Trojan ( 004c3a4d1 )
AV BitDefender: Gen:Variant.Kazy.606112
AV Fortinet: W32/Kryptic.WU!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.R
AV Alwil (avast): Dropper-OJI [Drp]
AV Ad-Aware: Gen:Variant.Kazy.606112
AV Rising: no_virus
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.192414
AV Mcafee: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\rarnv51m40htov8mchi33.exe
Creates File: C:\WINDOWS\system32\ntblhujnzvo\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\rarnv51m40htov8mchi33.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\rarnv51m40htov8mchi33.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Protection Isolation AutoConnect ➝ C:\WINDOWS\system32\bwknlioyxxrw.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\ntblhujnzvo\lck
Creates File: C:\WINDOWS\system32\ntblhujnzvo\etc
Creates File: C:\WINDOWS\system32\bwknlioyxxrw.exe
Creates File: C:\WINDOWS\system32\ntblhujnzvo\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\bwknlioyxxrw.exe
Creates Service: AuthIP Support Trap Sharing Adapter Print - C:\WINDOWS\system32\bwknlioyxxrw.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1844

Process
↳ Pid 1136

Process
↳ C:\WINDOWS\system32\bwknlioyxxrw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\ntblhujnzvo\run
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ntblhujnzvo\cfg
Creates File: C:\WINDOWS\system32\ntblhujnzvo\rng
Creates File: C:\WINDOWS\system32\ntblhujnzvo\lck
Creates File: C:\WINDOWS\TEMP\rarnv51tpvhtov8.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\mawefhwp.exe
Creates File: C:\WINDOWS\system32\ntblhujnzvo\tst
Creates Process: C:\WINDOWS\TEMP\rarnv51tpvhtov8.exe -r 37816 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\bwknlioyxxrw.exe"

Process
↳ C:\WINDOWS\system32\bwknlioyxxrw.exe

Creates File: C:\WINDOWS\system32\ntblhujnzvo\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\bwknlioyxxrw.exe"

Creates File: C:\WINDOWS\system32\ntblhujnzvo\tst

Process
↳ C:\WINDOWS\TEMP\rarnv51tpvhtov8.exe -r 37816 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: ableread.net (Type: A)
DNS: maybellinecherokee.net (Type: A)
DNS: alexandrinacalleigh.net (Type: A)
DNS: recordtrust.net (Type: A)
DNS: electricseparate.net (Type: A)
DNS: flierdress.net (Type: A)
DNS: oftenbranch.net (Type: A)
DNS: thicklaughter.net (Type: A)
DNS: rathersystem.net (Type: A)
Flows TCP: 192.168.1.1:1049 ➝ 24.220.92.193:443