Analysis Date2015-07-27 15:59:00
MD52b42219a2bb6a7e6a3676f97d3b98a01
SHA1b9d8c38357b2dbb54ca20779094273aa37882609

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: c502249b44981596aa4cdcde7cf907bf sha1: 43fe1176bed9fa252a821132d192048b5851b956 size: 446976
Section.rdata md5: 4b66f3564ebc1175ab254ca6e8b6b72d sha1: 7645903c3e29683a1944dfb34bc8f08978cc9b51 size: 512
Section.data md5: 6536c73359e5f8af35bc9c12e6c754a5 sha1: caca03970e372163a1ef3d2fdba38bf6cb5eeb9d size: 512
Section.rsrc md5: 208dd3fc24a2725766a3ee2d4c3f27c1 sha1: d0760cdaef8e3eac2d88b4b807539f360b334421 size: 4608
Timestamp2015-01-06 00:36:08
PEhash5c99e640371e78e09d2eba67c24bc534cdc2d6f8
IMPhashbcdc4d5d5dbcfd2224b52feaf645ed4a
AVCA (E-Trust Ino)Win32/Nabucur.C
AVF-SecureWin32.Virlock.Gen.1
AVDr. WebWin32.VirLock.10
AVClamAVno_virus
AVArcabit (arcavir)Win32.Virlock.Gen.1
AVBullGuardWin32.Virlock.Gen.1
AVPadvishno_virus
AVVirusBlokAda (vba32)Virus.VirLock
AVCAT (quickheal)Ransom.VirLock.A2
AVTrend MicroPE_VIRLOCK.D
AVKasperskyVirus.Win32.PolyRansom.b
AVZillya!Virus.Virlock.Win32.1
AVEmsisoftWin32.Virlock.Gen.1
AVIkarusVirus-Ransom.FileLocker
AVFrisk (f-prot)no_virus
AVAuthentiumW32/S-b256b4b7!Eldorado
AVMalwareBytesTrojan.VirLock
AVMicroWorld (escan)Win32.Virlock.Gen.1
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.C
AVK7Trojan ( 0040f9f31 )
AVBitDefenderWin32.Virlock.Gen.1
AVFortinetW32/Zegost.ATDB!tr
AVSymantecno_virus
AVGrisoft (avg)Generic_r.EKW
AVEset (nod32)Win32/Virlock.G virus
AVAlwil (avast)MalOb-FE [Cryp]
AVAd-AwareWin32.Virlock.Gen.1
AVRisingTrojan.Win32.PolyRansom.a
AVTwisterW32.PolyRansom.b.brnk.mg
AVAvira (antivir)TR/Crypt.XPACK.Gen
AVMcafeeW32/VirRansom.b

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\zGAcsgcM.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dsAccwQI.bat
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\b9d8c38357b2dbb54ca20779094273aa37882609
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\zGAcsgcM.bat
Creates ProcessC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\dsAccwQI.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates ProcessC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\b9d8c38357b2dbb54ca20779094273aa37882609"
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates ServiceBgMMsMHT - C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Starts ServiceBgMMsMHT

Process
↳ "C:\b9d8c38357b2dbb54ca20779094273aa37882609"

Creates ProcessC:\b9d8c38357b2dbb54ca20779094273aa37882609

Process
↳ C:\b9d8c38357b2dbb54ca20779094273aa37882609

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\vWowQsAM.bat
Creates FilePIPE\samr
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\b9d8c38357b2dbb54ca20779094273aa37882609
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\uScokMwE.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\uScokMwE.bat
Creates Process""C:\Documents and Settings\Administrator\Local Settings\Temp\vWowQsAM.bat" "C:\malware.exe""
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Process"C:\b9d8c38357b2dbb54ca20779094273aa37882609"
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ "C:\b9d8c38357b2dbb54ca20779094273aa37882609"

Creates ProcessC:\b9d8c38357b2dbb54ca20779094273aa37882609

Process
↳ C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\HUEcIEkg.exe ➝
C:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg.exe
Creates FilexkwM.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileC:\RCX14.tmp
Creates FileyaUI.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FileC:\RCX2.tmp
Creates FileCaco.ico
Creates FileC:\Documents and Settings\All Users\ICUk.txt
Creates FileEGAc.ico
Creates FileGwQE.ico
Creates FileZsYw.ico
Creates FileC:\RCX5.tmp
Creates FileaQkW.exe
Creates FilegkIQ.ico
Creates FileC:\RCX3.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FileC:\RCXF.tmp
Creates FileC:\RCX12.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileWwUS.exe
Creates FileymkM.ico
Creates FileC:\RCXD.tmp
Creates FileNwEY.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileKKYM.ico
Creates FileC:\RCX6.tmp
Creates FileOowA.exe
Creates FileC:\RCXE.tmp
Creates FileC:\RCXA.tmp
Creates FilewEQk.exe
Creates FileEgYY.ico
Creates FileGYIE.ico
Creates FileRYwW.exe
Creates FileC:\RCX13.tmp
Creates FileC:\RCX11.tmp
Creates FileWOIY.ico
Creates FileUMMG.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FilencAI.exe
Creates FileawoQ.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileiUcS.exe
Creates FileqMEi.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\RCX9.tmp
Creates FileOmwg.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileRkIU.exe
Creates FileCYsW.exe
Creates FileQcAc.ico
Creates FileC:\RCX8.tmp
Creates FileGAgs.exe
Creates FileiWcc.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileYEsE.exe
Creates FileioQU.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileC:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe
Creates FileaEAE.ico
Creates FileC:\RCX7.tmp
Creates FileKoUa.exe
Creates FileusMM.exe
Creates FileWAYY.ico
Creates FileC:\RCX4.tmp
Creates FileCMwI.ico
Creates FileuYAg.ico
Creates FileacMS.exe
Creates FileoYAI.exe
Creates FileGmQE.ico
Deletes FilexkwM.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileqMEi.exe
Deletes FileyaUI.ico
Deletes FileCaco.ico
Deletes FileRkIU.exe
Deletes FileOmwg.ico
Deletes FileEGAc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FileQcAc.ico
Deletes FileGwQE.ico
Deletes FileZsYw.ico
Deletes FileiWcc.ico
Deletes FileaQkW.exe
Deletes FileGAgs.exe
Deletes FilegkIQ.ico
Deletes FileYEsE.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileioQU.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileymkM.ico
Deletes FileWwUS.exe
Deletes FileaEAE.ico
Deletes FileNwEY.exe
Deletes FileKKYM.ico
Deletes FileKoUa.exe
Deletes FileusMM.exe
Deletes FileOowA.exe
Deletes FileWAYY.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FilewEQk.exe
Deletes FileGYIE.ico
Deletes FileCMwI.ico
Deletes FileRYwW.exe
Deletes FileuYAg.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileWOIY.ico
Deletes FileUMMG.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileacMS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileoYAI.exe
Deletes FilencAI.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes FileawoQ.exe
Deletes FileGmQE.ico
Deletes FileiUcS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates FileC:\Documents and Settings\Administrator\sckowYEM\HUEcIEkg
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates File\Device\Afd\Endpoint
Creates MutexnwYEEQIw0
Creates MutexrIwsEEEo0
Creates Mutex\\xc2\\xb7*@
Creates Mutex\\xc2\\xaf*@
Creates Mutex\\xc9\\xb8*@
Creates MutexvWcsggUA
Creates MutexScUMMMcQ
Creates Mutex\\xc2\\xbf*@
Creates Mutex\\xc2\\xa7*@

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ Pid 1024

Process
↳ Pid 1212

Process
↳ Pid 1308

Process
↳ Pid 1860

Process
↳ Pid 1176

Process
↳ C:\Documents and Settings\All Users\BGIwEQog\wAYUMkIw.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\igEsYooY.exe ➝
C:\Documents and Settings\All Users\jGgMgwwU\igEsYooY.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\Documents and Settings\All Users\jGgMgwwU\igEsYooY
Creates FileC:\Documents and Settings\LocalService\sckowYEM\HUEcIEkg
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\dsAccwQI.bat" "C:\malware.exe""

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Process
↳ ""C:\Documents and Settings\Administrator\Local Settings\Temp\vWowQsAM.bat" "C:\malware.exe""

Process
↳ C:\b9d8c38357b2dbb54ca20779094273aa37882609

Network Details:

DNSgoogle.com
Type: A
173.194.46.65
DNSgoogle.com
Type: A
173.194.46.64
DNSgoogle.com
Type: A
173.194.46.78
DNSgoogle.com
Type: A
173.194.46.73
DNSgoogle.com
Type: A
173.194.46.72
DNSgoogle.com
Type: A
173.194.46.71
DNSgoogle.com
Type: A
173.194.46.70
DNSgoogle.com
Type: A
173.194.46.69
DNSgoogle.com
Type: A
173.194.46.68
DNSgoogle.com
Type: A
173.194.46.67
DNSgoogle.com
Type: A
173.194.46.66
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 173.194.46.65:80
Flows TCP192.168.1.1:1032 ➝ 173.194.46.65:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a20676f 6f676c65 2e636f6d   Host: google.com
0x00000020 (00032)   0d0a0d0a                              ....


Strings