Analysis Date: 2015-11-20 04:36:14
MD5: ef9db636fc6f5305cebe724d4efb4892
SHA1: bbba2cd8a9f8824d0a6bde3f625fae59680626c5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 674cd7c33f7593b32098d5feabb347b3 sha1: 5ba4e156e443c1734b780e89e76362c8eeeb2d54 size: 1083392
Section .rdata: md5: 2f9b74ac3c9311ae1de6bd7b06b673ea sha1: fabffdf5a8da530ffcf0de91e1fc20e7c86b8303 size: 314368
Section .data: md5: 7f9c3f340ed6f25216c3ed65d7c81914 sha1: 30e73ff9db5d49f420619ab01e5b3cfe3b433e0f size: 11264
Section .reloc: md5: bebd98b375061ddead48d4b079615a01 sha1: 619d86ca4a2427065d8fe24334461b90ab72ccd9 size: 70144
Timestamp: 2015-04-30 21:18:23
Packer: Microsoft Visual C++ 8
PEhash: c60bb6c1a6fe9ceed458ea4a1a8bcf3a42346756
IMPhash: 401df8617c413a3fe9a40dda67be4d09
AV Rising: 0x59302068
AV Mcafee: no_virus
AV Avira (antivir): TR/Boryab.aiez
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Zusy.140251
AV Alwil (avast): Dropper-OJG [Drp]
AV Eset (nod32): Win32/Bayrob.R
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptic.WU!tr
AV BitDefender: Gen:Variant.Zusy.140251
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BG
AV MicroWorld (escan): Gen:Variant.Zusy.140251
AV MalwareBytes: no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Zusy.140251
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): Backdoor.SoxGrave.013162
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.140251
AV Arcabit (arcavir): Gen:Variant.Zusy.140251
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Zusy.140251
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\gkcu9swl1mglinwial4iazn1o.exe
Creates File: C:\WINDOWS\system32\omshpqwlmqno\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\gkcu9swl1mglinwial4iazn1o.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\gkcu9swl1mglinwial4iazn1o.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Log Adaptive Themes Receiver Shadow DNS ➝ C:\WINDOWS\system32\vthmwatd.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\vthmwatd.exe
Creates File: C:\WINDOWS\system32\omshpqwlmqno\etc
Creates File: C:\WINDOWS\system32\omshpqwlmqno\lck
Creates File: C:\WINDOWS\system32\omshpqwlmqno\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\vthmwatd.exe
Creates Service: Now Human ActiveX Process Accounts - C:\WINDOWS\system32\vthmwatd.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1080

Process
↳ Pid 1196

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1064

Process
↳ C:\WINDOWS\system32\vthmwatd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\omshpqwlmqno\run
Creates File: C:\WINDOWS\system32\omshpqwlmqno\cfg
Creates File: C:\WINDOWS\system32\omshpqwlmqno\lck
Creates File: C:\WINDOWS\system32\lyrhcvyp.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\omshpqwlmqno\rng
Creates File: C:\WINDOWS\TEMP\gkcu9swl1tvjinwia.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\omshpqwlmqno\tst
Creates Process: WATCHDOGPROC "c:\windows\system32\vthmwatd.exe"
Creates Process: C:\WINDOWS\TEMP\gkcu9swl1tvjinwia.exe -r 50069 tcp

Process
↳ C:\WINDOWS\system32\vthmwatd.exe

Creates File: C:\WINDOWS\system32\omshpqwlmqno\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\vthmwatd.exe"

Creates File: C:\WINDOWS\system32\omshpqwlmqno\tst

Process
↳ C:\WINDOWS\TEMP\gkcu9swl1tvjinwia.exe -r 50069 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: ableread.net (Type: A) ➝ 208.91.197.241
DNS: maybellinecherokee.net (Type: A)
DNS: alexandrinacalleigh.net (Type: A)
DNS: recordtrust.net (Type: A)
DNS: electricseparate.net (Type: A)
DNS: flierdress.net (Type: A)
DNS: oftenbranch.net (Type: A)
DNS: thicklaughter.net (Type: A)
DNS: rathersystem.net (Type: A)
DNS: strangedistant.net (Type: A)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=049&sox=4ba89400&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80