Analysis Date: 2013-12-08 20:42:26
MD5: ad9a222a592e6235ccb089d08069fd1f
SHA1: c2b6a5be5df7b08e23215764d41454ba10751e78

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 7e719d87097deabc5c009102f253facd sha1: 561de5de0b459ff93c8251655581bf03900dfdd3 size: 9216
Section .rdata md5: 782fb58626d7715f83c70107a9bed6fa sha1: 13e59a934553bffbf4c1fe8d686f4d268bfa1f3e size: 5120
Section .data md5: c60dc58d0ed4d30162b953686d7bfc67 sha1: 401e1c10a946934864beda20d55f883a3fc08a0c size: 49152
Section .rsrc md5: c30049187ff70ea065094e6487bda65d sha1: 2193e7646b46b4d042b04293da6bab9a95256ac8 size: 2048
Timestamp: 2009-08-23 13:32:37
Version:
  LegalCopyright: Copyright (C) V DoctorWeb, Ltd., 1992-2011
  InternalName: Dr.Web for Windows
  FileVersion: 5.0.572.1152
  CompanyName: ComponentOne LLC
  LegalTrademarks:
  Comments:
  ProductName: Dr.Web for Windows LR
  ProductVersion: 5.0.572.1152
  FileDescription: M1DrWeb For Windows X 2011
  OriginalFilename: wBRENDWE
PEhash: e0b7bdedc39d812e1444ef22fbfd2055c9960635
AV avg: Win32/Cryptor
AV mcafee: Downloader-CEW.ae
AV msse: TrojanDownloader:Win32/Renos.PT
AV avira: TR/Agent.66560.EL
AV clamav: Trojan.FakeAV.DRW

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat

Network Details:

DNS: hubpages.com
  Type: A
  66.211.109.13
DNS: terra.com.br
  Type: A
  200.154.56.80
DNS: netdatum.in
  Type: A
DNS: glenninyx.in
  Type: A

Strings
041904E3
5.0.572.1152
Alt+ Clipboard does not support Icons
Cannot open clipboard
Comments
CompanyName
ComponentOne LLC
Copyright (C) V DoctorWeb, Ltd., 1992-2011
Ctrl+
Docked control must have a name%Error removing control from dock tree
 - Dock zone has no control
 - Dock zone not found
Down
Dr.Web for Windows 
Dr.Web for Windows LR
FileDescription
FileVersion
InternalName
ixho
LegalCopyright
LegalTrademarks
M1DrWeb For Windows X 2011
OriginalFilename
ProductName
ProductVersion
Right
Shift+
StringFileInfo
Text exceeds memo capacity/Menu '%s' is already being used by another form
Translation
VarFileInfo
VS_VERSION_INFO
wBRENDWE
:~	02m`Mar 
05d<9?d
0~DHL$X
~0HL$p
0N4(8@
0OQCmsHI
1A%Shjl?
1HqdR\
1m$basic_
 1RcSP#
2(0DK}
3](m:S
\::;]4
4^cx.L
4~HHp$
4mxD@B
@5L"d:
:6;MA 
6o7954
6pVDR56
6y10hy
+[7;\B_ 
8j0]ta
8^,u<`0
ActivateKeyboardLayout
`aG`_1
AH?=n ?
b4[@],`
BeginPaint
Bmx#h}
.brdat<y>8
CallNextHookEx
CG}@0zB
CharNextA
CharUpperA
CloseClipboard
CloseHandle
CoFreeUnusedLibraries
?com	p
CompareStringA
CoReleaseMarshalData
/cpyDx
CreateBrushIndirect
CreateMenu
CreatePopupMenu
CreateThread
<"CxAF
$cY-0s
@.data
	 DcI[8e
DefFrameProcA
DeleteCriticalSection
DeleteFileA
DeleteMenu
DestroyIcon
D^fx/O
\~dHl$
DispatchMessageA
DispatchMessageW
d+JES$
[D\L~$
dNl(px
DNT(`p
DOp@=]
DrawIconEx
D^$uH`(
Du@k.%K/ 
e4NL(\h
E6IJkt4g
e(~8HH$T
|^ef.d]
EfS_Agz
e$N,(8T
EnterCriticalSection
EnumChildWindows
EnumThreadWindows
E&`=o3#
et8L_;
eUNIQqSTR
)E	w^	
F6FIH_:
Fbvq1vaEJ
FgM5iV
FindClose
FindFirstFileA
FindResourceA
\$fk(Y;
f_LY"k
Fm\h5f
fN\(R4
(/FOh'
FormatMessageA
FreeLibrary
FreeResource
FsevOR
G8_W4s(0P
G987654
gdi32.dll
-g][e0
GetACP
GetBitmapBits
GetClassInfoA
GetClassLongA
GetClassNameA
GetClipboardData
GetClipBox
GetCommandLineA
GetCommandLineW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceA
GetDlgItem
GetEnvironmentStrings
GetFileSize
GetFileType
GetFocus
GetFullPathNameA
GetKeyboardLayoutList
GetKeyboardState
GetLastError
GetMenu
GetMenuItemInfoA
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcessHeap
GetScrollPos
GetScrollRange
GetStartupInfoA
GetStdHandle
GetStringTypeW
GetSubMenu
GetVersionExA
GetWindow
GetWindowLongA
GetWindowPlacement
GetWindowTextA
GetWindowTextLengthA
GlobalAlloc
GlobalDeleteAtom
GlobalFindAtomA
gxPezu
GZFG8x
$~,H0$8
 ~,H8$D
hDWSwj
HeapAlloc
|hH>ht
,~HH\$p
h/$LeNL
HNT(dp
H~PHX$\
h~RH<$2
h\_T.N
H^@uL`D
.#Hw.I
>h%?$_X
i3"leC
i/dE<v
ijsDOS
InflateRect
InitializeCriticalSection
iN+wU'E
}:iRich|
IsBadReadPtr
IsDialogMessageA
IsWindowEnabled
IsZoomed
><<?ixml v
j<cLD,@H
%JeMu`
JH7DqBE
jmbly 
jNZ(J8
KeAf7cTh
kernel32.dll
.KFe{,b
kJKERN]L32ZJD
Ku789E
KUJlIJ9D
+;KV_ <8C
| *?"L
LFQZFHi
LfThios prog
LJH0qc
l.LhC&pfS
LoadIconA
LoadKeyboardLayoutA
LoadLibraryA
LocalAlloc
LocalFree
LocalReAlloc
LockResource
?lOIV1
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
lstrlenW
)<~LyJ
L|ZW9}
m.1.n#
mCQ=1i
m,e4,k
MessageBeep
MjSE6j
MosM!gWQN
MoveFileA
MoveFileExA
Mq(ZC'
Mr]c|W
MsgWaitForMultipleObjects
$m^,zl
n4~\'u
n;	7Il
nag@DUN
<ND(LT
*Ne6(JZ
neB#AS
N'&hd$
NmKh kHj0N
?npo;s6
@NP(`p
!|o#Amj
oCg"Q	
OffsetRect
oL7aBt
OLE32.DLL
OleRegGetUserType
OleRun
Ool=Gb
OpenIcon
ORHd<U
O =(t3 
,.O~_V2n=
P8tkl84K
=<PcucZ
PDmrYHD
p='k*6
pN+~y@(
PostQuitMessage
PropVariantClear
PS%$F 
p)uuf.
 QAP)0L
QPV(fW
r1iwsL
r88hwU
RaiseException
`.rdata
?RdE^$
R'DzQa
RedrawWindow
RemovePropA
ResetEvent
rF@\k,
roUEvEY
rp6i0yugL
^RV~9(
r+YPZGH)t.%
S~4uF0`8
ScreenToClient
SetActiveWindow
SetBkColor
SetCapture
SetCursor
SetErrorMode
SetFilePointer
SetHandleCount
SetMenuItemInfoA
SetParent
SetRect
SetScrollInfo
SetScrollPos
SetThreadLocale
SetWindowLongW
SetWindowPlacement
SetWindowPos
SetWindowTextA
+sG;3}|.
SizeofResource
sk.texT
StringFromIID
SV)LrL
S&Y19I
t3-Hv^
!This program cannot be run in DOS mode.
t(io\$
t^~jc?'
TQG"f%	@N
TranslateMDISysAccel
tu=fM&
TWAIN_32.DLL
tWINhETp.dl
u%8I/*
^ ,uFfM/
uH;Ozty
UI+	pg+!
~uq5NM
user32.dll
uXeD9X
;\U)Zf 9
/U:>Zm_%
*V0ZzIh
VirtualAlloc
VirtualAllocEx
VirtualFree
(VNFx+
v[uGji
^;Vw,FbIv
WaitForSingleObject
WaitMessage
wAlp`^
wBRENDWE
~We`PR!.
wF>]Ne
WriteFile
wSCDy7
,X86Ttnam{UA-CBuk{w-
Xd`j$Q
 )=xoT|
X^Pu\`T
x	PW$M
x+QM;6;
XQsu"M
XzM__D
Y(-Bs~?
Y]Ct/>
y#+MwG
zgn1[*
%ZIh Hw~,-~
zJlP_2}9$
z~N+>b9g
	,$zP(
ZR?]e(
Z@(R<t
z?swxn$
z`(,u!
ZU\^te