Analysis Date: 2015-09-16 21:02:35
MD5: a5a171dad65369854e8168fb176b7757
SHA1: c3388d8a5157c87217dc289238f8992fdf31ed69

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c0e27b9fefcd694e5e0d16b5f71448e9 sha1: 49e8065612cc34eb2e5114d19780c49001c468b1 size: 20480
Section .rdata: md5: 1dea50b8bc860546c41343331f10b8ea sha1: 313d7531021022873e502ff1d5c1172f8843a70a size: 114688
Section .data: md5: ba7faa2c560c4ecc2df3e5456b344952 sha1: e68d1638adba6bdfb2e9613d7534c9cf9aba8b13 size: 8192
Section .rsrc: md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .reloc: md5: 7b1b66df0d5b8ae47f6b814b67a95b52 sha1: 016583d093fe19bb0d0be84a3a440ea559deef0b size: 4096
Timestamp: 2014-04-21 07:58:53
Packer: Microsoft Visual C++ ?.?
PEhash: 5b7c83a73d745eddc10dbe2dfcb73ffc1ca90806
IMPhash: 9f6fbf34abd659426cbc0dc8bc1dd107
AV Rising: no_virus
AV Mcafee: RDN/Generic BackDoor
AV Avira (antivir): TR/Dropper.Gen
AV Twister: Trojan.DOMG.eohj
AV Ad-Aware: Gen:Win32.ExplorerHijack.juW@ayvcUPi
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Korplug.BY
AV Grisoft (avg): Agent4.BTSZ
AV Symantec: Trojan.Gen
AV Fortinet: W32/Korplug.BY!tr
AV BitDefender: Gen:Win32.ExplorerHijack.juW@ayvcUPi
AV K7: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.H
AV MicroWorld (escan): Gen:Win32.ExplorerHijack.juW@ayvcUPi
AV MalwareBytes: no_virus
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Agent4
AV Emsisoft: Gen:Win32.ExplorerHijack.juW@ayvcUPi
AV Zillya!: Trojan.Korplug.Win32.651
AV Kaspersky: Backdoor.Win32.Gulpix.aoz
AV Trend Micro: BKDR_PLUGX.EO
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Win32.ExplorerHijack.juW@ayvcUPi
AV Arcabit (arcavir): Gen:Win32.ExplorerHijack.juW@ayvcUPi
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Ibank.795
AV F-Secure: Gen:Win32.ExplorerHijack.juW@ayvcUPi
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Process: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Mutex: Global\abjzw

Process
↳ C:\Documents and Settings\All Users\DRM\XXX\.exe

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: Global\qzkdc
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\abjzw
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\mschu
Creates Mutex: Global\iqlgrgyod
Creates Mutex: Global\kcbmwgymqtveo
Creates Mutex: Global\crjljnixlvwdm
Creates Mutex: Global\ommintqmj
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\imbnx
Creates Mutex: Global\khutgmgyc
Creates Mutex: Global\uinglqjbkrilvyqrh
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\oibmskwsrdlel
Creates Mutex: Global\afudrymmy
Creates Mutex: Global\msblu
Creates Mutex: Global\gbssdtcjd

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150916202039.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150916202024.jpg
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150916202034.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150916202028.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150916202009.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150916201959.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150916202019.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150916202013.jpg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\XXX\nprqyjadoqkp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20150916202004.jpg
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\000000010000000000000100
Creates Mutex: MMMM
Winsock DNS: 127.0.0.1

Network Details:

Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53