Analysis Date: 2015-11-17 23:04:15
MD5: 9255f6e1ac6cf5aa14b1ef479ef3fc4a
SHA1: c7c6c40b7f3571473283f78c5f4883e17890d175

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5 bc421400d4ccc88ba973aa55d6ac9cb9  sha1 ccaed618ae7fdb65e7ea7eea8bae828c8afa3a1c  size 105984
Section .rdata: md5 ea99934c07cfc02c741d13fa19317648  sha1 61398083221a1698fbd74ae162f530e4a8c60315  size 40448
Section .data:  md5 cc4323873155351e2bcfc6c427055d68  sha1 69cfbbd9484096cd54b352e9ee3e163d73a7fc34  size 36352
Section .rsrc:  md5 3574e4b5520649165a6171d423dfd8ee  sha1 60dc97e9228e0849e5216129df406378d4fe1286  size 139264
Timestamp: 2015-10-20 06:28:11
Packer: Microsoft Visual C++ ?.?
PEhash: 31439b308f32cb4b2999d2e22b8b4deafcb1c1b7
IMPhash: a0c4514a58071233aeadae5d80b1cb6d
AV MalwareBytes: Backdoor.Andromeda
AV MicroWorld (escan): Trojan.GenericKDZ.30724
AV K7: Trojan ( 004d47951 )
AV Microsoft Security Essentials: Worm:Win32/Dorkbot
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Worm.Win32.Ngrbot.auht
AV ClamAV: no_virus
AV Mcafee: Gamarue-FDC!9255F6E1AC6C
AV F-Secure: Trojan.GenericKDZ.30724
AV Emsisoft: Trojan.GenericKDZ.30724
AV Grisoft (avg): Crypt5.FRN
AV Dr. Web: BackDoor.IRC.NgrBot.42
AV Fortinet: W32/Kryptik.EASA!tr
AV Ad-Aware: Trojan.GenericKDZ.30724
AV Frisk (f-prot): no_virus
AV Arcabit (arcavir): Trojan.GenericKDZ.30724
AV BitDefender: Trojan.GenericKDZ.30724
AV Eset (nod32): Win32/Injector.BNHS
AV BullGuard: Trojan.GenericKDZ.30724
AV Alwil (avast): Androp [Drp]
AV Avira (antivir): TR/Crypt.ZPACK.191038
AV Authentium: W32/Agent.XL.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Worm.Ngrbot.r4
AV Padvish: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Process: C:\WINDOWS\system32\calc.exe
Creates Mutex: SSLOADasdasc000900

Process
↳ C:\malware.exe (second instance, spawned by the first)

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\9ee5_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 184 (Dr. Watson crash reporter; this instance crashed)

Process
↳ C:\WINDOWS\system32\svchost.exe (spawned directly by C:\malware.exe rather than by the service control manager; the autostart entries, dropped files and Startup-folder deletions below are performed by this process, not by malware.exe, which is consistent with code injected into it)

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman ➝ C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe\\x00 (trailing \\x00 as rendered by the sandbox)
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Installer ➝ C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\c731200
Creates File: C:\Documents and Settings\Administrator\Application Data\Update\Update.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe
Deletes File: C:\Documents and Settings\All users\Start Menu\Programs\Startup\desktop.ini
Deletes File: C:\dgckobtss\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\INFO2
Deletes File: C:\dgckobtss\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\desktop.ini
Deletes File: C:\Documents and Settings\All users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
Deletes File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
Creates Process: C:\WINDOWS\system32\mspaint.exe
Creates Mutex: SVCHOST_MUTEX_OBJECT_RELEASED_c0009X00GOAL

Process
↳ C:\WINDOWS\system32\calc.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\c731200
Creates Mutex: c731200

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 184

(no further activity recorded)

Process
↳ C:\WINDOWS\system32\mspaint.exe

(no further activity recorded)

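The process tree above is the part of this report an analyst actually triages: a sample that launches svchost.exe, calc.exe and mspaint.exe itself, after which the spawned svchost.exe writes two autostart entries pointing into Application Data and cleans out the Startup folder. The script below is an added example, not the sandbox's own code and not part of the original report. It parses sandbox-style action lines (it accepts both "Creates Process: X" and the run-together "Creates ProcessX" form), rebuilds the per-process activity, and emits findings for the behaviours seen here. SAMPLE_REPORT is a constructed excerpt transcribed from the report above; the finding category names, the list of autostart registry locations, the user-writable directory fragments and the list of injection-host binaries are assumptions chosen for illustration.

```python
"""Turn sandbox process-activity lines into triage findings.

Added example; not the sandbox's code and not part of the report.
SAMPLE_REPORT is a constructed excerpt transcribed from the report above.
The category names, AUTOSTART_KEYS, USER_WRITABLE_DIRS and INJECTION_HOSTS
are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Registry locations that load a binary at logon. Assumed list, not exhaustive.
AUTOSTART_KEYS = (
    r"\CurrentVersion\Run",
    r"\CurrentVersion\RunOnce",
    r"\Winlogon\Taskman",
    r"\Winlogon\Shell",
    r"\Winlogon\Userinit",
)
# Path fragments of user-writable directories; a legitimate autostart entry
# for a Windows component would not point here.
USER_WRITABLE_DIRS = ("\\Application Data\\", "\\Local Settings\\Temp\\", "\\AppData\\")
# Signed Microsoft binaries commonly launched as hosts for injected code.
INJECTION_HOSTS = ("svchost.exe", "calc.exe", "mspaint.exe", "explorer.exe")

# Accepts both "Creates Process: X" and the run-together "Creates ProcessX".
LABEL_RE = re.compile(
    r"^(Creates Process|Creates File|Deletes File|Creates Mutex|Registry)[:\s]*(.*)$"
)

SAMPLE_REPORT = r"""
Process
↳ C:\malware.exe
Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Process: C:\WINDOWS\system32\calc.exe
Creates Mutex: SSLOADasdasc000900

Process
↳ C:\WINDOWS\system32\svchost.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman ➝ C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Installer ➝ C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe
Deletes File: C:\Documents and Settings\All users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
Creates Process: C:\WINDOWS\system32\mspaint.exe
"""


def basename(path):
    """Last path component, lower-cased, with trailing command-line arguments dropped."""
    return path.rsplit("\\", 1)[-1].split(" ", 1)[0].lower()


def parse_report(text):
    """Group each action line under the process (the '↳' line) that performed it."""
    tree = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("↳"):
            current = line[1:].strip()
            continue
        m = LABEL_RE.match(line)
        if m and current:
            tree[current].append((m.group(1), m.group(2).strip()))
    return dict(tree)


def split_registry(value):
    """Split 'KEY ➝ DATA' as rendered by the sandbox into (key, data)."""
    key, _, data = value.partition("➝")
    return key.strip(), data.strip()


def find_indicators(tree):
    """Return (category, process, detail) tuples for the behaviours worth escalating."""
    findings = []
    spawned = {t.lower() for acts in tree.values() for a, t in acts if a == "Creates Process"}
    for proc, actions in tree.items():
        # A system binary that the sample itself launched and that then installs
        # persistence is a strong sign its address space was hijacked.
        hijacked_host = basename(proc) in INJECTION_HOSTS and proc.lower() in spawned
        for action, target in actions:
            if action == "Creates Process" and basename(target) in INJECTION_HOSTS:
                findings.append(("spawns-injection-host", proc, target))
            elif action == "Deletes File" and "\\Startup\\" in target:
                findings.append(("startup-folder-tamper", proc, target))
            elif action == "Registry":
                key, data = split_registry(target)
                if not any(k.lower() in key.lower() for k in AUTOSTART_KEYS):
                    continue
                findings.append(("persistence", proc, key))
                if any(d.lower() in data.lower() for d in USER_WRITABLE_DIRS):
                    findings.append(("autostart-from-user-dir", proc, data))
                if "\\x00" in data or "\x00" in data:  # literal or real NUL in value data
                    findings.append(("null-in-reg-value", proc, key))
                if hijacked_host:
                    findings.append(("system-binary-writes-autostart", proc, key))
    return findings


def count_by_category(findings):
    """Histogram of finding categories, handy for a one-line verdict."""
    counts = defaultdict(int)
    for category, _, _ in findings:
        counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, proc, detail in find_indicators(parse_report(SAMPLE_REPORT)):
        print(f"{category:32} {basename(proc):12} {detail}")
```

Run against the constructed excerpt, the script reports eleven findings: three injection-host launches, two autostart entries (both pointing into Application Data, one carrying the rendered NUL), both written by a spawned svchost.exe, and one Startup-folder deletion. The same parser can be pointed at a full report dump; lines it does not recognise (hashes, AV labels, section headers) are ignored.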
Network Details:
