Analysis Date: 2018-04-10 01:46:48
MD5: d40e504621e2cfc3d778c0a028e6faf7
SHA1: c87e99f2a36ef63774cf92b6f3d28d671e8dd174

Static Details:

Vendor                              Detection
Arcabit (arcavir)                   Gen:Variant.Symmi.22722
Authentium                          W32/Nivdort.A.gen!Eldorado
Grisoft (avg)                       Win32/Cryptor
Avira (antivir)                     BDS/Zegost.Gen
Alwil (avast)                       Kryptik-OOC [Trj]
Ad-Aware                            Gen:Variant.Symmi.22722
BitDefender                         Gen:Variant.Symmi.22722
BullGuard                           Gen:Variant.Symmi.22722
ClamAV                              Error Scanning File
Dr. Web                             Trojan.KillFiles.25172
Emsisoft                            Gen:Variant.Symmi.22722
MicroWorld (escan)                  Gen:Variant.Symmi.22722
CA (E-Trust Ino)                    Error Scanning File
Fortinet                            W32/Kryptik.DDQD!tr
Frisk (f-prot)                      W32/Nivdort.A.gen!Eldorado
F-Secure                            Gen:Variant.Symmi.22722
Ikarus                              Error Scanning File
K7                                  Error Scanning File
Kaspersky                           Error Scanning File
MalwareBytes                        No Virus
Mcafee                              Nivdort!D40E504621E2
Microsoft Security Essentials       TrojanSpy:Win32/Nivdort
NANO                                Trojan.Win32.KillFiles.dowczq
Eset (nod32)                        Win32/Kryptik.CCLE
Padvish                             No Virus
CAT (quickheal)                     TrojanSpy.Nivdort.WR3
Rising                              No Virus
360 Safe                            No Virus
SUPERAntiSpyware                    No Virus
Symantec                            Downloader.Upatre!g15
Trend Micro                         TROJ_WONTON.SMJ1
Twister                             No Virus
VirusBlokAda (vba32)                No Virus
Windows Defender                    TrojanSpy:Win32/Nivdort
Zillya!                             Trojan.Kryptik.Win32.735029

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\c87e99f2a36ef63774cf92b6f3d28d671e8dd174.exe

Creates Mutex (15 events; mutex names not captured in this extract)
Creates File C:\Windows\exdusawffvcua\tst
Creates File C:\Windows\exdusawffvcua\tst
Creates File c:\Users\Phil\AppData\Local\Temp\c87e99f2a36ef63774cf92b6f3d28d671e8dd174.exe
Creates File C:\Users\Phil\AppData\Local\Temp\ozuebn3mz26ezzsifxich.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\ozuebn3mz26ezzsifxich.exe

Creates Mutex (15 events; mutex names not captured in this extract)
Creates File C:\Windows\exdusawffvcua\tst
Creates File C:\Windows\exdusawffvcua\tst
Creates File C:\Windows\exdusawffvcua\lck
Creates File C:\Windows\exdusawffvcua\upd
Creates File C:\Windows\exdusawffvcua\etc
Creates File C:\Windows\exdusawffvcua\etc
Creates File C:\Windows\sysnative\drivers\etc\hosts
Creates File C:\Windows\exdusawffvcua\run

Process
↳ C:\Windows\ifnzlrh.exe

Creates Mutex (15 events; mutex names not captured in this extract)
Creates File C:\Windows\exdusawffvcua\tst
Creates File C:\Windows\exdusawffvcua\tst
Creates File C:\Windows\exdusawffvcua\lck

Network Details:

Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

Strings