Analysis Date: 2013-10-09 19:13:14
MD5: 79cdecb292822ba2884e0e75509e6624
SHA1: cd1c9fd2db9119696d322447e274694de201c5dd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0436f2be4cc5c6d3cd4721293b8e6b98 sha1: 812fefa3b3e5ad7004a4a3485d828d0b36b84a65 size: 4608
Section .data md5: 86a789a893c60d5e207d053188cdc250 sha1: d0e52208299ef3349fa51c9f92d15a0d1ffaf1ce size: 512
Section .rsrc md5: 9df25893e018ea356b90ed73b245af3c sha1: 6463edab53fbfa289113f02dc7a32cd78f5203db size: 80896
Timestamp: 2008-04-13 18:31:34
Pdb path: lsass.pdb
Version:
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: lsass.exe
FileVersion: 5.1.2600.5512 (xpsp.080413-2113)
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.5512
FileDescription: LSA Shell (Export Version)
OriginalFilename: lsass.exe
PEhash: 406e9bf924cdaf653cb93a820e0bfc0900e0648e
AV avg: Win32/Sality
AV avira: W32/Sality.AT
AV msse: Virus:Win32/Sality.AT

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Aasppapmmxkvs\A1_0 ➝ 3299283285
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:ipsec
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Aasppapmmxkvs\-993627007\1768776769 ➝ 144
Creates File: C:\TEMP\FILES\monitor.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\winevnpl.exe
Creates File: C:\WINDOWS\SYSTEM.INI
Creates File: PIPE\SfcApi
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\TEMP\FILES\AcroRd32.exe
Creates File: PIPE\lsarpc
Creates File: C:\TEMP\monitor.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\TEMP\FILES\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\winevnpl.exe
Creates Mutex: uxJLpe1m
Creates Mutex: services.exeM_616_
Creates Mutex: monitor.exeM_1084_
Creates Mutex: explorer.exeM_360_
Creates Mutex: svchost.exeM_1184_
Creates Mutex: smss.exeM_324_
Creates Mutex: malware.exeM_1140_
Creates Mutex: lsass.exeM_628_
Creates Mutex: svchost.exeM_1072_
Creates Mutex: svchost.exeM_844_
Creates Mutex: reader_sl.exeM_456_
Creates Mutex: userinit.exeM_272_
Creates Mutex: alg.exeM_1856_
Creates Mutex: spoolsv.exeM_1356_
Creates Mutex: csrss.exeM_548_
Creates Mutex: svchost.exeM_1056_
Creates Mutex: rundll32.exeM_1252_
Creates Mutex: winlogon.exeM_572_
Creates Mutex: svchost.exeM_784_
Creates Mutex: svchost.exeM_1008_

Process
↳ C:\WINDOWS\system32\userinit.exe

Creates Mutex: uxJLpe1m
Creates Mutex: userinit.exeM_272_

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime ➝ NULL
Creates Mutex: uxJLpe1m
Creates Mutex: explorer.exeM_360_

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Creates Mutex: uxJLpe1m
Creates Mutex: reader_sl.exeM_456_

Network Details:

Strings
040904B0
5.1.2600.5512
5.1.2600.5512 (xpsp.080413-2113)
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
LSAMOFRESOURCE
LSA Shell (Export Version)
lsass.exe
Microsoft
Microsoft Corporation
 Microsoft Corporation. All rights reserved.
MOFDATA
 Operating System
OriginalFilename
ProductName
ProductVersion
\SAM_SERVICE_STARTED
\SETUP_FAILED
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
 Windows
_29m+)XZ
2M;u	YA
- )*2R
2=* YJh
%,3mpt
3v'vue
3xCD)B
$`4)<wq
!5/l]BD
_5Xj%t[3
7?$$B;
7v-#='
8fIJM<
9mA"$u
-9RVa(o
ADVAPI32.dll
|<[-Ah7
AllocateAndInitializeSid
/BGs2V
B}o.] J@@
	C9*n&
}CgZ*$
CheckTokenMembership
ClhrSh
CloseHandle
"e) 5i
EAt#C~i
E;r+fl
ExitThread
:Ey{~bOg
fE(8)`b
fK5@:R
FMgPR<
FreeSid
FYC"	E
FyVbXGc
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
h@mHMr
?HpcCLV
/-i`6KR4t
ii*F74
\%IlWc9
ImpersonateSelf
InterlockedExchange
{iZu1o)r
j1 sn(e"^
jh>(</
j{vTce
J@XL) ,
|k|})E>
KERNEL32.dll
kFKd&:
`KXFQb
LsaISetupWasRun
LsapAuOpenSam
LsapCheckBootMode
LsapDsDebugInitialize
LsapDsInitializeDsStateInfo
LsapDsInitializePromoteInterface
LsapInitLsa
LSASRV.dll
lsass.pdb
Lz3dx5
M6lO/k@
?Mpolx
MvJ)O0u[;
N=4Vq^
nG$~QyEM
|n(JA@
NtClose
NtCreateEvent
ntdll.dll
NTDLL.DLL
NtOpenEvent
NtRaiseHardError
NtSetEvent
NtSetInformationProcess
NtShutdownSystem
n:X4f4
nz7M:w
n"z+wz
*|_O9D}
ofnX.R
ok/t"'
OpenThreadToken
op-!;J
*oqR74>
^O_vEB=
o|zZ0P
p>;B{22
pfj>e!
'PJ..G.-
PSSSSSSSj
P""Uem
PUtXo]3
(@+	?q
q6~]`f
QlE$aO
Qt63yOn
QueryPerformanceCounter
R)	16`
;;R(5N
RevertToSelf
RtlAdjustPrivilege
RtlInitUnicodeString
RtlUnhandledExceptionFilter
RtlUnwind
R^TNk]z
_R&,wbo
SamIInitialize
SampUsingDsData
SAMSRV.dll
ServiceInit
SetErrorMode
SetUnhandledExceptionFilter
sj$\WhS
{sqU(hA
T@_1{q
Tak/kz
TerminateProcess
_t,hI #
!This program cannot be run in DOS mode.
TKt"7S
;t$(v(
U0c7K!
UnhandledExceptionFilter
'U|Pec
UQPXY]Y[
`v%0(-
v7K<`#
" V8Fyh
VC20XC00U
VirtualQuery
'VLKMf
WewN|B
]XB6->
X};-bO
x~CI,>
:X(:je
X<+=L*
Xweja]F
XX?CUf
xY\b$D:
Y-eT*K+
_Y}gK}}W.
.Yk5U.
z7YRo1
z~a3G]