Analysis Date: 2015-10-30 10:31:47
MD5: bc103b0ce6d120e3732ce288d8eef9df
SHA1: cf19c6e8d3283d6e0558420b627516aad370ba29

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Section   MD5                               SHA1                                      Size
.text     3bfd04f1b10d115d39a797be8facb8a6  8a8bfb33cdc9e010ac6691404cfaca1857f640bd  107008
.rdata    54935b43d7ecf08a04f921a79a164fb9  d538b0612d43815fe9dd1dfa14567c7f629f4326  41984
.data     1f065755da7256194d67cbc53822c4e4  0f432a7e8965aaf709beb8cfd21e1fa131febecc  36352
.rsrc     24220228ae4f69ef0628cbc471a138dc  8f597584c29bbc74eabb7c5baae63cf5602431a6  126976

Timestamp: 2015-10-19 10:06:23
Packer: Microsoft Visual C++ ?.?
PEhash: b21f7311dc425d5f3fb593e98c922783452119c9
IMPhash: 8502d612899c401ae8fe59a99bba6865
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: Gamarue-FDC!BC103B0CE6D1
AV Avira (antivir): TR/Crypt.ZPACK.195642
AV Twister: no_virus
AV Ad-Aware: Trojan.GenericKDZ.30724
AV Alwil (avast): Androp [Drp]
AV Eset (nod32): Win32/Injector.BNHS
AV Grisoft (avg): Crypt_r.AEY
AV Symantec: no_virus
AV Fortinet: W32/Kryptik.EASA!tr
AV BitDefender: Trojan.GenericKDZ.30724
AV K7: Trojan ( 004d46981 )
AV Microsoft Security Essentials: Ransom:Win32/Crowti
AV MicroWorld (escan): Trojan.GenericKDZ.30724
AV MalwareBytes: Ransom.CryptoWall
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Trojan.GenericKDZ.30724
AV Zillya!: no_virus
AV Kaspersky: no_virus
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Mikey.26666
AV Arcabit (arcavir): Trojan.GenericKDZ.30724
AV ClamAV: no_virus
AV Dr. Web: Trojan.Inject1.56622
AV F-Secure: Trojan.GenericKDZ.30724

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe
Creates File: C:\6ff06165\6ff06165.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\6ff06165.exe
Creates Process: -k netsvcs
Creates Process: vssadmin.exe Delete Shadows /All /Quiet

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc

Network Details:

HTTP GET: http://ip-addr.es/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://myexternalip.com/raw
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://curlmyip.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://productprovider.nl/wp-content/uploads/genesis-extender/plugin/images/HaryfG.php?t=j1wv18yy9np
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://berattv.com.tr/wp-content/plugins/newsletter/4dMplH.php?r=j1wv18yy9np
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://bono.by/wp-content/plugins/akismet/O_xjRv.php?z=j1wv18yy9np
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://voteforbrendan.biz/wp-content/themes/twentyfifteen/pLXtNm.php?h=j1wv18yy9np
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://dkforma.ru/wp-content/themes/dk/Sp6u0B.php?z=j1wv18yy9np
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://peegas.ru/wp-content/themes/twentytwelve/uQYbdq.php?a=j1wv18yy9np
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://newconsult.by/wp-content/plugins/all-in-one-seo-pack/JqT9Ls.php?x=j1wv18yy9np
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://ifloresti.ro/wp-content/plugins/navayan-subscribe/SYbJT9.php?p=j1wv18yy9np
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
