Analysis Date: 2015-10-13 11:27:01
MD5: 25c265aa607e62863c7e5a222b74e3aa
SHA1: cf9391ed6388e60cf6cd3aef838869968228510b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Section .text     md5: 92c0ef651663630b5e4e04755207f5e3 sha1: a6bc4b7d8e82a6c99a41faa70222db027d534ea9 size: 225280
Section .data     md5: 333da686a380bd73b56b01f2b52cdff7 sha1: 65b788cd53084193922dd94d4a7667608a99962e size: 20480
Section .rdata    md5: 7d7b1c9a376a9fc495f36223061e864b sha1: 5220e618b33720b20e9f628ce2feea5840ee3e2d size: 38912
Section .eh_fram  md5: 6b3bb6868eed4a5869bc8a8e05f8e073 sha1: afc376677d78dbfd25787133dfad6bba31fa8667 size: 40448
Section .bss      md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata    md5: 63849760ee1a46b8553b2b0e00ed938e sha1: a956172e58613d44b262165086222a42492233ad size: 6656
Section .CRT      md5: eadf6021249cf5e00f071f7229a6b1e9 sha1: 85e0a569b9f297006bd747221c6ec3ea3aceaa54 size: 512
Section .tls      md5: 0ce6abcd4a239e467a3f7c1eae57b7ac sha1: 517a855bd75ab3981304fca2766a949050841c60 size: 512

Timestamp: 2015-03-05 06:30:19
PEhash: 50a6930baa6c496692ebdeddd958ef8481fbdafa
IMPhash: 333f68b456edff5fdc87e530ee9ba5af

AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.51758
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV BullGuard: Gen:Variant.Symmi.51758
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.51758
AV Ikarus: Trojan.Win32.Agent
AV Frisk (f-prot): no_virus
AV Authentium: W32/S-6a8c3109!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV K7: Trojan ( 004c988e1 )
AV BitDefender: Gen:Variant.Symmi.51758
AV Fortinet: W32/Agent.XDQ!tr
AV Symantec: Downloader.Upatre!g16
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.XDQ
AV Alwil (avast): no_virus
AV Ad-Aware: Gen:Variant.Symmi.51758
AV Twister: no_virus
AV Avira (antivir): TR/ATRAPS.A.9221
AV Mcafee: Trojan-FGOJ!25C265AA607E
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\swkdxnvmpr3a\laqdkjisb6
Creates File: C:\swkdxnvmpr3a\laqdkjisb6
Creates File: C:\swkdxnvmpr3a\txkgwivh1jk0zmcyusl90tsq.exe
Deletes File: C:\WINDOWS\swkdxnvmpr3a\laqdkjisb6
Creates Process: C:\swkdxnvmpr3a\txkgwivh1jk0zmcyusl90tsq.exe

Process
↳ C:\swkdxnvmpr3a\txkgwivh1jk0zmcyusl90tsq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPsec Security Problem Logs Time Auto Font ➝ C:\swkdxnvmpr3a\zdjcvsiagk.exe
Creates File: C:\swkdxnvmpr3a\zdjcvsiagk.exe
Creates File: C:\WINDOWS\swkdxnvmpr3a\laqdkjisb6
Creates File: PIPE\lsarpc
Creates File: C:\swkdxnvmpr3a\yhvsalwww8md
Creates File: C:\swkdxnvmpr3a\laqdkjisb6
Deletes File: C:\WINDOWS\swkdxnvmpr3a\laqdkjisb6
Creates Process: C:\swkdxnvmpr3a\zdjcvsiagk.exe
Creates Service: Identity Adapter UserMode - C:\swkdxnvmpr3a\zdjcvsiagk.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1860

Process
↳ Pid 1132

Process
↳ C:\swkdxnvmpr3a\zdjcvsiagk.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\swkdxnvmpr3a\mvec5xgimi.exe
Creates File: C:\WINDOWS\swkdxnvmpr3a\laqdkjisb6
Creates File: C:\swkdxnvmpr3a\bzqtoowl1cex
Creates File: C:\swkdxnvmpr3a\yhvsalwww8md
Creates File: \Device\Afd\Endpoint
Creates File: C:\swkdxnvmpr3a\laqdkjisb6
Deletes File: C:\WINDOWS\swkdxnvmpr3a\laqdkjisb6
Creates Process: xamqu5qaovuu "c:\swkdxnvmpr3a\zdjcvsiagk.exe"

Process
↳ C:\swkdxnvmpr3a\zdjcvsiagk.exe

Creates File: C:\WINDOWS\swkdxnvmpr3a\laqdkjisb6
Creates File: C:\swkdxnvmpr3a\laqdkjisb6
Deletes File: C:\WINDOWS\swkdxnvmpr3a\laqdkjisb6

Process
↳ xamqu5qaovuu "c:\swkdxnvmpr3a\zdjcvsiagk.exe"

Creates File: C:\WINDOWS\swkdxnvmpr3a\laqdkjisb6
Creates File: C:\swkdxnvmpr3a\laqdkjisb6
Deletes File: C:\WINDOWS\swkdxnvmpr3a\laqdkjisb6

Network Details:

HTTP GET: http://genevieveanthonyson.net/index.php
User-Agent: (empty)
HTTP GET: http://catherinewilliamson.net/index.php
User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.63:80
