Analysis Date: 2015-11-17 22:57:48
MD5: 8d9653f51fd78e8625dc15278a84f0fa
SHA1: d61173becf3fb2b434c4cd5dff46309362eea335

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 d244eeff626d977689916bb024e18e8a, sha1 c6e38339c2aeb0cbb65bd68d818fb91535296e6d, size 29184
Section .rdata: md5 34b17ba7e56839292133d0e27e080bb0, sha1 35e2d7ac9428299c108c3b2112dc6a24215cf01b, size 9728
Section .data: md5 734c7654fe2dea3b79512122cc8ecd58, sha1 4440952d4a226ed2f55962203cd549a4fa28bd7b, size 21504
Section .rsrc: md5 f2c1c31277904532a718e9eea4727a2e, sha1 038d73e426f384722e221a06562020f2e7655b00, size 55296
Section .reloc: md5 b8bba4697ffa167699398335b46c5aac, sha1 e06c73371bc2f6730cd72f509053fab721b92067, size 3584
Timestamp: 2013-05-10 14:39:58
Version info:
LegalCopyright: Copyright (c) 1995-2005 Ahead Software and its licensors
InternalName: Nero BackItUp Restore
FileVersion: 1, 2, 0, 60
CompanyName: Ahead Software AG
PrivateBuild:
LegalTrademarks:
Comments: Nero BackItUp Restore application, used to restore a single file backed up by Nero BackItUp
ProductName: Nero BackItUp Restore
SpecialBuild: 1, 2, 0, 60
ProductVersion: 1, 2, 0, 60
FileDescription: Nero BackItUp Restore Application
OriginalFilename: NBR.EXE
Packer: Microsoft Visual C++ ?.?
PEhash: 9c95430f9f26098ce8fcca8c9001efada057d7f5
Imphash: 505251eb270699d18d85e2a7503ef4e2
AV Rising: no_virus
AV McAfee: Fake-Rena-FATY!8D9653F51FD7
AV Avira (antivir): TR/Dldr.Andromeda.utc
AV Twister: Trojan.50887F9E33698205
AV Ad-Aware: Gen:Variant.Symmi.20371
AV Alwil (avast): Ransom-AIR [Trj]
AV Eset (nod32): Win32/Injector.AGKK
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Trojan.Zbot!gen44
AV Fortinet: W32/Andromeda.UTC!tr.dldr
AV BitDefender: Gen:Variant.Symmi.20371
AV K7: no_virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue.I
AV MicroWorld (escan): Gen:Variant.Symmi.20371
AV MalwareBytes: Trojan.Injector
AV Authentium: W32/Zbot.TJ.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Virus.Win32.Cryptor
AV Emsisoft: Gen:Variant.Symmi.20371
AV Zillya!: Downloader.Andromeda.Win32.3365
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_SPNR.35FE13
AV CAT (quickheal): Worm.Gamarue.r5
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Oop
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.20371
AV Arcabit (arcavir): Gen:Variant.Symmi.20371
AV ClamAV: no_virus
AV Dr. Web: Trojan.Necurs.198
AV F-Secure: Gen:Variant.Symmi.20371
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe
Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\msrfrw.com\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msrfrw.com
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\D61173~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net  Type: A  65.55.50.190
DNS: www.update.microsoft.com.nsatc.net  Type: A  65.55.50.189
DNS: kodaly.org.au  Type: A  43.241.54.230
DNS: www.update.microsoft.com  Type: A
DNS: www.kodaly.org.au  Type: A
HTTP POST: http://www.kodaly.org.au/libraries/andro/image.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.190:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1033 ➝ 43.241.54.230:80
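The runtime and network entries above describe a complete chain: the sample spawns a copy of itself, starts wuauclt.exe, drops msrfrw.com into the shared All Users temp directory, persists through the Policies\Explorer\Run key, deletes an executable whose 8.3 short name (D61173~1.EXE) matches the sample's SHA1 prefix, and POSTs to image.php with a bare Mozilla/4.0 User-Agent. The script below is an added example, not code or output from the sandbox that produced this report: it parses those entries (normalised to one `Key: value` per line, as the report is laid out here) into IOCs, flags the behaviours a detection engineer would act on, and lists blocklist candidates. Two things are assumptions rather than facts from the report: that the update.microsoft.com lookups are a connectivity check and not C2 (a trait of the Andromeda/Gamarue family that several of the AV labels above name, but the report does not say why the lookup happened), and the list of executable extensions treated as a dropped payload.

```python
"""Extract IOCs from a sandbox report in the 'Key: value' layout used above
and flag the behaviours worth alerting on. Added example; the field names and
line shapes come from this one report, not from a published sandbox schema."""
import re
from urllib.parse import urlparse

# Constructed input: the Runtime and Network entries of the report above,
# one 'Key: value' per line, registry key and data joined with ' ➝ '.
REPORT = r"""
MD5: 8d9653f51fd78e8625dc15278a84f0fa
SHA1: d61173becf3fb2b434c4cd5dff46309362eea335
Creates Process: C:\malware.exe
Creates Process: C:\WINDOWS\system32\wuauclt.exe
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\msrfrw.com\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msrfrw.com
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\D61173~1.EXE
Creates Mutex: 3227095050
DNS: www.update.microsoft.com.nsatc.net  Type: A  65.55.50.190
DNS: www.update.microsoft.com.nsatc.net  Type: A  65.55.50.189
DNS: kodaly.org.au  Type: A  43.241.54.230
DNS: www.update.microsoft.com  Type: A
DNS: www.kodaly.org.au  Type: A
HTTP POST: http://www.kodaly.org.au/libraries/andro/image.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.190:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1033 ➝ 43.241.54.230:80
"""

# Assumption: Windows Update hosts are looked up as a connectivity check, not
# as C2, so they are kept out of the blocklist. Tune for your environment.
CONNECTIVITY_CHECK_SUFFIXES = ("microsoft.com", "nsatc.net")
# Assumption: extensions that count as a dropped executable payload.
PAYLOAD_EXTENSIONS = (".exe", ".com", ".scr", ".pif")

DNS_RE = re.compile(r"DNS: (\S+)\s+Type: (\w+)(?:\s+(\S+))?$")
FLOW_RE = re.compile(r"Flows (\w+): (\S+) ➝ (\S+)$")


def parse_report(text):
    """Turn the report lines into a dict of typed indicators."""
    iocs = {"hashes": {}, "processes": [], "files_created": [], "files_deleted": [],
            "mutexes": [], "registry": [], "dns": {}, "http": [], "flows": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DNS_RE.match(line)
        if m:  # one entry per lookup; a name may resolve to several addresses
            ips = iocs["dns"].setdefault(m.group(1), [])
            if m.group(3):
                ips.append(m.group(3))
            continue
        m = FLOW_RE.match(line)
        if m:
            iocs["flows"].append((m.group(1), m.group(2), m.group(3)))
            continue
        key, _, value = line.partition(": ")
        if key in ("MD5", "SHA1"):
            iocs["hashes"][key.lower()] = value
        elif key == "Creates Process":
            iocs["processes"].append(value)
        elif key == "Creates File":
            iocs["files_created"].append(value)
        elif key == "Deletes File":
            iocs["files_deleted"].append(value)
        elif key == "Creates Mutex":
            iocs["mutexes"].append(value)
        elif key == "Registry":
            # The sandbox prints the NUL terminator of the REG_SZ data as \x00.
            reg_key, _, data = value.partition(" ➝ ")
            iocs["registry"].append((reg_key, re.sub(r"\\+x00$", "", data)))
        elif key.startswith("HTTP "):
            iocs["http"].append({"method": key.split()[1], "url": value, "user_agent": None})
        elif key == "User-Agent" and iocs["http"]:
            iocs["http"][-1]["user_agent"] = value
    return iocs


def flag_behaviours(iocs):
    """Return one finding per behaviour that should raise an alert."""
    findings = []
    for reg_key, data in iocs["registry"]:
        # Policies\Explorer\Run is a Group Policy run list executed at logon;
        # triage that only checks Run/RunOnce misses it.
        if "\\policies\\explorer\\run\\" in reg_key.lower():
            findings.append(f"persistence: {reg_key} -> {data}")
    for path in iocs["files_created"]:
        low = path.lower()
        if "\\all users\\local settings\\temp\\" in low and low.endswith(PAYLOAD_EXTENSIONS):
            findings.append(f"payload dropped in shared temp: {path}")
    for proc in iocs["processes"]:
        # wuauclt.exe started by the sample instead of the Update service is
        # an injection host, not a real update check.
        if proc.lower().endswith("\\wuauclt.exe"):
            findings.append(f"system binary spawned as injection host: {proc}")
    for path in iocs["files_deleted"]:
        if path.lower().endswith(".exe"):
            findings.append(f"executable deleted after execution: {path}")
    for req in iocs["http"]:
        ua = req["user_agent"] or ""
        # A bare 'Mozilla/4.0' with no platform string is not a real browser.
        if (req["method"] == "POST" and req["url"].lower().endswith(".php")
                and re.fullmatch(r"Mozilla/\d\.\d", ua)):
            findings.append(f"beacon: POST {req['url']} with generic UA {ua!r}")
    return findings


def blocklist_candidates(iocs):
    """Hosts and addresses worth blocking, minus the connectivity-check lookups."""
    out = set()
    for name, ips in iocs["dns"].items():
        if name.endswith(CONNECTIVITY_CHECK_SUFFIXES):
            continue
        out.add(name)
        out.update(ips)
    for req in iocs["http"]:
        host = urlparse(req["url"]).hostname
        if host:
            out.add(host)
    return out


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for finding in flag_behaviours(parsed):
        print("[!]", finding)
    print("block:", sorted(blocklist_candidates(parsed)))
```

Run as-is it reports five findings (persistence key, dropped .com payload, wuauclt.exe spawn, deleted .exe, PHP beacon) and three blocklist candidates: kodaly.org.au, www.kodaly.org.au and 43.241.54.230. The 65.55.50.x flow is deliberately not listed; blocking Windows Update addresses because a sample used them as a reachability probe would break patching without hurting the malware.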
