Analysis Date2015-01-06 11:55:32
MD5c78631b6abf8f57e0a1ecf5dbe88b50e
SHA1da745955e97295a029846cc7ec16aee06640ac2a

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash7bfd043ac63ba2facdc9c3129ea88fe8c8472fd7
IMPhash
AV360 Safeno_virus
AVAd-AwareTrojan.Obfus.3.Gen
AVAlwil (avast)VirLock-A:Win32:VirLock-A
AVArcabit (arcavir)Trojan.Obfus.3.Gen
AVAuthentiumW32/S-43a675a7!Eldorado
AVAvira (antivir)TR/Crypt.XPACK.Gen7
AVBullGuardTrojan.Obfus.3.Gen
AVCA (E-Trust Ino)Win32/Nabucur.A
AVCAT (quickheal)no_virus
AVClamAVno_virus
AVDr. Webno_virus
AVEmsisoftTrojan.Obfus.3.Gen
AVEset (nod32)Win32/Virlock.G virus
AVFortinetW32/Agent.NCA
AVFrisk (f-prot)no_virus
AVF-SecureTrojan.Obfus.3.Gen
AVGrisoft (avg)Win32/Cryptor
AVIkarusVirus-Ransom.FileLocker
AVK7Virus ( 0040f99f1 )
AVKasperskyVirus.Win32.PolyRansom.a
AVMalwareBytesTrojan.Agent.RND1Gen
AVMcafeeTrojan-FFGO!C78631B6ABF8
AVMicrosoft Security EssentialsVirus:Win32/Nabucur.A
AVMicroWorld (escan)Trojan.Obfus.3.Gen
AVRisingno_virus
AVSophosW32/VirRnsm-A
AVSymantecW32.Ransomlock.AO!inf
AVTrend Microno_virus
AVVirusBlokAda (vba32)no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\123.zip
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\VGocUgEA.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\VGocUgEA.bat
Creates ProcessC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates Processreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\123.zip
Creates Processreg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Creates ProcessC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1

Process
↳ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\123.zip

Creates FilePIPE\wkssvc
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\123.zip

Process
↳ C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe

RegistryHKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\VyAMAMkQ.exe ➝
C:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
Creates FileC:\RCX15.tmp
Creates FileC:\RCX14.tmp
Creates FileC:\RCX2.tmp
Creates FileCkMa.exe
Creates FilemMkU.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
Creates FileyYoK.exe
Creates FileaEEW.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
Creates FileC:\RCX5.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ.inf
Creates FileC:\RCXF.tmp
Creates FileukwE.ico
Creates FileeIQc.exe
Creates FileC:\RCX12.tmp
Creates FileKYIk.ico
Creates Filemsge.exe
Creates FileqYMm.exe
Creates FileC:\RCX18.tmp
Creates FileKoky.exe
Creates FileaIYC.ico
Creates FilegAMQ.ico
Creates FileC:\RCXE.tmp
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates FileqoUy.exe
Creates FileucQG.exe
Creates FileqoUc.ico
Creates FileFUEq.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
Creates FileC:\RCXC.tmp
Creates FileOEMs.ico
Creates FileegkC.ico
Creates FileukUk.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp.exe
Creates FileC:\RCX9.tmp
Creates FileuEwU.exe
Creates FileSQIC.ico
Creates FileGwIo.ico
Creates FileskAq.exe
Creates FilePIPE\wkssvc
Creates FileiAYG.ico
Creates FileSwUK.ico
Creates FileSUkO.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
Creates FileOQcc.exe
Creates FileC:\RCX1D.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
Creates FileKUIu.ico
Creates FileC:\RCX1B.tmp
Creates FileC:\RCX7.tmp
Creates FileKssi.exe
Creates FileC:\RCX17.tmp
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
Creates FileyUcS.ico
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
Creates FileYAEG.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
Creates FileuwAU.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
Creates FileUAYI.ico
Creates FileUIQy.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
Creates FilesUMO.exe
Creates FileKEEG.ico
Creates FileWscA.ico
Creates FileuocU.ico
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\RCX3.tmp
Creates FileC:\RCX20.tmp
Creates FileC:\RCXB.tmp
Creates FileC:\RCX10.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
Creates FilekEMe.exe
Creates FileykcW.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
Creates FileuYEU.ico
Creates FileyAQm.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
Creates FileusAU.ico
Creates FileSswu.exe
Creates FileeoME.exe
Creates FileC:\RCXD.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
Creates FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
Creates FileuwYM.exe
Creates FileC:\RCX1.tmp
Creates File\Device\Afd\Endpoint
Creates FileC:\RCX1E.tmp
Creates FileC:\RCX6.tmp
Creates FileC:\RCXA.tmp
Creates FileC:\RCX1F.tmp
Creates FileC:\RCX13.tmp
Creates FileCMoO.exe
Creates FileC:\RCX11.tmp
Creates FileC:\RCX21.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
Creates FileC:\RCX19.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
Creates Fileygce.ico
Creates FileC:\RCX1C.tmp
Creates FileC:\RCX1A.tmp
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
Creates FileeAME.ico
Creates FilesYMQ.ico
Creates FileiQAm.ico
Creates FilemgwA.ico
Creates FileC:\RCX8.tmp
Creates FileaggC.exe
Creates FileKYQG.exe
Creates FileyEEW.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
Creates FilemQQo.exe
Creates FileykIS.exe
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
Creates FileWUQc.ico
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
Creates FileSswa.exe
Creates FileKYEq.ico
Creates FilemUIE.exe
Creates FileUQQy.exe
Creates FileC:\RCX16.tmp
Creates FileigAq.ico
Creates FileOwUo.exe
Creates FileKgsy.ico
Creates FileC:\RCX4.tmp
Creates FilemosS.ico
Creates FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
Deletes FileuwAU.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp
Deletes FileUIQy.exe
Deletes FileUAYI.ico
Deletes FilesUMO.exe
Deletes FileKEEG.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp
Deletes FileCkMa.exe
Deletes FilemMkU.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp
Deletes FileyYoK.exe
Deletes FileaEEW.ico
Deletes FileWscA.ico
Deletes FileuocU.ico
Deletes FilekEMe.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp
Deletes FileukwE.ico
Deletes FileykcW.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp
Deletes FileeIQc.exe
Deletes FileuYEU.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
Deletes FileusAU.ico
Deletes FileyAQm.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp
Deletes FileSswu.exe
Deletes FileKYIk.ico
Deletes FileeoME.exe
Deletes Filemsge.exe
Deletes FileqYMm.exe
Deletes FileuwYM.exe
Deletes FileKoky.exe
Deletes FileaIYC.ico
Deletes FilegAMQ.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp
Deletes FileqoUy.exe
Deletes FileucQG.exe
Deletes FileqoUc.ico
Deletes FileCMoO.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp
Deletes FileFUEq.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\install.bmp
Deletes FileOEMs.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp
Deletes Fileygce.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp
Deletes FileegkC.ico
Deletes FileukUk.exe
Deletes FileuEwU.exe
Deletes FileSQIC.ico
Deletes FileGwIo.ico
Deletes FileskAq.exe
Deletes FileeAME.ico
Deletes FileiAYG.ico
Deletes FileSwUK.ico
Deletes FilesYMQ.ico
Deletes FileiQAm.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp
Deletes FilemgwA.ico
Deletes FileaggC.exe
Deletes FileKYQG.exe
Deletes FileyEEW.exe
Deletes FileC:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
Deletes FilemQQo.exe
Deletes FileSUkO.exe
Deletes FileykIS.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp
Deletes FileWUQc.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
Deletes FileOQcc.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp
Deletes FileKYEq.ico
Deletes FileSswa.exe
Deletes FilemUIE.exe
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp
Deletes FileKUIu.ico
Deletes FileUQQy.exe
Deletes FileigAq.ico
Deletes FileKssi.exe
Deletes FileOwUo.exe
Deletes FileKgsy.ico
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
Deletes FilemosS.ico
Deletes FileyUcS.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp
Deletes FileC:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp
Deletes FileYAEG.ico
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp
Deletes FileC:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe

RegistryHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\QWcQAwoI.exe ➝
C:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.exe
Creates FileC:\Documents and Settings\Administrator\qwEYAYUE\VyAMAMkQ
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\All Users\hEkAgEII\QWcQAwoI.inf
Creates MutexvWcsggUA
Creates MutexScUMMMcQ

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\123.zip

Network Details:

DNSgoogle.com
Type: A
173.194.121.40
DNSgoogle.com
Type: A
173.194.121.39
DNSgoogle.com
Type: A
173.194.121.38
DNSgoogle.com
Type: A
173.194.121.37
DNSgoogle.com
Type: A
173.194.121.36
DNSgoogle.com
Type: A
173.194.121.35
DNSgoogle.com
Type: A
173.194.121.34
DNSgoogle.com
Type: A
173.194.121.33
DNSgoogle.com
Type: A
173.194.121.32
DNSgoogle.com
Type: A
173.194.121.46
DNSgoogle.com
Type: A
173.194.121.41
HTTP GEThttp://google.com/
User-Agent:
HTTP GEThttp://google.com/
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1031 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1032 ➝ 173.194.121.40:80
Flows TCP192.168.1.1:1033 ➝ 173.194.121.40:80
Flows TCP192.168.1.1:1034 ➝ 200.87.164.69:9999
Flows TCP192.168.1.1:1035 ➝ 200.119.204.12:9999
Flows TCP192.168.1.1:1036 ➝ 200.119.204.12:9999
Flows TCP192.168.1.1:1037 ➝ 190.186.45.170:9999
Flows TCP192.168.1.1:1038 ➝ 190.186.45.170:9999

Raw Pcap

Strings