Analysis Date: 2015-09-17 15:30:45
MD5: 7fd94650da058dc3d2985fc0bbe6bf80
SHA1: dbc9eef10c53a50b7b91528b91b068453c25a8e1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: d0aa46516bc32ee4ed5407439718b419  sha1: 6e4665a69136c6ee6030e0073e68402f47ef86ad  size: 365568
Section .rdata  md5: 4f4725a7e6a3c934528b5505c73a5d27  sha1: 8be7096ab011311cf95feda2ae4406cb7f5a46d0  size: 112640
Section .data   md5: 4c7727f5077894ef6f37ef876754ecb5  sha1: 11543490735b53e8ccd6c62ff132fab875b371a1  size: 50688
Section .rsrc   md5: 6f887b6a452d0e5d906e5e6e871d36e8  sha1: 8ec8afbc5044316a26011d72ce410098f98c0dd2  size: 31744
Section .reloc  md5: 9cece16fc2586d1135f8429b82e661de  sha1: 2ffdf4498fd10c764fbdb110cec05fbe11904284  size: 12288
Timestamp: 2015-09-02 01:18:34
Pdb path: H:\moved\referenced\GPRS\challengi.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 914afbe2540626b31c4a7b00792b10ac0fb80aa8
IMPhash: 0ca8fd97d93758c8e87d0cc6211bc089
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: GenericR-EKO!7FD94650DA05
AV Avira (antivir): TR/Crypt.Xpack.249273
AV Twister: W32.Kovter.D.eyxa
AV Ad-Aware: Trojan.GenericKD.2696637
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Kovter.D
AV Grisoft (avg): Pakes.RFR
AV Symantec: Trojan.Ransomlock.AK
AV Fortinet: W32/Upatre.EQMP!tr.dldr
AV BitDefender: Trojan.GenericKD.2696637
AV K7: Trojan ( 004c672c1 )
AV Microsoft Security Essentials: Trojan:Win32/Kovter!rfn
AV MicroWorld (escan): Trojan.GenericKD.2696637
AV MalwareBytes: Trojan.Agent.ED
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Kovter
AV Emsisoft: Trojan.GenericKD.2696637
AV Zillya!: Downloader.Upatre.Win32.52139
AV Kaspersky: Trojan-Downloader.Win32.Upatre.eqmp
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.2696637
AV Arcabit (arcavir): Trojan.GenericKD.2696637
AV ClamAV: no_virus
AV Dr. Web: Trojan.MulDrop6.3116
AV F-Secure: Trojan.GenericKD.2696637

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_LOCAL_MACHINE\software\2a89521acd\7bf7927d ➝ 869\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝ 8888
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\software\2a89521acd\7bf7927d ➝ 869\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝ 8888
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\71.25.51[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\suweta\suweta.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\71.25.51[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Deletes File: c:\malware.exe
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DE7B2F08C5C35678
Creates Mutex: Global\A0B9737978FF60B0
Winsock DNS: microsoft.com
Winsock DNS: 71.25.51.56

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Creates Mutex: 5734B585673D7847

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\1D722285026A791585\7A194AB288E5CEDB ➝ 7A194AB288E5CEDB\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\439BFB6E95AB45F3\1B6F17D0A8D6A95FD7AD ➝ 1B6F17D0A8D6A95FD7AD\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart
Winsock DNS: download.microsoft.com

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\NETFX2~1.EXE
Deletes File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp

Network Details:

DNS: microsoft.com  Type: A  134.170.188.221
DNS: microsoft.com  Type: A  134.170.185.46
DNS: a767.dscms.akamai.net  Type: A  23.3.98.10
DNS: a767.dscms.akamai.net  Type: A  23.3.98.32
DNS: download.microsoft.com  Type: A
HTTP GET: http://microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://71.25.51.56/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.188.221:80
Flows TCP: 192.168.1.1:1032 ➝ 20.252.16.115:80
Flows TCP: 192.168.1.1:1033 ➝ 71.25.51.56:80
Flows TCP: 192.168.1.1:1035 ➝ 217.242.74.123:80
Flows TCP: 192.168.1.1:1036 ➝ 156.28.21.71:80
Flows TCP: 192.168.1.1:1037 ➝ 113.88.23.224:80
Flows TCP: 192.168.1.1:1038 ➝ 71.25.51.56:80
Flows TCP: 192.168.1.1:1039 ➝ 126.83.201.84:80
Flows TCP: 192.168.1.1:1040 ➝ 79.167.109.246:80
Flows TCP: 192.168.1.1:1041 ➝ 26.18.47.169:80
Flows TCP: 192.168.1.1:1042 ➝ 23.3.98.10:80
Flows TCP: 192.168.1.1:1044 ➝ 90.178.247.3:80
Flows TCP: 192.168.1.1:1045 ➝ 193.234.14.194:80
Flows TCP: 192.168.1.1:1047 ➝ 1.198.54.86:80
Flows TCP: 192.168.1.1:1048 ➝ 135.172.95.128:80
Flows TCP: 192.168.1.1:1049 ➝ 83.87.238.9:80
Flows TCP: 192.168.1.1:1050 ➝ 90.200.111.85:80
Flows TCP: 192.168.1.1:1052 ➝ 89.158.222.209:443
Flows TCP: 192.168.1.1:1053 ➝ 61.240.201.42:80
Flows TCP: 192.168.1.1:1054 ➝ 110.72.220.65:80
Flows TCP: 192.168.1.1:1055 ➝ 173.243.252.229:8080
Flows TCP: 192.168.1.1:1056 ➝ 216.4.236.250:8080
Flows TCP: 192.168.1.1:1057 ➝ 204.138.185.91:80
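
Only three of the destinations above are explained by the rest of the report: two are A answers recorded in the DNS section (134.170.188.221 for microsoft.com, 23.3.98.10 for a767.dscms.akamai.net) and one, 71.25.51.56, is the literal IP used as the Host of the POST. The remaining connections have no name lookup and no HTTP request recorded. The following script is an added triage example, not output of the sandbox that produced this report; the flow, DNS-answer and HTTP-host lines are copied from the Network Details above (the report's arrow glyph is replaced with "->" in the embedded copy), and the function and label names are the example's own.

```python
import ipaddress
from collections import Counter

# Flow lines copied from the report (arrow glyph replaced with "->").
FLOWS = """\
192.168.1.1:1031 -> 134.170.188.221:80
192.168.1.1:1032 -> 20.252.16.115:80
192.168.1.1:1033 -> 71.25.51.56:80
192.168.1.1:1035 -> 217.242.74.123:80
192.168.1.1:1036 -> 156.28.21.71:80
192.168.1.1:1037 -> 113.88.23.224:80
192.168.1.1:1038 -> 71.25.51.56:80
192.168.1.1:1039 -> 126.83.201.84:80
192.168.1.1:1040 -> 79.167.109.246:80
192.168.1.1:1041 -> 26.18.47.169:80
192.168.1.1:1042 -> 23.3.98.10:80
192.168.1.1:1044 -> 90.178.247.3:80
192.168.1.1:1045 -> 193.234.14.194:80
192.168.1.1:1047 -> 1.198.54.86:80
192.168.1.1:1048 -> 135.172.95.128:80
192.168.1.1:1049 -> 83.87.238.9:80
192.168.1.1:1050 -> 90.200.111.85:80
192.168.1.1:1052 -> 89.158.222.209:443
192.168.1.1:1053 -> 61.240.201.42:80
192.168.1.1:1054 -> 110.72.220.65:80
192.168.1.1:1055 -> 173.243.252.229:8080
192.168.1.1:1056 -> 216.4.236.250:8080
192.168.1.1:1057 -> 204.138.185.91:80
"""
# A-record answers and HTTP Host values copied from the report's DNS / HTTP lines.
DNS_ANSWERS = {"134.170.188.221", "134.170.185.46", "23.3.98.10", "23.3.98.32"}
HTTP_HOSTS = {"microsoft.com", "71.25.51.56", "download.microsoft.com"}


def parse_flows(text):
    """Return (src_ip, src_port, dst_ip, dst_port) tuples; lines that are not
    'src:port <arrow> dst:port' are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src_ip, src_port = parts[0].rsplit(":", 1)
        dst_ip, dst_port = parts[2].rsplit(":", 1)
        flows.append((src_ip, int(src_port), dst_ip, int(dst_port)))
    return flows


def classify(flows, dns_answers, http_hosts):
    """Label each unique (ip, port): 'dns' when a recorded A answer explains
    the address, 'http-literal-ip' when an HTTP request named the bare IP as
    Host, otherwise 'unexplained' (no lookup and no request in the report)."""
    literal_ip_hosts = set()
    for host in http_hosts:
        try:
            ipaddress.ip_address(host)
            literal_ip_hosts.add(host)
        except ValueError:
            pass  # a hostname, not an address literal
    labels = {}
    for _, _, ip, port in flows:
        if ip in dns_answers:
            label = "dns"
        elif ip in literal_ip_hosts:
            label = "http-literal-ip"
        else:
            label = "unexplained"
        labels[(ip, port)] = label
    return labels


def unexplained_destinations(labels):
    return sorted(dest for dest, label in labels.items() if label == "unexplained")


def port_histogram(dests):
    """Destination-port breakdown, useful to spot non-80 ports among the unexplained set."""
    return dict(Counter(port for _, port in dests))


if __name__ == "__main__":
    labels = classify(parse_flows(FLOWS), DNS_ANSWERS, HTTP_HOSTS)
    unexplained = unexplained_destinations(labels)
    for ip, port in unexplained:
        print(f"no DNS/HTTP context: {ip}:{port}")
    print(port_histogram(unexplained))
```

The labelling only says what the report does and does not account for; it does not identify what the unexplained hosts are, and a DNS-less connection can also be a hard-coded address that the sample tried and got no useful answer from.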

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000050 (00080)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000060 (00096)   2e353037 3237290d 0a486f73 743a206d   .50727)..Host: m
0x00000070 (00112)   6963726f 736f6674 2e636f6d 0d0a4361   icrosoft.com..Ca
0x00000080 (00128)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000090 (00144)   63616368 650d0a0d 0a                  cache....

0x00000000 (00000)   35                                    5

0x00000000 (00000)   49                                    I

0x00000000 (00000)   bb                                    .

0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a436f6e 74656e74 2d547970 653a2061   .Content-Type: a
0x00000020 (00032)   70706c69 63617469 6f6e2f78 2d777777   pplication/x-www
0x00000030 (00048)   2d666f72 6d2d7572 6c656e63 6f646564   -form-urlencoded
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000050 (00080)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000060 (00096)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000070 (00112)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000080 (00128)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000090 (00144)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000a0 (00160)   2037312e 32352e35 312e3536 0d0a436f    71.25.51.56..Co
0x000000b0 (00176)   6e74656e 742d4c65 6e677468 3a203339   ntent-Length: 39
0x000000c0 (00192)   320d0a43 61636865 2d436f6e 74726f6c   2..Cache-Control
0x000000d0 (00208)   3a206e6f 2d636163 68650d0a 0d0a636d   : no-cache....cm
0x000000e0 (00224)   7041675a 55395634 664a4567 5268684b   pAgZU9V4fJEgRhhK
0x000000f0 (00240)   49763669 53386f4f 65302b4b 2b57586b   Iv6iS8oOe0+K+WXk
0x00000100 (00256)   396d5468 6d553354 76514e70 4f6a6450   9mThmU3TvQNpOjdP
0x00000110 (00272)   764c5055 6b647346 6f6e4378 74307439   vLPUkdsFonCxt0t9
0x00000120 (00288)   394e5878 63575249 4d344835 54443436   9NXxcWRIM4H5TD46
0x00000130 (00304)   6931307a 50434b4b 4f544835 41383943   i10zPCKKOTH5A89C
0x00000140 (00320)   4946754e 7950375a 56386a6a 4e315632   IFuNyP7ZV8jjN1V2
0x00000150 (00336)   57653346 43427579 43324a37 58734e74   We3FCBuyC2J7XsNt
0x00000160 (00352)   532b4a7a 63587365 2f347547 56694b36   S+JzcXse/4uGViK6
0x00000170 (00368)   474a7949 346e5973 7561532f 68377856   GJyI4nYsuaS/h7xV
0x00000180 (00384)   59524a64 476c5031 754b794f 2b386d36   YRJdGlP1uKyO+8m6
0x00000190 (00400)   41796967 67394630 78584246 424b3167   Ayigg9F0xXBFBK1g
0x000001a0 (00416)   63507057 4a2b344b 5749314f 30504a53   cPpWJ+4KWI1O0PJS
0x000001b0 (00432)   2b476965 47354d34 6e544957 734b5a6c   +GieG5M4nTIWsKZl
0x000001c0 (00448)   37385a6d 556f794a 4e38504f 57776d51   78ZmUoyJN8POWwmQ
0x000001d0 (00464)   7a364d4f 53446b53 3474346f 71514764   z6MOSDkS4t4oqQGd
0x000001e0 (00480)   6c4a6e53 77573463 346a3778 4e673868   lJnSwW4c4j7xNg8h
0x000001f0 (00496)   32374c67 326f7230 43777565 4d495046   27Lg2or0CwueMIPF
0x00000200 (00512)   4e34672b 66347652 334d5476 62557744   N4g+f4vR3MTvbUwD
0x00000210 (00528)   416f6768 66616b72 56576130 476d6962   AoghfakrVWa0Gmib
0x00000220 (00544)   6944316a 2b6a6b33 7a6f5374 526e304d   iD1j+jk3zoStRn0M
0x00000230 (00560)   685a4369 4c654156 4934686d 76574f67   hZCiLeAVI4hmvWOg
0x00000240 (00576)   666c4c68 73596561 6a633258 416f5a6e   flLhsYeajc2XAoZn
0x00000250 (00592)   444a3077 7a726438 37584f66 78627834   DJ0wzrd87XOfxbx4
0x00000260 (00608)   41695773 553d                         AiWsU=

0x00000000 (00000)   ab                                    .

0x00000000 (00000)   53                                    S

0x00000000 (00000)   a3                                    .

0x00000000 (00000)   47455420 2f646f77 6e6c6f61 642f302f   GET /download/0/
0x00000010 (00016)   382f632f 30386331 39666134 2d346334   8/c/08c19fa4-4c4
0x00000020 (00032)   662d3466 66622d39 6436632d 31353039   f-4ffb-9d6c-1509
0x00000030 (00048)   30363537 38633965 2f4e6574 46783230   06578c9e/NetFx20
0x00000040 (00064)   5350315f 7838362e 65786520 48545450   SP1_x86.exe HTTP
0x00000050 (00080)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000060 (00096)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000070 (00112)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000080 (00128)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000090 (00144)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000a0 (00160)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000b0 (00176)   6f73743a 20646f77 6e6c6f61 642e6d69   ost: download.mi
0x000000c0 (00192)   63726f73 6f66742e 636f6d0d 0a436163   crosoft.com..Cac
0x000000d0 (00208)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000e0 (00224)   61636865 0d0a0d0a 664a4567 5268684b   ache....fJEgRhhK
0x000000f0 (00240)   49763669 53386f4f 65302b4b 2b57586b   Iv6iS8oOe0+K+WXk
0x00000100 (00256)   396d5468 6d553354 76514e70 4f6a6450   9mThmU3TvQNpOjdP
0x00000110 (00272)   764c5055 6b647346 6f6e4378 74307439   vLPUkdsFonCxt0t9
0x00000120 (00288)   394e5878 63575249 4d344835 54443436   9NXxcWRIM4H5TD46
0x00000130 (00304)   6931307a 50434b4b 4f544835 41383943   i10zPCKKOTH5A89C
0x00000140 (00320)   4946754e 7950375a 56386a6a 4e315632   IFuNyP7ZV8jjN1V2
0x00000150 (00336)   57653346 43427579 43324a37 58734e74   We3FCBuyC2J7XsNt
0x00000160 (00352)   532b4a7a 63587365 2f347547 56694b36   S+JzcXse/4uGViK6
0x00000170 (00368)   474a7949 346e5973 7561532f 68377856   GJyI4nYsuaS/h7xV
0x00000180 (00384)   59524a64 476c5031 754b794f 2b386d36   YRJdGlP1uKyO+8m6
0x00000190 (00400)   41796967 67394630 78584246 424b3167   Ayigg9F0xXBFBK1g
0x000001a0 (00416)   63507057 4a2b344b 5749314f 30504a53   cPpWJ+4KWI1O0PJS
0x000001b0 (00432)   2b476965 47354d34 6e544957 734b5a6c   +GieG5M4nTIWsKZl
0x000001c0 (00448)   37385a6d 556f794a 4e38504f 57776d51   78ZmUoyJN8POWwmQ
0x000001d0 (00464)   7a364d4f 53446b53 3474346f 71514764   z6MOSDkS4t4oqQGd
0x000001e0 (00480)   6c4a6e53 77573463 346a3778 4e673868   lJnSwW4c4j7xNg8h
0x000001f0 (00496)   32374c67 326f7230 43777565 4d495046   27Lg2or0CwueMIPF
0x00000200 (00512)   4e34672b 66347652 334d5476 62557744   N4g+f4vR3MTvbUwD
0x00000210 (00528)   416f6768 66616b72 56576130 476d6962   AoghfakrVWa0Gmib
0x00000220 (00544)   6944316a 2b6a6b33 7a6f5374 526e304d   iD1j+jk3zoStRn0M
0x00000230 (00560)   685a4369 4c654156 4934686d 76574f67   hZCiLeAVI4hmvWOg
0x00000240 (00576)   666c4c68 73596561 6a633258 416f5a6e   flLhsYeajc2XAoZn
0x00000250 (00592)   444a3077 7a726438 37584f66 78627834   DJ0wzrd87XOfxbx4
0x00000260 (00608)   41695773 553d                         AiWsU=

0x00000000 (00000)   3f                                    ?

0x00000000 (00000)   ae                                    .

0x00000000 (00000)   33                                    3

0x00000000 (00000)   81                                    .

0x00000000 (00000)   a5                                    .

0x00000000 (00000)   ab                                    .

0x00000000 (00000)   3d                                    =

0x00000000 (00000)   ae                                    .

0x00000000 (00000)   72                                    r

0x00000000 (00000)   7a                                    z

0x00000000 (00000)   a6                                    .

0x00000000 (00000)   79                                    y

0x00000000 (00000)   49                                    I

0x00000000 (00000)   59                                    Y
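
The dumps above are easier to work with as bytes than as hex columns. The script below is an added example, not part of the report and not output of the sandbox: it reassembles the POST dump (copied verbatim from the Raw Pcap section), parses the request, checks that the body length matches the declared Content-Length, and tests whether the body is strictly valid base64. The body is cut at Content-Length on purpose. In the dump of the GET for NetFx20SP1_x86.exe, the bytes following the blank line from offset 0xe8 onward are identical to the POST dump from the same offset, and a parser that honours Content-Length (a GET with no such header has a zero-length body) keeps such bytes out of the request instead of treating them as a payload. Function and key names are the example's own.

```python
import base64
import re

# Hex dump copied from the report's Raw Pcap section: the POST to 71.25.51.56.
POST_DUMP = """\
0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a436f6e 74656e74 2d547970 653a2061   .Content-Type: a
0x00000020 (00032)   70706c69 63617469 6f6e2f78 2d777777   pplication/x-www
0x00000030 (00048)   2d666f72 6d2d7572 6c656e63 6f646564   -form-urlencoded
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000050 (00080)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000060 (00096)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000070 (00112)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000080 (00128)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000090 (00144)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000a0 (00160)   2037312e 32352e35 312e3536 0d0a436f    71.25.51.56..Co
0x000000b0 (00176)   6e74656e 742d4c65 6e677468 3a203339   ntent-Length: 39
0x000000c0 (00192)   320d0a43 61636865 2d436f6e 74726f6c   2..Cache-Control
0x000000d0 (00208)   3a206e6f 2d636163 68650d0a 0d0a636d   : no-cache....cm
0x000000e0 (00224)   7041675a 55395634 664a4567 5268684b   pAgZU9V4fJEgRhhK
0x000000f0 (00240)   49763669 53386f4f 65302b4b 2b57586b   Iv6iS8oOe0+K+WXk
0x00000100 (00256)   396d5468 6d553354 76514e70 4f6a6450   9mThmU3TvQNpOjdP
0x00000110 (00272)   764c5055 6b647346 6f6e4378 74307439   vLPUkdsFonCxt0t9
0x00000120 (00288)   394e5878 63575249 4d344835 54443436   9NXxcWRIM4H5TD46
0x00000130 (00304)   6931307a 50434b4b 4f544835 41383943   i10zPCKKOTH5A89C
0x00000140 (00320)   4946754e 7950375a 56386a6a 4e315632   IFuNyP7ZV8jjN1V2
0x00000150 (00336)   57653346 43427579 43324a37 58734e74   We3FCBuyC2J7XsNt
0x00000160 (00352)   532b4a7a 63587365 2f347547 56694b36   S+JzcXse/4uGViK6
0x00000170 (00368)   474a7949 346e5973 7561532f 68377856   GJyI4nYsuaS/h7xV
0x00000180 (00384)   59524a64 476c5031 754b794f 2b386d36   YRJdGlP1uKyO+8m6
0x00000190 (00400)   41796967 67394630 78584246 424b3167   Ayigg9F0xXBFBK1g
0x000001a0 (00416)   63507057 4a2b344b 5749314f 30504a53   cPpWJ+4KWI1O0PJS
0x000001b0 (00432)   2b476965 47354d34 6e544957 734b5a6c   +GieG5M4nTIWsKZl
0x000001c0 (00448)   37385a6d 556f794a 4e38504f 57776d51   78ZmUoyJN8POWwmQ
0x000001d0 (00464)   7a364d4f 53446b53 3474346f 71514764   z6MOSDkS4t4oqQGd
0x000001e0 (00480)   6c4a6e53 77573463 346a3778 4e673868   lJnSwW4c4j7xNg8h
0x000001f0 (00496)   32374c67 326f7230 43777565 4d495046   27Lg2or0CwueMIPF
0x00000200 (00512)   4e34672b 66347652 334d5476 62557744   N4g+f4vR3MTvbUwD
0x00000210 (00528)   416f6768 66616b72 56576130 476d6962   AoghfakrVWa0Gmib
0x00000220 (00544)   6944316a 2b6a6b33 7a6f5374 526e304d   iD1j+jk3zoStRn0M
0x00000230 (00560)   685a4369 4c654156 4934686d 76574f67   hZCiLeAVI4hmvWOg
0x00000240 (00576)   666c4c68 73596561 6a633258 416f5a6e   flLhsYeajc2XAoZn
0x00000250 (00592)   444a3077 7a726438 37584f66 78627834   DJ0wzrd87XOfxbx4
0x00000260 (00608)   41695773 553d                         AiWsU=
"""

# One dump line: hex offset, decimal offset, then up to four groups of four bytes.
# Only the hex column is parsed; the ASCII column is lossy ('.' for non-printables).
HEXLINE = re.compile(
    r"^0x([0-9a-f]{8}) \((\d+)\)\s+"
    r"((?:[0-9a-f]{2}){1,4}(?: (?:[0-9a-f]{2}){1,4}){0,3})"
)


def dump_to_bytes(dump: str) -> bytes:
    """Reassemble the dump; offsets must be contiguous so a dropped or duplicated line raises."""
    buf = bytearray()
    for line in dump.splitlines():
        m = HEXLINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(buf) or int(m.group(2)) != offset:
            raise ValueError(f"dump not contiguous at offset {offset:#x}")
        buf += bytes.fromhex(m.group(3).replace(" ", ""))
    return bytes(buf)


def parse_http_request(raw: bytes) -> dict:
    """Split request line, headers and body; body is exactly Content-Length bytes, the rest is 'trailing'."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    declared = int(headers.get("content-length", "0"))
    return {
        "method": method.decode("ascii"),
        "target": target.decode("ascii"),
        "version": version.decode("ascii"),
        "headers": headers,
        "declared_length": declared,
        "body": rest[:declared],
        "trailing": rest[declared:],
    }


def decode_body_base64(req: dict):
    """Decoded body if it is strictly valid base64, else None; the decoded bytes themselves stay opaque."""
    try:
        return base64.b64decode(req["body"], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


if __name__ == "__main__":
    req = parse_http_request(dump_to_bytes(POST_DUMP))
    print(req["method"], req["target"], req["version"], req["headers"])
    print("declared", req["declared_length"], "got", len(req["body"]), "trailing", len(req["trailing"]))
    decoded = decode_body_base64(req)
    print("base64 body:", None if decoded is None else f"{len(decoded)} bytes")
```

A clean base64 decode only identifies the outer encoding of the POST body; it says nothing about the inner bytes, which this report gives no key or algorithm for, so the example stops there rather than guessing.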


Strings