Analysis Date: 2015-11-28 16:16:49
MD5: 3877be9653ee5d10f5c60808665e0db4
SHA1: e2c9dd2b1c72a5a149d894e51655aca2846b5d63

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 29de4fe335d43554bd28b51751dbf012 sha1: 8096d3e18a153f6d102ae09312db4dc503a6fad6 size: 107008
Section .rdata: md5: 0ecec6e189dd59158ba9588dd0207236 sha1: 1948da9e7fbed90a2bb1d4b648860cdb6e48e03e size: 42496
Section .data: md5: 3da0b197fcd9f9cda7843f67f9818836 sha1: bf3e4162a5569dddbf62e64b753ec413aa7a6299 size: 35840
Section .rsrc: md5: ae03024f0a15b24b21f45299b3f3515a sha1: 4839062256e8e7d6fd22b4c66cb0556f2c3d8003 size: 78336
Timestamp: 2015-10-19 07:10:16
Packer: Microsoft Visual C++ ?.?
PEhash: e3f4d0752aa7523a5c544c9bdf4ac21029fcb533
IMPhash: 272db5dbb2d8b1760df3d02dc1415ab3
AV MalwareBytes: Ransom.CryptoWall
AV MicroWorld (escan): Trojan.GenericKDZ.30724
AV K7: Trojan ( 004d46981 )
AV Microsoft Security Essentials: Worm:Win32/Dorkbot.I
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Trojan.Win32.Bublik.dxnh
AV ClamAV: no_virus
AV Mcafee: Gamarue-FDC!3877BE9653EE
AV F-Secure: Trojan.GenericKDZ.30724
AV Emsisoft: Trojan.GenericKDZ.30724
AV Grisoft (avg): Crypt5.FIC
AV Dr. Web: Trojan.Inject1.56622
AV Fortinet: W32/Kryptik.EASA!tr
AV Ad-Aware: Trojan.GenericKDZ.30724
AV Frisk (f-prot): no_virus
AV Arcabit (arcavir): Trojan.GenericKDZ.30724
AV BitDefender: Trojan.GenericKDZ.30724
AV Eset (nod32): Win32/Injector.BNHS
AV BullGuard: Trojan.GenericKDZ.30724
AV Alwil (avast): Androp [Drp]
AV Avira (antivir): Worm/Dorkbot.264704.1
AV Authentium: W32/Agent.XL.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Ransom.Crowti.B4
AV Padvish: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Installer ➝ C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Live.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Live.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp41.tmp
Creates Mutex: 316Mutex316Explorer316Mutex316
Creates Mutex: 1z2z3reas34534543233245x6

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Live ➝ C:\Documents and Settings\Administrator\Application Data\Windows Live\loevjtallr.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Live ➝ C:\Documents and Settings\Administrator\Application Data\Windows Live\loevjtallr.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Windows Live\debug_cache_dump_2384394.dmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\apiSoftCA
Creates File: C:\Documents and Settings\Administrator\Application Data\Windows Live\loevjtallr.exe
Deletes File: C:\Documents and Settings\All users\Start Menu\Programs\Startup\desktop.ini
Deletes File: C:\malware.exe
Deletes File: C:\irwqehdtj\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\desktop.ini
Deletes File: C:\Documents and Settings\All users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
Deletes File: C:\irwqehdtj\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\INFO2
Deletes File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
Creates Mutex: 316Mutex316Explorer316Mutex316

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Network Details:
