Analysis Date: 2015-09-17 15:55:13
MD5: 586f70c239504181c4fc2fde84f0cdfd
SHA1: ed5f411312342edf67c9774dfe3b1668237ec780

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 system file
Section .text md5: 69000f0a253c48efb60d02bbe6bc6c2c sha1: c6c2a8fd37deed65038ea06729a9f8cc5e4e36c7 size: 294912
Section .rdata md5: 9301bbddebafcfa7aa8373f210cf6427 sha1: 6dc9fd43893376e46c5d13945dbfd2f0376d87bf size: 46592
Section .data md5: a74baca2e3e164ce3d9cee8821da6f2a sha1: 71a2c24ac98e0635f2494e7fd661257d28bfaa6a size: 5632
Section .rsrc md5: 01388b519a537c3faa2b211c3f15bd2f sha1: e382dfa4865a5ccf87ebacf4da22456c53f6b2ad size: 104448
Section .reloc md5: 7eb32ede7d7ffcfcf370d5ad65442828 sha1: d7072a8e7b7404ffb2d944226911d65cbcda82e9 size: 9728
Timestamp: 2015-09-02 00:22:07
Pdb path: P:\work\Refer\closely\achieve\unre.pdb
Version:
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: BoxStub.exe
FileVersion: 10.0.30203.0
CompanyName: Microsoft Corporation
ProductName: Microsoft® .NET Framework
ProductVersion: 10.0.30203.0
FileDescription: Box Stub
OriginalFilename: BoxStub.exe
Packer: Microsoft Visual C++ ?.?
PEhash: f67d21416b987f2564f1b7e44d8c65e1cb1e656f
IMPhash: 81eba609f09f83ae8dff82a3ad01aaef
AV Rising: no_virus
AV Mcafee: GenericR-EJS!586F70C23950
AV Avira (antivir): TR/Crypt.Xpack.248982
AV Twister: Trojan.Girtk.DVOB.cjrk
AV Ad-Aware: Gen:Variant.Symmi.54551
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/Kryptik.DVOB
AV Grisoft (avg): Crypt4.CEBA
AV Symantec: Trojan.Ransomlock.AK
AV Fortinet: W32/Kryptik.DTTK!tr
AV BitDefender: Gen:Variant.Symmi.54551
AV K7: Trojan ( 004cd7091 )
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.54551
AV MalwareBytes: Backdoor.Bot
AV Authentium: W32/Trojan.HCUS-0274
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Symmi.54551
AV Zillya!: Trojan.Kryptik.Win32.786819
AV Kaspersky: Trojan-Downloader.Win32.Upatre.eqkl
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.54551
AV Arcabit (arcavir): Gen:Variant.Symmi.54551
AV ClamAV: no_virus
AV Dr. Web: Trojan.MulDrop6.3201
AV F-Secure: Gen:Variant.Symmi.54551
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Creates Process: regsvr32.exe

Process
↳ regsvr32.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_LOCAL_MACHINE\software\2a89521acd\7bf7927d ➝
869\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝
8888
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\software\2a89521acd\7bf7927d ➝
869\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1206 ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝
8888
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\dipeva\dipeva.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\195.94.223[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\195.94.223[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Deletes File: c:\malware.exe
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Process: "C:\WINDOWS\system32\regsvr32.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DE7B2F08C5C35678
Creates Mutex: Global\A0B9737978FF60B0
Winsock DNS: microsoft.com
Winsock DNS: 195.94.223.153

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Creates Mutex: 5734B585673D7847

Process
↳ "C:\WINDOWS\system32\regsvr32.exe"

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\48A55497D386A394\F5DC348117F41EA13FF4 ➝
F5DC348117F41EA13FF4\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\5FAFE4859468130C\D4689994FA4AF5793 ➝
D4689994FA4AF5793\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart
Winsock DNS: download.microsoft.com

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\NETFX2~1.EXE
Deletes File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp
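The rows above show the dropper spawning regsvr32.exe, which then performs the registry writes and the network activity: an HKLM/HKCU key named 2a89521acd holding the User-Agent string, a FEATURE_BROWSER_EMULATION entry for regsvr32.exe, a copy written to Local Settings\Application Data\dipeva\dipeva.exe, deletion of the original c:\malware.exe, and two hex-named mutexes. Interleaved with these are index.dat, \Device\Afd, named-pipe and cache-directory-mutex rows that any WinINet caller produces. The parser below is an added example, not part of the original report: it turns the flattened rows into structured indicators (handling the two-line Registry rows, and accepting the label either glued to the value or separated by a colon, depending on how the report was extracted) and filters out the generic WinINet noise. The sample rows are copied from the report; the noise rules are the editor's assumption about what is generic rather than specific to this sample.

```python
"""Parse the flattened "Runtime Details" rows of a sandbox report into
structured indicators and drop the WinINet/IE housekeeping that appears in
any run. Editor's example, not part of the original report; the noise rules
are an assumption about what is generic to WinINet callers."""
import re
from collections import defaultdict

# Row labels used by this report format. Longer labels come first so that
# "Creates Process" is not cut at "Creates", and "DNS" is last so it does not
# swallow "Winsock DNS".
LABELS = (
    "Creates Process", "Creates File", "Deletes File", "Creates Mutex",
    "Winsock DNS", "Registry", "HTTP GET", "HTTP POST", "Flows TCP", "DNS",
)

# Artefacts WinINet/Internet Explorer produces for any caller: cache and
# history index.dat files, cache-directory mutexes, AFD and LSA handles.
# Assumption: these are generic, not specific to this sample.
NOISE = re.compile(
    r"(index\.dat$|Temporary Internet Files|\\Device\\Afd\\|^PIPE\\|"
    r"^WininetConnectionMutex$|^c:!documents and settings!)",
    re.IGNORECASE,
)

# Constructed sample: a subset of the runtime rows from the report, with the
# label glued to the value as extracted, including two-line Registry rows.
SAMPLE = r"""
Process
↳ regsvr32.exe

Creates Processregsvr32.exe
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\2a89521acd\c984f294 ➝
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe ➝
8888
Creates FileC:\Documents and Settings\Administrator\Local Settings\Application Data\dipeva\dipeva.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File\Device\Afd\AsyncConnectHlp
Creates FilePIPE\lsarpc
Deletes Filec:\malware.exe
Creates Mutexc:!documents and settings!administrator!cookies!
Creates MutexWininetConnectionMutex
Creates MutexDE7B2F08C5C35678
Creates MutexGlobal\A0B9737978FF60B0
Winsock DNSmicrosoft.com
Winsock DNS195.94.223.153
"""


def parse_runtime(text: str) -> dict:
    """Map each row label to its values; Registry rows become 'key = data'."""
    rows = defaultdict(list)
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        label = next((lab for lab in LABELS if line.startswith(lab)), None)
        if label is None:
            continue  # "Process" headings and "↳ ..." tree lines carry no IOC
        value = line[len(label):]
        if value.startswith(":"):  # "Label: value" form of the same report
            value = value[1:]
        value = value.strip()
        if value.endswith("➝"):
            # Registry rows split key and data over two lines in this format.
            data = lines[i] if i < len(lines) else ""
            i += 1
            value = f"{value[:-1].strip()} = {data}"
        rows[label].append(value)
    return dict(rows)


def hunt_list(rows: dict) -> dict:
    """Keep only the indicators that are specific to the sample."""
    kept = {}
    for label, values in rows.items():
        specific = [v for v in values if not NOISE.search(v)]
        if specific:
            kept[label] = specific
    return kept


if __name__ == "__main__":
    for label, values in hunt_list(parse_runtime(SAMPLE)).items():
        for v in values:
            print(f"{label}: {v}")
```

Running it on the sample leaves the regsvr32.exe spawn, the two registry keys, the dipeva.exe drop, the self-deletion, the two hex-named mutexes and the two DNS lookups, which is the set worth turning into host and network hunts.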

Network Details:

DNS: microsoft.com
Type: A
134.170.188.221
DNS: microsoft.com
Type: A
134.170.185.46
DNS: a767.dscms.akamai.net
Type: A
23.3.98.10
DNS: a767.dscms.akamai.net
Type: A
23.3.98.11
DNS: a767.dscms.akamai.net
Type: A
23.3.98.41
DNS: download.microsoft.com
Type: A
HTTP GET: http://microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://195.94.223.153/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.188.221:80
Flows TCP: 192.168.1.1:1032 ➝ 209.79.23.135:80
Flows TCP: 192.168.1.1:1034 ➝ 51.84.225.204:80
Flows TCP: 192.168.1.1:1033 ➝ 195.94.223.153:80
Flows TCP: 192.168.1.1:1036 ➝ 97.248.80.58:80
Flows TCP: 192.168.1.1:1037 ➝ 195.94.223.153:80
Flows TCP: 192.168.1.1:1038 ➝ 18.180.22.16:80
Flows TCP: 192.168.1.1:1039 ➝ 85.239.65.246:80
Flows TCP: 192.168.1.1:1040 ➝ 75.162.197.254:443
Flows TCP: 192.168.1.1:1041 ➝ 9.38.163.146:80
Flows TCP: 192.168.1.1:1042 ➝ 221.106.245.152:80
Flows TCP: 192.168.1.1:1043 ➝ 23.3.98.10:80
Flows TCP: 192.168.1.1:1044 ➝ 92.219.242.33:80
Flows TCP: 192.168.1.1:1046 ➝ 140.229.103.216:443
Flows TCP: 192.168.1.1:1047 ➝ 217.34.182.161:8080
Flows TCP: 192.168.1.1:1048 ➝ 6.252.87.68:80
Flows TCP: 192.168.1.1:1049 ➝ 5.84.13.146:80
Flows TCP: 192.168.1.1:1051 ➝ 218.93.170.137:80
Flows TCP: 192.168.1.1:1052 ➝ 49.160.112.242:80
Flows TCP: 192.168.1.1:1054 ➝ 64.51.63.210:80
Flows TCP: 192.168.1.1:1055 ➝ 169.3.186.234:80
Flows TCP: 192.168.1.1:1056 ➝ 207.107.92.112:80
Flows TCP: 192.168.1.1:1057 ➝ 146.78.59.177:80
Flows TCP: 192.168.1.1:1058 ➝ 96.143.42.237:80

Raw Pcap
0x00000000 (00000)   7d                                    }

0x00000000 (00000)   44                                    D

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000050 (00080)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000060 (00096)   2e353037 3237290d 0a486f73 743a206d   .50727)..Host: m
0x00000070 (00112)   6963726f 736f6674 2e636f6d 0d0a4361   icrosoft.com..Ca
0x00000080 (00128)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000090 (00144)   63616368 650d0a0d 0a                  cache....

0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a436f6e 74656e74 2d547970 653a2061   .Content-Type: a
0x00000020 (00032)   70706c69 63617469 6f6e2f78 2d777777   pplication/x-www
0x00000030 (00048)   2d666f72 6d2d7572 6c656e63 6f646564   -form-urlencoded
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000050 (00080)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000060 (00096)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000070 (00112)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000080 (00128)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000090 (00144)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000a0 (00160)   20313935 2e39342e 3232332e 3135330d    195.94.223.153.
0x000000b0 (00176)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x000000c0 (00192)   20333830 0d0a4361 6368652d 436f6e74    380..Cache-Cont
0x000000d0 (00208)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x000000e0 (00224)   0a646a35 42675a46 73414e58 51334c6e   .dj5BgZFsANXQ3Ln
0x000000f0 (00240)   58414635 2b753231 30425175 44596641   XAF5+u210BQuDYfA
0x00000100 (00256)   6a6f4450 4c6c7857 6f5a7171 52656332   joDPLlxWoZqqRec2
0x00000110 (00272)   56346c56 3446564c 36707173 7a6f587a   V4lV4FVL6pqszoXz
0x00000120 (00288)   6d324578 54577436 41675455 6c626d4a   m2ExTWt6AgTUlbmJ
0x00000130 (00304)   55357433 4f727353 49677149 61374e62   U5t3OrsSIgqIa7Nb
0x00000140 (00320)   4e6c6654 4a745873 5750536a 44645172   NlfTJtXsWPSjDdQr
0x00000150 (00336)   364c4a66 654c4134 30785471 4c7a4344   6LJfeLA40xTqLzCD
0x00000160 (00352)   7071746b 45417847 43353074 4b473854   pqtkEAxGC50tKG8T
0x00000170 (00368)   7164736c 69616d47 43693831 666a6c65   qdsliamGCi81fjle
0x00000180 (00384)   38704d50 6a727769 696e6757 4a506b6a   8pMPjrwiingWJPkj
0x00000190 (00400)   75456f4a 2f443352 2f2f6652 41484835   uEoJ/D3R//fRAHH5
0x000001a0 (00416)   78506147 63586366 7a564d54 6c365954   xPaGcXcfzVMTl6YT
0x000001b0 (00432)   5145506d 5a595044 4679514c 57446536   QEPmZYPDFyQLWDe6
0x000001c0 (00448)   4b653356 54355031 6a6b5737 5a566f65   Ke3VT5P1jkW7ZVoe
0x000001d0 (00464)   3642426f 484f4469 2b664857 55596654   6BBoHODi+fHWUYfT
0x000001e0 (00480)   63392b55 7a48302f 636a346b 54447150   c9+UzH0/cj4kTDqP
0x000001f0 (00496)   456b4f57 79717845 77737245 702f7968   EkOWyqxEwsrEp/yh
0x00000200 (00512)   71664f2b 5a763970 70766972 456b5274   qfO+Zv9ppvirEkRt
0x00000210 (00528)   4c413951 69787143 4f4f7a37 65516d6b   LA9QixqCOOz7eQmk
0x00000220 (00544)   7659347a 7651746c 4c41396a 637a4830   vY4zvQtlLA9jczH0
0x00000230 (00560)   2b67552b 75546a47 58636f68 35613634   +gU+uTjGXcoh5a64
0x00000240 (00576)   46445061 2f72374c 61767947 4675382f   FDPa/r7LavyGFu8/
0x00000250 (00592)   4c745954 32576863 63686e67 3d         LtYT2Whcchng=

0x00000000 (00000)   b0                                    .

0x00000000 (00000)   34                                    4

0x00000000 (00000)   ba                                    .

0x00000000 (00000)   7f                                    .

0x00000000 (00000)   47455420 2f646f77 6e6c6f61 642f302f   GET /download/0/
0x00000010 (00016)   382f632f 30386331 39666134 2d346334   8/c/08c19fa4-4c4
0x00000020 (00032)   662d3466 66622d39 6436632d 31353039   f-4ffb-9d6c-1509
0x00000030 (00048)   30363537 38633965 2f4e6574 46783230   06578c9e/NetFx20
0x00000040 (00064)   5350315f 7838362e 65786520 48545450   SP1_x86.exe HTTP
0x00000050 (00080)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000060 (00096)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000070 (00112)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000080 (00128)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000090 (00144)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000a0 (00160)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000b0 (00176)   6f73743a 20646f77 6e6c6f61 642e6d69   ost: download.mi
0x000000c0 (00192)   63726f73 6f66742e 636f6d0d 0a436163   crosoft.com..Cac
0x000000d0 (00208)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000e0 (00224)   61636865 0d0a0d0a 3234352e 3135323a   ache....245.152:
0x000000f0 (00240)   38302c32 332e332e 39382e31 303a3830   80,23.3.98.10:80
0x00000100 (00256)   2c736361 6e207479 70653a20 53594e     ,scan type: SYN

0x00000000 (00000)   6f                                    o

0x00000000 (00000)   53                                    S

0x00000000 (00000)   b1                                    .

0x00000000 (00000)   47                                    G

0x00000000 (00000)   89                                    .

0x00000000 (00000)   7b                                    {

0x00000000 (00000)   9d                                    .

0x00000000 (00000)   6e                                    n

0x00000000 (00000)   38                                    8

0x00000000 (00000)   69                                    i

0x00000000 (00000)   72                                    r

0x00000000 (00000)   a3                                    .

0x00000000 (00000)   c7                                    .

0x00000000 (00000)   ab                                    .

0x00000000 (00000)   85                                    .
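The POST to 195.94.223.153 dumped above declares Content-Type application/x-www-form-urlencoded and Content-Length 380, but the body is a single base64 token with no key=value pairs, which is what an encrypted check-in looks like when dressed up as a form submission. The script below is an added example, not part of the original report: it reconstructs the request from the ASCII column of the dump, confirms that the declared length matches the bytes actually sent, checks whether the body is one base64 token rather than form fields, and measures the entropy of the decoded bytes. The request text is as captured; the checks and thresholds are the editor's.

```python
"""Triage the captured POST beacon: Content-Length vs. body, form-shaped or
single base64 token, entropy of the decoded payload. Editor's example, not
part of the original report; the request bytes are reconstructed from the
ASCII column of the "Raw Pcap" dump."""
import base64
import math
import re

# Body of the POST as it appears in the dump: 380 characters of base64.
POST_BODY = (
    "dj5BgZFsANXQ3Ln"
    "XAF5+u210BQuDYfA"
    "joDPLlxWoZqqRec2"
    "V4lV4FVL6pqszoXz"
    "m2ExTWt6AgTUlbmJ"
    "U5t3OrsSIgqIa7Nb"
    "NlfTJtXsWPSjDdQr"
    "6LJfeLA40xTqLzCD"
    "pqtkEAxGC50tKG8T"
    "qdsliamGCi81fjle"
    "8pMPjrwiingWJPkj"
    "uEoJ/D3R//fRAHH5"
    "xPaGcXcfzVMTl6YT"
    "QEPmZYPDFyQLWDe6"
    "Ke3VT5P1jkW7ZVoe"
    "6BBoHODi+fHWUYfT"
    "c9+UzH0/cj4kTDqP"
    "EkOWyqxEwsrEp/yh"
    "qfO+Zv9ppvirEkRt"
    "LA9QixqCOOz7eQmk"
    "vY4zvQtlLA9jczH0"
    "+gU+uTjGXcoh5a64"
    "FDPa/r7LavyGFu8/"
    "LtYT2Whcchng="
)

# Request line and headers exactly as captured, body appended after CRLFCRLF.
RAW_POST = (
    "POST / HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    ".NET CLR 2.0.50727)\r\n"
    "Host: 195.94.223.153\r\n"
    "Content-Length: 380\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n" + POST_BODY
).encode("ascii")

# One base64 token: alphabet characters followed by optional padding.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def split_http(raw: bytes):
    """Split a raw HTTP request into (request line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for encrypted or compressed data, 4 to 5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyse_beacon(raw: bytes) -> dict:
    """Return the facts a triager wants about a suspected C2 POST."""
    request_line, headers, body = split_http(raw)
    declared = int(headers.get("content-length", "-1"))
    info = {
        "request_line": request_line,
        "host": headers.get("host"),
        "declared_length": declared,
        "body_length": len(body),
        "length_ok": declared == len(body),
        # A genuine x-www-form-urlencoded body carries key=value&key=value.
        "looks_like_form": b"&" in body,
        "base64_token": bool(B64_TOKEN.fullmatch(body)) and len(body) % 4 == 0,
    }
    if info["base64_token"]:
        decoded = base64.b64decode(body, validate=True)
        info["decoded_length"] = len(decoded)
        info["entropy"] = round(shannon_entropy(decoded), 2)
        info["printable_ratio"] = round(
            sum(32 <= b < 127 for b in decoded) / len(decoded), 2)
    return info


if __name__ == "__main__":
    for key, value in analyse_beacon(RAW_POST).items():
        print(f"{key}: {value}")
```

Run as a script it prints each field; on this request the body length matches the header, the body is one base64 token decoding to 284 bytes, and the byte entropy is well above what readable text produces, so the payload format has to be recovered from the code running in regsvr32.exe rather than from the wire.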


Strings