Analysis Date: 2014-01-22 01:51:31
MD5: a3841da5f1147af46d86dd2107347f82
SHA1: f242cbfdec672d949df39e7a1462929c48440a16

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 4a086fd06147ddebf84a60d8ccae55a2 sha1: c40c9381907f6c0f503758e0703f4dcca4bcc5f6 size: 45056
Section .rdata md5: ad3bbf60df8396c5d77d898fc7fa0155 sha1: 3c25d58135ea7022c8d31f71f4d033830a9a5e0f size: 13824
Section .data md5: d35a715a39a776158270f18b1df08067 sha1: 6c9bc6eecdef544c44c15e1898f3b4cee4179464 size: 5120
Section idata md5: 7ec682a9df4d53793ad88691f7138c4c sha1: 51c29cc196b00795eb1b7e29f47e66b9008c6ccf size: 5632
Section edata md5: e0821514e29bf0afa5ceb90667d5dadd sha1: b1bf42e1d76ce00e3212970a3af60cd799e8f133 size: 1024
Section .rsrc md5: 76e7b6d04ed87c8375e93ddf4f5b07f4 sha1: ee9d2a0ca12286de469f2612b31a4e5c187799b9 size: 167936
Timestamp: 2011-12-03 14:45:41
PEhash: 9530835e6aa830763f42456b24eef63f8ed5b09d
AV avg: Win32/Sality
AV avira: W32/Sality.AW
AV mcafee: W32/Sality.gen.z
AV msse: Virus:Win32/Sality.gen!Q

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\wegmozvikzea ➝
C:\Documents and Settings\Administrator\wegmozvikzea.exe
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝
NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝
NULL
Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride ➝
1
Registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
2
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝
NULL
Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝
C:\malware.exe:*:Enabled:ipsec
Registry HKEY_CURRENT_USER\Software\Fobvexllmtqkq\-993627007\1768776769 ➝
87
Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride ➝
1
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝
NULL
Registry HKEY_CURRENT_USER\Software\Fobvexllmtqkq\A1_0 ➝
1311129193
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\robertmcintyre.com[2].htm
Creates File C:\WINDOWS\129e9
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wildrosemarketing[1].htm
Creates File C:\temp\files\AcroRd32.exe
Creates File C:\Documents and Settings\Administrator\wegmozvikzea.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\thesergery[2].htm
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\istanbultarim.com[1].htm
Creates File C:\WINDOWS\SYSTEM.INI
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File C:\temp\monitor.exe
Creates File C:\temp\files\winspty.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\winspty.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\childscope[1].htm
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\spiti[1].htm
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\leadershipforum[1].htm
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\easygen[1].htm
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\thesergery[1].htm
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\brookfarm.com[1].htm
Creates File C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File PIPE\SfcApi
Creates File C:\temp\files\malware.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\robertmcintyre.com[1].htm
Deletes File C:\WINDOWS\129e9
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wildrosemarketing[1].htm
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\leadershipforum[1].htm
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\thesergery[2].htm
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\easygen[1].htm
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\thesergery[1].htm
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\istanbultarim.com[1].htm
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\brookfarm.com[1].htm
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\winspty.exe
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\childscope[1].htm
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\spiti[1].htm
Creates Mutex uxJLpe1m
Creates Mutex services.exeM_616_
Creates Mutex WininetConnectionMutex
Creates Mutex malware.exeM_1228_
Creates Mutex alg.exeM_1840_
Creates Mutex lsass.exeM_628_
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex wegmozvikzea
Creates Mutex svchost.exeM_844_
Creates Mutex userinit.exeM_196_
Creates Mutex svchost.exeM_796_
Creates Mutex reader_sl.exeM_928_
Creates Mutex explorer.exeM_276_
Creates Mutex monitor.exeM_1108_
Creates Mutex smss.exeM_496_
Creates Mutex svchost.exeM_1012_
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex svchost.exeM_1096_
Creates Mutex svchost.exeM_1116_
Creates Mutex csrss.exeM_548_
Creates Mutex winlogon.exeM_572_
Creates Mutex spoolsv.exeM_1304_
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex svchost.exeM_1204_
Winsock DNS robertmcintyre.com.au
Winsock DNS childscope.com
Winsock DNS thesergery.com
Winsock DNS brookfarm.com.au
Winsock DNS osouji-school.com
Winsock DNS manuyantralaya.com
Winsock DNS easygen.com
Winsock DNS link-list-uk.com
Winsock DNS yamamoto-sr.com
Winsock DNS eyggroup.com
Winsock DNS szostka.com
Winsock DNS dbcomponents.com
Winsock DNS toutenmeuse.com
Winsock DNS leadershipforum.us
Winsock DNS spiti.org
Winsock DNS wildrosemarketing.com
Winsock DNS istanbultarim.com.tr
Winsock DNS sspackaginggroup.com

Process
↳ C:\WINDOWS\system32\userinit.exe

Creates Mutex uxJLpe1m
Creates Mutex userinit.exeM_196_

Process
↳ C:\WINDOWS\Explorer.EXE

Creates Mutex uxJLpe1m
Creates Mutex explorer.exeM_276_

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Creates Mutex uxJLpe1m
Creates Mutex reader_sl.exeM_928_

Network Details:

DNS smtp.glbdns2.microsoft.com
Type: A
65.55.96.11
DNS smtp.live.com
Type: A
DNS leadershipforum.us
Type: A
Flows TCP 192.168.1.1:1037 ➝ 65.55.96.11:25

Raw Pcap

Strings
 About
&About
&Exit
&File
&Help
MS Sans Serif
&Open
&Save
Text
0)8J+{
0kKcS:
1ju+}#
1K:|X7
1/o&eGi
1+yTx<
{&?^)2
23ttaw
2gt{pl
2I>oQ[v
~=@2W!r
3IAt~#
@3[:<l
3/lU*n
3#m*#d
(]3:mO
%3Pr$d
`+<3#?W
3y:0K  
407^m)$5z
[!4~9(
4bumh#+
4DKis0
4e=[T<
[4<F ][
4Q>.T;
4wfsI`k
56'5W[y
5B;QsM7
5NX~z=
5;uqA;
6%4;rq
6\}C!+
6]Dm0esnt
-6$:KP;d
|6\':T7
6uH[r#
7aRpmt
7]m~$3)
[7'uGN
7vkG_C
80xipd
\=8h:)
	,@9!:`;
,9|dkA
$[9LNc
}A>/~8`
`Ad}P~6
]_aqCs
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
a\t[kn?
AucsWba
B7UoY	S>C{
_#@^BBs:
BD0UE(
BI0	:i
bIk:6D
b*i`la
bO'vD$
bqlDZb
<Bqoc+
button
{!BW8;S
BwyT?v
c1vA_?
cc?7WC
cdiy;A
cjGw~A:
CkI+;+
c$-kmD
clarnet
CloseHandle
+c,*mm\!
-cO'1e
CreateFileA
CreateWindowExA
:C?U#!
$c]uE]
Cu\][l
c!)x?V
d0JAt:r,;
D4S"PD
D`~7Nv
[dDF$~@@
+De	cd\C
DefWindowProcA
DeleteFileA
DestroyWindow
dGqZ=] 
:D:H|+
]DH# b
:d~Hkn7
D}i.>d
DispatchMessageA
DlT@uT
%DM2LZ
-dM85+
dmjS;'
^;d/.[O
dpIU"l]!_~
@(!dV@
dvKD@R
dXa?qR
dYH]a,
DZb6q>
e/58tz
^e >6%`
?E'A+,
EBc'-bd
e-bdn5
@EBIh3
E~,/cB"
E i[:j
EI%}sD
Elephant
eM&d*H<:l
EVzl&bF
EZz &z
FF.K]'?
ff:,k,L
}fft!m
@=fFy#
>\(F{h
	|FH$|
FHzjOw
F"*ibX
:F-%KM
{^FMPm
FormatMessageA
fTivW	
FtY1Lz}+
fW%r}S
f-Y8#X
[>Gc;J
	-"`G:d
_G!'eqtR
GetCommandLineA
GetLastError
GetMessageA
GetModuleHandleA
GetWindowRect
GGGGBBBBIu
g:'k&_#U5
	gt45{
Gy-htmh
\h1)T+
%h%+d$
hErlO[
h]FF[J
HFKMh2
h_hE2.
HIQ=4^
}-H^mC
%h\me&Fb
h<]mv'Ta
H^-r<@
HV3<s?
h~WU;[
HYh;F$
,h\ZSW
i0BG)N
i^3(V	9
i-G/t;
{iK]*g
\I#N#8(
I*O*H<
[ioV8@
IZGwv]z
izmPh<
j;9@v[
J:AGf'%D
?jB^Pm
;)%jC q~
)j}gi<>
j{H*K|
%+]Jk*n
JoZMr]
J(p3Zhl
JpIiYH
*j	P:j
%jS/3nX
jT YK#
J]y`<ER!
_*K0W9
k]3}FE
$,K:!4
|K40!gg
kernel32.dll
KEU[aF
Kf)T*E
]^(k#I
KillTimer
KNtsz|
Kowa09
kr/v1(
kw&vC+h*
l1pfkg*
=L:2y9
L|=4xgz
$L5Li(
}\+L7(t
|l~8!]
)L*c<%3 
Lc/Kow
-L:<E5MHd
Lf1e0z
_"+L}h
lK]|@@
l- kkC
&[lLQa\
l?,m25
lmPevd
:lNX41@
LoadCursorA
LoadIconA
]m^!$/
=m1C R8
m;8J!n
Mb2.*\,
m.e\B5;&
\MeB8E<
m(Ebds
Mg[).B"
mh]mT@
&MKQ'-
M}[l~&X0
MXl)?5R
/N2+5D
n88-~P
n!#Cz-
]NI/80?
[NROw<_
[NuHm:
[n<uL;8
[*Nv/j*
nYdAor8
$&+O|$
$O[18:
O#8vG*
on/5=~
Op$q@@
o^"R$}p
ovO7M`
}p+\7U
pAO#ry
PAx<=>
P<djN!
PF#!7.
pffOmh
:{Pjm!@
polkin
PostQuitMessage
##p!p9
+'Q5|0s
qEdnu2|
Qe:+KH
@qo<7-
\QsI7KI
^qSz|J
Q>^wP'>
'?q)+X
?Q(ZA1
R;55]1(
%R72A{
RalPqsf
	RB^!,9	#(
.rdata
RegisterClassExA
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
return castle
^|Rich
RK)1-d
]>r]llHp
r>p $bXO
R<?t*F
RW|ff-
rY>PbA
$R.ZfS?
rZYsY}
s3dp8+
@S4&d<l
S+.54w
s;7&MY
!+sdV8
    </security>
    <security>
SendMessageA
sertion
SetWindowPos
ShowWindow
s	:)ID>rlq
SJF|;q
Sk98bN
static
?Sy\^E
t7Tiv=
T8t$[+
=Tc2qb
!This program cannot be run in DOS mode.
&tiL$g
t~ms_X
TranslateMessage
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
?+',Tt 
T`(tONfn
tXfQY%.
TX <r$]
t'Y]~1
t:#?#[zNY
*|u/:0*z
ua2Wjmu
uBvU1O
ub\@,w
uHT07m
#]U	kF
u@K'v7
U):l@@
u:>n?GH
UpdateWindow
@@?UP{g
upmKl 
user32.dll
UtQ;D/0
u(U>pp
\^#V[3
v<6xK.
VbHD:C
(@V($f
_vn<4s
#VOqp`
|Vq]I2
v*=v+\
\V>w"-b
;vYheiy
W1UBb9
\w5*Y>'S^U<
Wa,?ah
W\eE6%
w~ErK@
W=FXK 
W?lQOrH
"?w]:v
WVV|!1
W<x[/F
'X *.|
X8->kU
x,8,MN
xddp3h
|x~E\U
xKFq8d
 XlA`@
x_NSPG
xpe$fP
X%pT&b
]xQo;'L
xtyper
Xu-(La
\y2Ap2
Y::A"Kj
_?y{cG
|y{D%o
 Y|\!e
~=Y]F6
yfEA);
yh.(a#
.y+K@@
y:<KJi
yLp&!W&~
>y+n@@
YN d]\fy
yNSdqm
YTk.?<
Y[tu#_
"yypbo
})Z[ >
zcV?M	
zCZU}t
Z{es8Uo
,(zJ{ 
&Zk|Vn
_Zo5o.
z:q`p+%H
zUyOYw
zu<yrQ@