Analysis Date: 2015-10-01 14:34:58
MD5: 150fb818cd3f3058b0ece98ff65aa48a
SHA1: f57e3072f3de523dd306c6d43cb5382c586c39e6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e5555ca3af2fa92c0a4a4dbead83af47 sha1: b7e27d49f57bed785a96b34da8d597e5b8636870 size: 843264
Section .rdata: md5: 1677abdb566fdeccae7e055952bb5439 sha1: 80134e17fb9aa7783fc2ee29c424af04bd158c9c size: 334336
Section .data: md5: 306f3d9bf325e9e632d671608c621308 sha1: a3c14e6a4289755c124c15c0aa9d71ae7d7394bf size: 8192
Timestamp: 2015-03-13 07:44:33
Packer: Microsoft Visual C++ ?.?
PEhash: 55ce7741a130d6435e9b798ad6e993ddcf7e1145
IMPhash: 7c8785d1f3bfcbd230fa27d8c7ae017a
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Zusy.133308
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV BullGuard: Gen:Variant.Zusy.133308
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Kryptik.Win32.767475
AV Emsisoft: Gen:Variant.Zusy.133308
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV K7: Trojan ( 004cd0081 )
AV BitDefender: Gen:Variant.Zusy.133308
AV Fortinet: W32/Kryptik.DDQD!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.DDQD
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Zusy.133308
AV Twister: no_virus
AV Avira (antivir): TR/Agent.1186816.27
AV Mcafee: no_virus
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zgsrimm1loerj8ztnspjku.exe
Creates File: C:\WINDOWS\system32\ayonnlnrgmtlm\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\zgsrimm1loerj8ztnspjku.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zgsrimm1loerj8ztnspjku.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Quality Net.Tcp Shell PNRP Topology Machine ➝ C:\WINDOWS\system32\bfmtwotkclo.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\bfmtwotkclo.exe
Creates File: C:\WINDOWS\system32\ayonnlnrgmtlm\lck
Creates File: C:\WINDOWS\system32\ayonnlnrgmtlm\tst
Creates File: C:\WINDOWS\system32\ayonnlnrgmtlm\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\bfmtwotkclo.exe
Creates Service: Grouping Update Background File Search Window - C:\WINDOWS\system32\bfmtwotkclo.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1120

Process
↳ C:\WINDOWS\system32\bfmtwotkclo.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\ayonnlnrgmtlm\run
Creates File: C:\WINDOWS\system32\ayonnlnrgmtlm\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ayonnlnrgmtlm\cfg
Creates File: C:\WINDOWS\TEMP\zgsrimm1tjtrj8z.exe
Creates File: C:\WINDOWS\system32\ayonnlnrgmtlm\lck
Creates File: C:\WINDOWS\system32\nfwrycyptn.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\ayonnlnrgmtlm\rng
Creates Process: C:\WINDOWS\TEMP\zgsrimm1tjtrj8z.exe -r 49108 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\bfmtwotkclo.exe"

Process
↳ C:\WINDOWS\system32\bfmtwotkclo.exe

Creates File: C:\WINDOWS\system32\ayonnlnrgmtlm\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\bfmtwotkclo.exe"

Creates File: C:\WINDOWS\system32\ayonnlnrgmtlm\tst

Process
↳ C:\WINDOWS\TEMP\zgsrimm1tjtrj8z.exe -r 49108 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=041&sox=4b205a01&lenhdr
  User-Agent:
HTTP GET: http://callmile.net/index.php?method=validate&mode=sox&v=041&sox=4b205a01&lenhdr
  User-Agent:
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=041&sox=4b205a01&lenhdr
  User-Agent:
HTTP GET: http://bothplain.net/index.php?method=validate&mode=sox&v=041&sox=4b205a01&lenhdr
  User-Agent:
HTTP GET: http://walkword.net/index.php?method=validate&mode=sox&v=041&sox=4b205a01&lenhdr
  User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=041&sox=4b205a01&lenhdr
  User-Agent:
HTTP GET: http://drinkbreak.net/index.php?method=validate&mode=sox&v=041&sox=4b205a01&lenhdr
  User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1043 ➝ 104.219.40.157:80
