Analysis Date: 2016-01-15 09:02:01
MD5: 582de418ba65783d7d744aad738b3a51
SHA1: f6106597c19d6d21623f64bed9bb3669c8e7a32e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 49eab18854424f46e222870acf0da885 sha1: fbb73c532ccd97319545882e1587f86deefc75f1 size: 151552
Section .rsrc: md5: 5411110bba6c54dbfeabd902f1eeb622 sha1: 89a54592b02c2f1e89cd49ad6badf45da1887320 size: 1536
Section .reloc: md5: 870315c84d5a816a7b26b2b6868bbc4b sha1: 5a06d6627904a137f02f6981a0bf2f33eda22961 size: 512
Timestamp: 2013-05-06 04:36:17
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 0adc22c733dd86b1664fe8e0d2e0b7b8521cb536
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Dropper.MSIL.Gen
AV Twister: Trojan.3FB141FA26C60E56
AV Ad-Aware: Gen:Variant.Kazy.172192
AV Alwil (avast): Downloader-TFL [Trj]
AV Eset (nod32): MSIL/Injector.LNH
AV Grisoft (avg): Dropper.Generic8.ADYX
AV Symantec: Trojan.Gen
AV Fortinet: MSIL/Injector.KFU!tr
AV BitDefender: Gen:Variant.Kazy.172192
AV K7: No Virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue.I
AV MicroWorld (escan): Gen:Variant.Kazy.172192
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: possible.Threat.HackTeam.ZWT
AV Emsisoft: Gen:Variant.Kazy.172192
AV Zillya!: Downloader.Andromeda.Win32.3345
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): Worm.Gamarue.r3
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Kazy.172192
AV Arcabit (arcavir): Gen:Variant.Kazy.172192
AV ClamAV: No Virus
AV Dr. Web: BackDoor.Comet.152
AV F-Secure: Gen:Variant.Kazy.172192

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Program Files\Keygen.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\PrintConfig.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cmiadapter.exe
Creates Process: "C:\Program Files\Keygen.exe"
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\cmiadapter.exe
Creates Process: "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"

Process
↳ cmd /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v Shell /d C:\WINDOWS\explorer.exe, C:\Documents and Settings\Administrator\Local Settings\Temp\cmiadapter.exe /f

Process
↳ "C:\Program Files\Keygen.exe"

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\cmiadapter.exe

Creates Process: cmd /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v Shell /d C:\WINDOWS\explorer.exe, C:\Documents and Settings\Administrator\Local Settings\Temp\cmiadapter.exe /f
Creates Process: dw20.exe -x -s 276

Process
↳ "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ dw20.exe -x -s 276

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1A0BF.dmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\msxqkia.com\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msxqkia.com
Deletes File: C:\WINDOWS\MICROS~1.NET\FRAMEW~1\V20~1.507\APPLAU~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.190
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.157
DNS: www.update.microsoft.com (Type: A)
DNS: catswillruletheworld.in (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.190:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
