Analysis Date: 2014-01-02 07:59:01
MD5: afd88a19e2b7e5a247f8b97bf338f538
SHA1: fbcdfc85f8941681c0c49a8037ea7f6a67a286dd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: f4d98291e95807436f8cfda913af6a47 sha1: 39478dfc441fd405fdd3c52f382d7c21f3e7e832 size: 19456
Section: .data md5: addf5108dc171943f568e821305870c3 sha1: 6d13071a95e98f48d8db230920ff5541079da196 size: 512
Section: .rsrc md5: 2d7363b8c59c5aedcd74f0bf269f77fb sha1: 54c3759dce7ccb92c7f9614a04c339f0974d73dc size: 43008
Timestamp: 2008-12-07 04:12:59
Pdb path: db
Version:
LegalCopyright: (C) Microsoft Corporation. All rights reserved.
InternalName: samlock.exe
FileVersion: 5.1.2600.0 (xpclient.010817-1148)
CompanyName: Microsoft Corporation
ProductName: Microsoft(R) Windows(R) Operating System
ProductVersion: 5.1.2600.0
FileDescription: SAM Lock Tool
OriginalFilename: samlock.exe
PEhash: 3bb46c49f4c6aa05d27b18e422d4550f396b596e
AV avg: Win32/Virut.dropper
AV mcafee: W32/Virut.n.gen
AV msse: Virus:Win32/Virut.BN
AV avira: W32/Virut.Gen

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: PIPE\samr
Creates File: PIPE\lsarpc

Network Details:


Raw Pcap

Strings
080404B0
5.1.2600.0
5.1.2600.0 (xpclient.010817-1148)
 A: 
 A:  
A:\StartKey.Key
(&C):
(C) Microsoft Corporation. All rights reserved.
CompanyName
ControlSet001\Control\Lsa
ControlSet002\Control\Lsa
(&D)
Default
(&E)
FileDescription
FileVersion
InternalName
(&L)
LegalCopyright
Microsoft Corporation
Microsoft(R) Windows(R) Operating System
OriginalFilename
(&P)
(&P):
ProductName
ProductVersion
(&S)
samlock.exe
SAM Lock Tool
SecureBoot
Select
 StartKey.Bak
 StartKey.Key 
StringFileInfo
System\CurrentControlSet\Control\Lsa
Translation
(&U)
VarFileInfo
VS_VERSION_INFO
(&W):
 Windows XP 
Windows XP 
yA:\StartKey.Bak
|~]?!|
0123456789abcdef
3333333
333338
	_4!fbJ
4g):T-
5a&!h#
^7bpenc
&8\cFF
9"9%(yzi
_adjust_fdiv
ADVAPI32.dll
A:\startkey.key
auk!#6
azOH7.
B6UhTi
bV^J^1E
b#}Z$r
_cexit
_c_exit
CheckDlgButton
CloseHandle
#Co+iF
_controlfp
CreateFileA
CreateFileW
CtWehgJ
`.data
DDDDDD@
DDDDDDD
DeleteFileW
DH}SA$
DialogBoxParamW
DqxDvY=oZ
e:K_.Y
EnableWindow
EndDialog
eQcknx
eQS_MR(ueg
_except_handler3
ExitProcess
FormatMessageW
fprintf
FQ397G
Fs:Qzl
Gb[4Dr{P
;G$@:)c|Z 2\
GetComputerNameA
GetCurrentProcessId
GetCurrentThreadId
GetCursorPos
GetDiskFreeSpaceW
GetDlgItem
GetDlgItemTextW
GetLastError
GetLocalTime
GetMessageTime
GetModuleHandleA
GetModuleHandleW
GetTickCount
GetUserNameA
GetWindowLongW
GlobalMemoryStatus
GrafBlumGroup
`	gS_MR
H0A"3JM
H;F.qw
HSVWtGHt
I][~F3
_initterm
I|pucMF
IsDlgButtonChecked
It@It,IuH
^JooIl=
KERNEL32.dll
kwWV S
l@]9V;
/LnI.D
LoadCursorW
LoadImageW
LoadStringW
Lookup
LsaClose
LsaFreeMemory
LsaOpenPolicy
LsaQueryInformationPolicy
ly+0^j
#Mc %%
MessageBoxW
MoveFileW
msvcrt.dll
n7)rJa
!-N%b)
ntdll.dll
NTDLL.DLL
N/:;X~
+=o9(I1wh
OX[0Rq
OX[(Wq
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
Pattern
__p__commode
__p__fmode
PjHj@j
P>s1@5
=qfUcS9
QueryPerformanceCounter
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExW
RegQueryInfoKeyA
RegQueryValueExW
RegSetValueExA
RegSetValueExW
RtlInitUnicodeString
RtlLengthSid
RtlNtStatusToDosError
SamCloseHandle
SamConnect
SamiGetBootKeyInformation
SamiSetBootKeyInformation
SAMLIB.dll
SamOpenDomain
SendMessageW
__set_app_type
SetCursor
SetDlgItemTextW
SetErrorMode
SetFocus
__setusermatherr
SetWindowLongW
Sj@j@WWS
SkewMatrix
syskey.pdb
_t+9>r'
!This program cannot be run in DOS mode.
towupper
t"zP\?
u26]zz
USER32.dll
u(SjhV
\]ve_l
 '}Vi(
VjHj@j
w!~~"\
-W66T9
wcscmp
__wgetmainargs
(W,g:g
__winitenv
WriteFile
wsprintfW
wwwwwww
wwwwwwww
wwwwwwwww
WWWWWWWWW
wwwwwwwwww
wwwwwwwwwwp
wwwwwwwwwww
wwwwwwwwwwww
_XcptFilter
x# #E+ 
ykw!'~thf
Z~ k&?
Z'R.ED
z`|s~U