Analysis Date: 2013-12-13 16:33:49
MD5: 8545b1bf543a55e55c501d33787a737b
SHA1: fbeb19a1366b093f07fb1a25684e60a820f5c1f2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 87e5aa640cac4e757b8da7e77d141643 sha1: a3f0b94728d70deb3f6eb19dcfec90f983546368 size: 29696
Section .reloc: md5: 9a2da250a59d3c4ed7297e470b491d59 sha1: 2f93d777b09f724bb4132ee2be21c6b7fcad8e38 size: 512
Timestamp: 2013-12-06 18:20:51
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: c672385eae894396a7ae3fba8699287b887814bc
AV (avg): ILCrypt
AV (avira): TR/Dropper.Gen

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\dae31c02cb06222e776b9ccb9207edb1\US ➝ !\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\system.exe
Creates Process: "C:\Documents and Settings\Administrator\Application Data\system.exe"

Process
↳ "C:\Documents and Settings\Administrator\Application Data\system.exe"

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 ➝ "C:\Documents and Settings\Administrator\Application Data\system.exe" ..\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 ➝ "C:\Documents and Settings\Administrator\Application Data\system.exe" ..\\x00
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\dae31c02cb06222e776b9ccb9207edb1.exe
Creates Process: dw20.exe -x -s 284
Creates Process: netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Application Data\system.exe" "system.exe" ENABLE

Process
↳ dw20.exe -x -s 284

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1C6B6.dmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Application Data\system.exe" "system.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL

Network Details:

Strings
server, version=0.0.0.0, culture=neutral, publickeytoken=null
72-~[i
7 4~3J
add_AssemblyResolve
AppDomain
Assembly
AssemblyName
BinaryReader
bY5m1mH
c2VydmVyLCB2ZXJzaW9uPTAuMC4wLjAsIGN1bHR1cmU9bmV1dHJhbCwgcHVibGlja2V5dG9rZW49bnVsbA==
CompressionMode
Convert
_CorExeMain
DeflateStream
Dispose
Encoding
Evidence
ExecuteAssemblyByName
GetBytes
get_CurrentDomain
get_Default
GetExecutingAssembly
GetManifestResourceStream
get_Name
IDisposable
IntPtr
IP0RK&
luuD9lpNIEiY9z2AvG6ujg==
<Module>
mscoree.dll
mscorlib
Object
O/d8opLO90i1O1IBo6u8Lw==
onRL^c
:[Or#F
Q0oJPuDYV0mF4fkxWmsKwg==
ReadBytes
ReadInt32
`.reloc
ResolveEventArgs
ResolveEventHandler
ServerLoader
STAThreadAttribute
Stream
String
#Strings
System
System.IO
System.IO.Compression
System.Reflection
System.Security.Policy
System.Text
!This program cannot be run in DOS mode.
tMm20+u8qku+AtDM35n1qQ==
ToBase64String
ToLowerInvariant
U^gmU7
v2.0.50727
x1}IS.H
X|d~=Y)
Xz#Pij