Analysis Date: 2015-11-01 15:58:54
MD5: e1e321d0bbde1766dbec51571c87645a
SHA1: fd8072c1c14907f14b9da09555fc92155b7a4f87

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 189723eadb57725352d47e5ec415a83e sha1: dd3e5a40dc9708792a69cf204f3a4aecaa7360f2 size: 105984
Section .rdata: md5: 43b5258b1dc54cedb7feef2dc16ec81d sha1: 493ae960e1b46bb59a32e28d4da8495588e2c6a3 size: 40448
Section .data: md5: 77deecbb5131ed83941c747ea93174e7 sha1: b0f15944fe4feb73bbc9a1afbaa19c14815f850b size: 36352
Section .rsrc: md5: d13e2b41d5035ec79adb6f85156c5674 sha1: a7a55ef7a7fcb5066a253afa341207de6ec69de1 size: 112640
Timestamp: 2015-10-20 07:17:37
Packer: Microsoft Visual C++ ?.?
PEhash: 8d2b48706516bbe8f221a44a17cc3441663e2b22
IMPhash: 39fe88d86e979c953ab37a866df5dc08
AV Ad-Aware: Trojan.GenericKDZ.30724
AV Grisoft (avg): Crypt_r.AFQ
AV CAT (quickheal): no_virus
AV Ikarus: Trojan.Win32.Injector
AV Avira (antivir): TR/AD.Crowti.Y.451
AV K7: Trojan ( 004cef571 )
AV ClamAV: no_virus
AV Kaspersky: Trojan-Ransom.Win32.Cryptodef.aaeu
AV Arcabit (arcavir): Trojan.GenericKDZ.30724
AV MalwareBytes: Ransom.CryptoWall
AV Dr. Web: Trojan.DownLoader16.45853
AV Mcafee: Gamarue-FDC!E1E321D0BBDE
AV BitDefender: Trojan.GenericKDZ.30724
AV Microsoft Security Essentials: Ransom:Win32/Crowti
AV Emsisoft: Trojan.GenericKDZ.30724
AV MicroWorld (escan): Trojan.GenericKDZ.30724
AV Alwil (avast): Androp [Drp]
AV Padvish: no_virus
AV Eset (nod32): Win32/Injector.BNHS
AV Rising: no_virus
AV BullGuard: Trojan.GenericKDZ.30724
AV Fortinet: W32/Kryptik.EASA!tr
AV Symantec: no_virus
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Trend Micro: no_virus
AV Frisk (f-prot): no_virus
AV Twister: no_virus
AV CA (E-Trust Ino): no_virus
AV VirusBlokAda (vba32): Backdoor.Androm
AV F-Secure: Trojan.GenericKDZ.30724
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe
Creates File: C:\6ff06165\6ff06165.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\6ff06165.exe
Creates Process: -k netsvcs
Creates Process: vssadmin.exe Delete Shadows /All /Quiet

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: curlmyip.com
Winsock DNS: myexternalip.com
Winsock DNS: peegas.ru
Winsock DNS: martinelacasse.ca
Winsock DNS: dkforma.ru
Winsock DNS: z-en.ru
Winsock DNS: ip-addr.es

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc

Network Details:

DNS: ip-addr.es, Type: A ➝ 188.165.164.184
DNS: myexternalip.com, Type: A ➝ 78.47.139.102
HTTP GET: http://ip-addr.es/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://myexternalip.com/raw
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 188.165.164.184:80
Flows TCP: 192.168.1.1:1032 ➝ 78.47.139.102:80
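The runtime and network sections above show the behaviour the ransomware labels (Ransom.CryptoWall, Ransom:Win32/Crowti, Trojan-Ransom.Win32.Cryptodef) point at: malware.exe hands control to explorer.exe, which drops an 8-hex-digit copy of itself into the Startup folder, Application Data and a same-named directory at the drive root, starts a service host with "-k netsvcs", deletes every Volume Shadow Copy with vssadmin, and fetches the victim's public IP from ip-addr.es / myexternalip.com. The detection logic below is an added example, not code from the sandbox or from this report; it runs the corresponding rules over constructed process, file and DNS events modelled on the report. It assumes the truncated "-k netsvcs" process is svchost.exe (the report does not show the image name), and it also matches the wmic "shadowcopy delete" form of shadow-copy destruction, which is not in this report but is the equivalent command.

```python
"""Behavioural detection for the activity in this report: shadow-copy deletion,
autostart drops named with eight hex digits, service hosts spawned by the wrong
parent, and external-IP lookups. Added example, not the sandbox's own code."""
import re

# Domains taken from the report above.
EXTERNAL_IP_SERVICES = {"curlmyip.com", "myexternalip.com", "ip-addr.es"}
REPORTED_DOMAINS = {"peegas.ru", "martinelacasse.ca", "dkforma.ru", "z-en.ru"}

# Shadow-copy destruction. The vssadmin form is what the report shows; the wmic
# form is the equivalent command other ransomware uses (assumption, not from the report).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]

# Persistence drops seen in the report: an 8-hex-digit .exe in the Startup
# folder, in Application Data, and in a same-named directory at the drive root.
HEX8 = r"[0-9a-f]{8}"
AUTOSTART_DROP = [
    re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I),
    re.compile(rf"^[a-z]:\\{HEX8}\\{HEX8}\.exe$", re.I),
    re.compile(rf"\\application data\\{HEX8}\.exe$", re.I),
]

# svchost.exe is normally started by services.exe; in the report explorer.exe
# (which malware.exe handed control to) starts it with "-k netsvcs".
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(parent, image, cmdline):
    """Return the rule names matched by one process-creation event."""
    hits = []
    if any(rx.search(cmdline) for rx in SHADOW_DELETE):
        hits.append("shadow_copy_deletion")
    expected = EXPECTED_PARENT.get(basename(image))
    if expected and basename(parent) not in expected:
        hits.append("service_host_unexpected_parent")
    if hits and basename(parent) == "explorer.exe":
        hits.append("explorer_spawns_suspicious_child")
    return hits


def check_file(path):
    return ["autostart_drop"] if any(rx.search(path) for rx in AUTOSTART_DROP) else []


def check_dns(host):
    h = host.lower().rstrip(".")
    if h in EXTERNAL_IP_SERVICES:
        return ["external_ip_lookup"]
    if h in REPORTED_DOMAINS:
        return ["reported_contact_domain"]
    return []


def analyze(events):
    """Run every rule over a list of event dicts and attach an overall verdict."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            hits = check_process(ev["parent"], ev["image"], ev["cmdline"])
        elif ev["type"] == "file":
            hits = check_file(ev["path"])
        elif ev["type"] == "dns":
            hits = check_dns(ev["host"])
        else:
            hits = []
        alerts.extend((name, ev) for name in hits)
    names = {name for name, _ in alerts}
    # Shadow deletion together with an autostart drop is the ransomware pattern in this report.
    verdict = "ransomware_behaviour" if {"shadow_copy_deletion", "autostart_drop"} <= names else "no_verdict"
    return {"alerts": alerts, "verdict": verdict}


# Constructed events mirroring the report's process tree, plus two benign controls
# (svchost started by services.exe, and an ordinary DNS lookup).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\malware.exe", "image": r"C:\WINDOWS\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "file", "path": r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe"},
    {"type": "file", "path": r"C:\6ff06165\6ff06165.exe"},
    {"type": "file", "path": r"C:\Documents and Settings\Administrator\Application Data\6ff06165.exe"},
    {"type": "process", "parent": r"C:\WINDOWS\explorer.exe", "image": r"C:\WINDOWS\system32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "parent": r"C:\WINDOWS\explorer.exe", "image": r"C:\WINDOWS\system32\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "dns", "host": "ip-addr.es"},
    {"type": "dns", "host": "myexternalip.com"},
    {"type": "dns", "host": "peegas.ru"},
    {"type": "process", "parent": r"C:\WINDOWS\system32\services.exe", "image": r"C:\WINDOWS\system32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "dns", "host": "www.microsoft.com"},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for name, ev in result["alerts"]:
        print(f"{name:36s} {ev}")
    print("verdict:", result["verdict"])
```

On a real host the same rules apply to Sysmon process-creation (Event ID 1), file-creation (Event ID 11) and DNS (Event ID 22) records; the parent check is the one that separates this sample's service host from the thousands of legitimate svchost.exe starts, and the shadow-copy rule is worth alerting on in isolation because there is almost no benign reason for explorer.exe to run it.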
