Analysis Report

Overview

General Information

Analysis ID: 45855
Start time: 14:14:49
Start date: 07/08/2014
Overall analysis duration: 0h 2m 41s
Report type: full
Sample file name: 894c20f0d97c5a1dee106331e00abd48.exe
Cookbook file name: default.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
HCA enabled: true
HCA success:
  • true, ratio: 97%
  • Number of executed functions: 27
  • Number of non-executed functions: 177


Detection

Strategy | Report FP/FN
Threshold | malicious


Signature Overview


Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\WINDOWS\system32\ping.exe

Boot Survival:

Creates an autostart registry key
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 894c20f0d97c5a1dee106331e00abd48
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 894c20f0d97c5a1dee106331e00abd48
Drops PE files to the user root directory (C:\Documents and Settings\User or C:\Users\User)
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | File created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe

Persistence and Installation Behavior:

Drops PE files
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | File created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Drops PE files to the user directory (C:\Documents and Settings\)
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | File created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_0041F19A LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_0041F19A
PE file contains an invalid checksum
Source: initial sample | Static PE information: real checksum: 0x1815c should be: 0x67433

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_00405880 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,RegOpenKeyExA,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,lstrcatA,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegCloseKey,RegQueryValueExA,RegCloseKey,RegCloseKey,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,LoadLibraryA,SetCurrentDirectoryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindFirstFileA,FreeLibrary,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,FreeLibrary,1_2_00405880

System Summary:

Contains functionality for error logging
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_00402860 lstrlenA,lstrcpynA,GetStockObject,LoadCursorA,GetLastError,FormatMessageA,CreateWindowExA,GetClassInfoA,SetWindowLongA,SendMessageA,1_2_00402860
Contains functionality to access the windows certificate store
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_00406690 Sleep,CertOpenSystemStoreA,GetLastError,CertCreateCertificateContext,CertCloseStore,CreateThread,CertAddCertificateContextToStore,GetLastError,TerminateThread,CertFreeCertificateContext,CertCloseStore,1_2_00406690
Contains functionality to enum processes or threads
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_0040D5D0 CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,1_2_0040D5D0
Contains functionality to load and extract PE file embedded resources
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_0041751C GetStartupInfoW,GetFileType,InitializeCriticalSectionAndSpinCount,GetStdHandle,GetFileType,InitializeCriticalSectionAndSpinCount,LockResource,1_2_0041751C
Creates files inside the user directory
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | File created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Executable uses VB runtime library 6.0 (Probably coded in Visual Basic)
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Section loaded: C:\WINDOWS\system32\msvbvm60.dll
Executes batch files
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Process created: C:\WINDOWS\system32\cmd.exe cmd /c C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.bat
Reads ini files
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | File read: C:\Documents and Settings\Administrator\My Documents\desktop.ini
Spawns processes
Source: unknown | Process created: C:\894c20f0d97c5a1dee106331e00abd48.exe
Source: unknown | Process created: C:\894c20f0d97c5a1dee106331e00abd48.exe
Source: unknown | Process created: C:\WINDOWS\system32\cmd.exe
Source: unknown | Process created: C:\WINDOWS\system32\ping.exe
Source: unknown | Process created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Source: unknown | Process created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Process created: C:\894c20f0d97c5a1dee106331e00abd48.exe C:\894c20f0d97c5a1dee106331e00abd48.exe
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Process created: C:\WINDOWS\system32\cmd.exe cmd /c C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.bat
Source: C:\WINDOWS\system32\cmd.exe | Process created: C:\WINDOWS\system32\ping.exe ping -n 1 localhost
Source: C:\WINDOWS\system32\cmd.exe | Process created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe | Process created: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
Enables driver privileges
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Process token adjusted: Load Driver

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_0040D2D0 LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeLibrary,1_2_0040D2D0
Contains functionality to launch a program with higher privileges
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_004060D0 GetModuleFileNameA,KillTimer,ShellExecuteA,PostQuitMessage,ShellExecuteA,PostQuitMessage,1_2_004060D0
Injects a PE file into a foreign process
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Memory written: C:\894c20f0d97c5a1dee106331e00abd48.exe base: 400000 value starts with: 4D5A
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe | Memory written: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe base: 400000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Thread register set: target process: 3488

Anti Debugging and Sandbox Evasion:

Contains functionality to register its own exception handler
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_0041B1D4 SetUnhandledExceptionFilter,1_2_0041B1D4
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_00410A4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00410A4E
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_0041695A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0041695A
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_1_0041B1D4 SetUnhandledExceptionFilter,1_1_0041B1D4
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_1_00410A4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_1_00410A4E
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_1_0041695A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_1_0041695A
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 5_2_0041B1D4 SetUnhandledExceptionFilter,5_2_0041B1D4
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 5_2_00410A4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00410A4E
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 5_2_0041695A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0041695A
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_00410A4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00410A4E
Contains functionality to dynamically determine API calls
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_0041F19A LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_0041F19A
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_0040C850 Sleep,RasEnumEntriesA,RasEnumEntriesA,GetProcessHeap,HeapAlloc,RasEnumEntriesA,RasGetEntryPropertiesA,RasSetEntryPropertiesA,GetProcessHeap,HeapFree,1_2_0040C850
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Memory protected: page read and write and page guard

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_00405880 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,RegOpenKeyExA,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,lstrcatA,RegOpenKeyExA,RegCloseKey,RegCloseKey,RegCloseKey,RegQueryValueExA,RegCloseKey,RegCloseKey,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,LoadLibraryA,SetCurrentDirectoryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindFirstFileA,FreeLibrary,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,FreeLibrary,1_2_00405880
Queries a list of all running processes
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe | Process information queried: ProcessInformation

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Process information set: NOOPENFILEERRORBOX (35 identical events)
Source: C:\WINDOWS\system32\cmd.exe | Process information set: NOOPENFILEERRORBOX (7 identical events)
Source: C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe | Process information set: NOOPENFILEERRORBOX (43 identical events)
Deletes itself after installation
Source: C:\WINDOWS\system32\cmd.exe | File deleted: c:\894c20f0d97c5a1dee106331e00abd48.exe

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\894c20f0d97c5a1dee106331e00abd48.exe | Code function: 1_2_00411553 GetSystemTimeAsFileTime,1_2_00411553

Yara Overview

No Yara matches

Screenshot

Startup

  • system is xp
  • cleanup

Created / dropped Files

File Path | Type and Hashes
C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.bat
  • Type: ASCII text, with CRLF line terminators
  • MD5: D1C03BFDCC8411B9475F5853B4181794
  • SHA: 7B08E10D36D19E74C95FBF8FC5B8EEFB1395F73C
  • SHA-256: 6CA61E83124B3A859E30FECDA890BA15CD1546738F5A240E6944ED745369085A
  • SHA-512: 2617C134C5F6FD784D9507244E37CC515FC012FF6F439E8B1CC318C97E2029A21CB7850B4BB91AB2D293B2AB137CCD068269EBACA21A5AB05F4145A7EB87868D
C:\Documents and Settings\All Users\894c20f0d97c5a1dee106331e00abd48.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
  • MD5: 894C20F0D97C5A1DEE106331E00ABD48
  • SHA: 3C748800EF937E690D6779E4424CE30F7CA12911
  • SHA-256: 6AEF8BF0505A203D9A63A8EA0711C98C8AAD5B6EDE641FE11EE42402D0D10A54
  • SHA-512: E22CB8D5E54079797EE02B86EBA152E39C37350202E83155D8A8AD6A02380F5747F4183CBD449A79A8FEB6665BDDC2888779606A8306432B1100294246D724A0
\Device\Null
  • Type: ASCII text, with CRLF, CR line terminators
  • MD5: E33CC7998AEDAA2E2E6A52CB06F1CA2E
  • SHA: D950B332D697BA3B19B9F56393D50D7DE650EEA6
  • SHA-256: E1A2C6E7C7DA582CEDB448BD0A078501C1B02F858FBBCE4A53699F3381E4D269
  • SHA-512: C5A6453BB93D3E5DDB79B54D042A8653CC0283ECE8D9EAF6883F8BBCC3D711F03FF9A8431FAE44BE3D78A95C61E1C87C5B8F6BDB4DF48B3B0E9D2833784C42A9

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
File name: 894c20f0d97c5a1dee106331e00abd48.exe
File size: 359678
MD5: 894c20f0d97c5a1dee106331e00abd48
SHA1: 3c748800ef937e690d6779e4424ce30f7ca12911
SHA256: 6aef8bf0505a203d9a63a8ea0711c98c8aad5b6ede641fe11ee42402d0d10a54
SHA512: e22cb8d5e54079797ee02b86eba152e39c37350202e83155d8a8ad6a02380f5747f4183cbd449a79a8feb6665bddc2888779606a8306432b1100294246d724a0

File Icon

Static PE Info

General

Entrypoint: 0x4015fc
Entrypoint Section: .text
Digitally signed: true
Signature Valid:
Signature Issuer:
Signature Validation Error:
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x53CDECFE [Tue Jul 22 04:47:58 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0

Entrypoint Preview

Instruction
push 004018ACh
call 00007F1DD0A322C3h
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+3A7882A7h], bl
js 00007F1DD0A32341h
dec esi
mov ecx, BB0995D4h
or ecx, dword ptr [edx]
pop ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jne 00007F1DD0A3233Ch
jne 00007F1DD0A3234Bh
je 00007F1DD0A322D2h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00000000h], cl
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al
add byte ptr [esi-08h], al
fstcw word ptr [edi]
lodsb
imul dword ptr [ebx+4501B143h]
xor cl, bh
or byte ptr [esi+00000001h], FFFFFF98h
add byte ptr [eax], al
add byte ptr [eax+01000000h], ch
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
and byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+6Fh], al
insb
outsd
jc 00007F1DD0A32338h
jne 00007F1DD0A3233Eh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ah, cl
in eax, dx
movsb
and edx, dword ptr [ebp+60h]
dec esp
mov byte ptr [A5C5307Dh], al
imul ecx, esp, 4Dh
or dl, byte ptr [ebx+ebp*2+6Ah]
dec esp
add al, 8Eh
dec edi
mov ah, 8Bh

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd084 | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x8d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5000000 | 0x505 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x30 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1a4 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics
.text | 0x1000 | 0xc800 | 0xd000 | 4.48505293235 | False | 0.334097055288 | data | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xe000 | 0x2634 | 0x1000 | 0.0 | False | 0.00634765625 | data | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x8d8 | 0x1000 | 1.96916043516 | False | 0.170654296875 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE
RT_ICON | 0x117a8 | 0x130 | data | | | 0 | False
RT_ICON | 0x114c0 | 0x2e8 | data | | | 0 | False
RT_ICON | 0x11398 | 0x128 | GLS_BINARY_LSB_FIRST | | | 0 | False
RT_GROUP_ICON | 0x11368 | 0x30 | MS Windows icon resource - 3 icons, 32x32, 2-colors | | | 0 | False
RT_VERSION | 0x11150 | 0x218 | data | English | United States | 0 | False

Imports

DLL | Import
USER32.DLL | CallWindowProcA
MSVBVM60.DLL | __vbaVarSub, __vbaVarTstGt, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaLenBstrB, __vbaVargVarCopy, _adj_fdiv_m32, __vbaVarXor, __vbaAryDestruct, __vbaExitProc, __vbaVarForInit, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR4, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaAryConstruct2, __vbaVarTstEq, __vbaI2I4, DllFunctionCall, __vbaFpUI1, __vbaRedimPreserve, __vbaLbound, _adj_fpatan, __vbaFixstrConstruct, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaStr2Vec, __vbaUI1I4, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarAdd, __vbaAryLock, __vbaVarDup, __vbaStrToAnsi, __vbaVarMod, __vbaVarCopy, __vbaFpI4, _CIatan, __vbaStrMove, __vbaAryCopy, __vbaStrVarCopy, _allmul, _CItan, __vbaUI1Var, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaFreeStr

Version Infos

Description | Data
Translation | 0x0409 0x04b0
InternalName | 544
FileVersion | 8.01.0001
CompanyName | bhhyvcde
ProductName | nbhvgtcxwqa
ProductVersion | 8.01.0001
OriginalFilename | 544.exe

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Hooks - Code Manipulation Behavior

System Behavior