Malware Analysis Forum
 Post subject: mmcodecs.com/download/47jxf/mmcodec.exe
Posted: Wed Apr 09, 2008 11:13 pm
Download Link: hxxp://mmcodecs.com/download/47jxf/mmcodec.exe

File Name: mmcodec.exe

VirusTotal Result: 12/32 (37.5%)
AntiVir 7.6.0.81 2008.04.09 TR/Crypt.XDR.Gen
Avast 4.8.1169.0 2008.04.09 Win32:Burner-E
AVG 7.5.0.516 2008.04.09 Downloader.Zlob.VKU
BitDefender 7.2 2008.04.09 MemScan:Adware.Hoax.Renos.AP
Fortinet 3.14.0.0 2008.04.09 W32/Dloader.XWH!tr
Ikarus T3.1.1.26.0 2008.04.09 Trojan.Crypt.XDR
Kaspersky 7.0.0.125 2008.04.09 not-virus:Hoax.Win32.Burner.a
Norman 5.80.02 2008.04.09 W32/Renos.QJ.dropper
Panda 9.0.0.4 2008.04.08 Suspicious file
Prevx1 V2 2008.04.09 Trojan.Ecodec
Sophos 4.28.0 2008.04.09 Mal/EncPk-CO
Webwasher-Gateway 6.6.2 2008.04.09 Trojan.Crypt.XDR.Gen

File info:
File size: 169984 bytes
MD5...: df6b1c191764ef62a751a2e6ca6fda96
SHA1..: df767c72ae5f9599714283df3e2c1ca90b9c289a
SHA256: 4e9e0697658095ec3315577052166bb7ffb8d33f6175d513a744fd51474de126
SHA512: b4cea3554054b92339cd48cef49ca60e6ada8327c438b3b58216d56d27d6ad9d6495a9ff2b8c03ee15ca0e628c6ac4df2752ce79753c39a32d7cf7367dd9becc

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0002
Time/Date stamp: 47F99438
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 0103
Magic: 010B
Linker version (major): 08
Linker version (minor): 00
Size of code: 00021A00
Size of initialized data: 00000200
Size of uninitialized data: 00000000
Address of entry point: 00001000
Base of code: 00001000
Base of data: 00023000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00024000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0600
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
.text 000219FC 00001000 00021A00 00000400 E0000020
.rdata 00000166 00023000 00000200 00021E00 40000040

Import table (libraries: 2)
ntdll.dll (imports: 6)
wcslen
_wcsicmp
NtProtectVirtualMemory
NtUnmapViewOfSection
NtMapViewOfSection
memcpy
KERNEL32.dll (imports: 4)
GetProcAddress
LoadLibraryW
GetCurrentProcess
GetModuleHandleA

.text:00401000 ; Format : Portable executable for 80386 (PE)
.text:00401000 ; Imagebase : 400000
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size : 00026000 ( 155648.)
.text:00401000 ; Section size in file : 00025800 ( 153600.)
.text:00401000 ; Offset to raw data for section: 00000400
.text:00401000 ; Flags E0000020: Text Executable Readable Writable
.text:00401000 ; Alignment : default
.text:00401000
.text:00401000 .686p
.text:00401000 .mmx
.text:00401000 .model flat

Load Time DLL:
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000
C:\WINDOWS\system32\user32.dll 0x7E410000 0x00090000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00815000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000

Run Time DLL:
Module Name Base Address Size
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\urlmon.dll 0x42CF0000 0x00124000
C:\WINDOWS\system32\ieframe.dll 0x42EF0000 0x005CB000
C:\WINDOWS\system32\UxTheme.dll 0x5AD70000 0x00038000
C:\WINDOWS\system32\netapi32.dll 0x5B860000 0x00054000
C:\WINDOWS\system32\MSCTF.dll 0x74720000 0x0004B000
C:\WINDOWS\system32\msctfime.ime 0x755C0000 0x0002E000
C:\WINDOWS\system32\PSAPI.DLL 0x76BF0000 0x0000B000
C:\WINDOWS\system32\CLBCATQ.DLL 0x76FD0000 0x0007F000
C:\WINDOWS\system32\COMRes.dll 0x77050000 0x000C5000
C:\WINDOWS\system32\OLEAUT32.DLL 0x77120000 0x0008B000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\SETUPAPI.dll 0x77920000 0x000F3000
C:\WINDOWS\system32\Apphelp.dll 0x77B40000 0x00022000
C:\WINDOWS\system32\version.dll 0x77C00000 0x00008000

Popup Window:
Window Name Window Text
Runtime error OK Unsupported Operating System Version

Registry Changes:
Key Name New Value
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common Desktop C:\Documents and Settings\All Users\Desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common Documents C:\Documents and Settings\All Users\Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83ce-7d74-11dc-97e2-806d6172696f}\ BaseClass Drive
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83cf-7d74-11dc-97e2-806d6172696f}\ BaseClass Drive
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cache C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cookies C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Desktop C:\Documents and Settings\user\Desktop
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Personal C:\Documents and Settings\user\My Documents
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AutoDetect 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ IntranetName 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ProxyBypass 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ UNCAsIntranet 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\ C:\1.bat 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\ C:\WINDOWS\comsysobj.exe comsysobj
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\ C:\WINDOWS\hllibex.exe hllibex
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\ C:\WINDOWS\shellexcon.exe shellexcon
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\ C:\WINDOWS\win32st.exe win32st
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\ C:\WINDOWS\winstrse.exe winstrse

Registry Reads:
Key Name Value Times
HKLM\SOFTWARE\CLASSES\.ADE Access.ADEFile.11 6
HKLM\SOFTWARE\CLASSES\.ADP Access.Project.11 6
HKLM\SOFTWARE\CLASSES\.ASP aspfile 6
HKLM\SOFTWARE\CLASSES\.BAT batfile 8
HKLM\SOFTWARE\CLASSES\.CER CERFile 5
HKLM\SOFTWARE\CLASSES\.CHM chm.file 5
HKLM\SOFTWARE\CLASSES\.CMD cmdfile 5
HKLM\SOFTWARE\CLASSES\.COM comfile 5
HKLM\SOFTWARE\CLASSES\.CPL cplfile 5
HKLM\SOFTWARE\CLASSES\.CRT CERFile 5
HKLM\SOFTWARE\CLASSES\.EXE exefile 11
HKLM\SOFTWARE\CLASSES\BATFILE\SHELL\OPEN\COMMAND "%1" %* 2
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32 %SystemRoot%\system32\SHELL32.dll 2
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32 C:\WINDOWS\system32\urlmon.dll 2
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32 ThreadingModel Both 1
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\INPROCSERVER32 C:\WINDOWS\system32\ieframe.dll 2
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\INPROCSERVER32 ThreadingModel Apartment 1
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELLFOLDER WantsParseDisplayName 1
HKLM\SOFTWARE\CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\INPROCSERVER32 shell32.dll 6
HKLM\SOFTWARE\CLASSES\DIRECTORY AlwaysShowExt 1
HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} DriveMask 32 6
HKLM\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND "%1" %* 10
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnablePunycode 1 1
HKLM\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 C:\WINDOWS\system32\ieframe.dll 1
HKLM\Software\Microsoft\COM3 Com+Enabled 1 4
HKLM\Software\Microsoft\COM3 REGDBVersion 0x0f00000000000000 4
HKLM\Software\Microsoft\CTF\SystemShared CUAS 0 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM Ime File msctfime.ime 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation CutList 0x4100700070006c00690063006100740069006f006e002000460069006c00 12
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks {AEB6717E-7E19-11d0-97EE-00C04FD91972} 6
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Desktop %ALLUSERSPROFILE%\Desktop 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Documents %ALLUSERSPROFILE%\Documents 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com\related http 4 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ExecutableTypes 0x410044004500000041004400500000004200410053000000420041005400 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers TransparentEnabled 1 6
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName USER 2
HKLM\System\Setup SystemSetupInProgress 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ ShellState 0x2400000033880000000000000000000000000000010000000d0000000000 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced DontPrettyPath 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Filter 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideIcons 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced MapNetDrvBtn 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced NoNetCrawling 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SeparateProcess 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowCompColor 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowInfoTip 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced WebView 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83ce-7d74-11dc-97e2-806d6172696f}\ Data 0x000000005c005c003f005c0049004400450023004300640052006f006d00 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83ce-7d74-11dc-97e2-806d6172696f}\ Generation 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83cf-7d74-11dc-97e2-806d6172696f}\ Data 0x000000005c005c003f005c00530054004f00520041004700450023005600 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83cf-7d74-11dc-97e2-806d6172696f}\ Generation 1 6
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cache %USERPROFILE%\Local Settings\Temporary Internet Files 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cookies %USERPROFILE%\Cookies 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Desktop %USERPROFILE%\Desktop 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Personal %USERPROFILE%\My Documents 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ @ivt 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ file 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ ftp 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ http 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ https 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ shell 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1806 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Flags 33 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Flags 475 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Flags 71 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Flags 1 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Flags 3 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached {871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401 0x01000000310032003a893fef1312c801 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam USER 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache LangID 0x0904

Monitored Registry Values:
Key Name Watch subtree Notify Filter Count
HKLM\Software\Classes 1 Key Change,Value Change 6
HKLM\Software\Classes\CLSID 1 Key Change,Value Change 4
HKLM\Software\Microsoft\COM3 1 Key Change,Value Change 12
HKU 1 Key Change,Value Change 6

Files Created:
C:\1.bat
C:\WINDOWS\comsysobj.exe
C:\WINDOWS\config.ini
C:\WINDOWS\cracrwinz.exe
C:\WINDOWS\hllibex.exe
C:\WINDOWS\shellexcon.exe

Files Read:
C:\1.bat
C:\Documents and Settings\All Users\Documents\desktop.ini
C:\Documents and Settings\user\My Documents\desktop.ini
C:\WINDOWS\Registration\R00000000000f.clb
PIPE\lsarpc
PIPE\wkssvc

Files Monitored:
MountPointManager
PIPE\lsarpc
PIPE\wkssvc

FileSystem Control Communication:
PIPE\wkssvc 0x0011C017 1
PIPE\lsarpc 0x0011C017 10

Device Control Communication:
File Control Code Times
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} 0x004D0008 1
MountPointManager 0x006D0008 2
STORAGE#Volume#1&30a96598&0&Signature95619561Offset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} 0x004D0008 1
MountPointManager 0x006D0034 4
WMIDataDevice 0x00228144 2

Memory Mapped:
File Name
C:\WINDOWS\system32\Msimtf.dll
C:\WINDOWS\system32\rpcss.dll

Process Created:
Executable Command Line
C:\WINDOWS\comsysobj.exe "C:\WINDOWS\comsysobj.exe"
C:\WINDOWS\hllibex.exe "C:\WINDOWS\hllibex.exe"
C:\WINDOWS\shellexcon.exe "C:\WINDOWS\shellexcon.exe"
C:\WINDOWS\win32st.exe "C:\WINDOWS\win32st.exe"
C:\WINDOWS\winstrse.exe "C:\WINDOWS\winstrse.exe"

Mutex Created:
CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003
Local\ZoneAttributeCacheCounterMutex
MSCTF.Shared.MUTEX.AN

Process Started:
Filename: comsysobj.exe
MD5: 17195c2104aee64b598aa815332bb6a4
SHA-1: 803d471f7b2c03f185c74444dd01309e82afe55c
File Size: 25600 Bytes
Command Line: "C:\WINDOWS\comsysobj.exe"

Registry Changes:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SMSERIALWORKSTARTER "C:\WINDOWS\comsysobj.exe"

File Read:
C:\WINDOWS\config.ini

Process Started:
Filename: hllibex.exe
MD5: 744fc079a188122a3710c1722cf30f55
SHA-1: 9468c1ccc72d1347b885ce17b1a8757ea4fc5b0e
File Size: 20992 Bytes
Command Line: "C:\WINDOWS\hllibex.exe"

Process Started:
Filename: shellexcon.exe
MD5: 3fe0e32201f34616edb7447e976df470
SHA-1: 8bf1aaa5468b8ad3def3feb7c1337509ed98f51b
File Size: 29184 Bytes
Command Line: "C:\WINDOWS\shellexcon.exe"

Registry Changes:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SMSERIALWORKERSTART "C:\WINDOWS\shellexcon.exe"

Registry Read:
HKLM\Software\Microsoft\CTF\SystemShared CUAS 0 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM Ime File msctfime.ime

File Read:
C:\WINDOWS\config.ini

Process Started:
Filename: win32st.exe
MD5: 7dfb42300357f7b50ba763497e6c41c7
SHA-1: 12da99a05a8dd561b44dce911251f517b0b3b149
File Size: 36864 Bytes
Command Line: "C:\WINDOWS\win32st.exe"

Registry Changes:
Key Name New Value
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SMSERIALSTARTER "C:\WINDOWS\win32st.exe"

Registry Changes:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SMSERIALWORKERSTARTER "C:\WINDOWS\winstrse.exe"

File Read:
C:\WINDOWS\config.ini

Process Started:
Filename: cmd.exe
MD5: eeb024f2c81f0d55936fb825d21a91d6
SHA-1: dd47ff16176412ec2e170cda441b4a220ff52f46
File Size: 388608 Bytes
Command Line: cmd /c ""C:\1.bat" C:\sample.exe"

Registry Reads:
Key Name Value Times
HKLM\Software\Microsoft\Command Processor AutoRun 1
HKLM\Software\Microsoft\Command Processor CompletionChar 64 1
HKLM\Software\Microsoft\Command Processor DefaultColor 0 1
HKLM\Software\Microsoft\Command Processor EnableExtensions 1 1
HKLM\Software\Microsoft\Command Processor PathCompletionChar 64 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers DefaultLevel 262144 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers PolicyScope 0 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} HashAlg 32771 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ItemData 0x5eab304f957a49896a006c1c31154015 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ItemSize 779 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} SaferFlags 0 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} HashAlg 32771 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ItemData 0x67b0d48b343a3fd3bce9dc646704f394 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ItemSize 517 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} SaferFlags 0 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} HashAlg 32771 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ItemData 0x327802dcfef8c893dc8ab006dd847d1d 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ItemSize 918 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} SaferFlags 0 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} HashAlg 32771 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ItemData 0xbd9a2adb42ebd8560e250e4df8162f67 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ItemSize 229 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} SaferFlags 0 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} HashAlg 32771 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ItemData 0x386b085f84ecf669d36b956a22c01e80 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ItemSize 370 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} SaferFlags 0 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ItemData %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} SaferFlags 0 1
HKLM\System\CurrentControlSet\Control\Nls\Language Groups 1 1 1
HKLM\System\CurrentControlSet\Control\Nls\Locale 00000409 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor CompletionChar 9 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor DefaultColor 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor EnableExtensions 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cache C:\Documents and Settings\user\Local Settings\Temporary Internet Files 1

Files Read:
C:\1.bat

Files Deleted:
C:\1.bat
C:\sample.exe

_________________
.:: MaliciousBrains ::.
http://www.malwareinfo.org

There are no patches or service packs for IGNORANCE!!

