wildfire_report.pdf

WildFire Analysis Report

Table of Contents

1. File Information ................................................................... 22. Dynamic Analysis ................................................................. 2

2.1. VM1 (Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007) ................................ 22.1.1. Behavioral Summary ............................................................. 22.1.2. Network Activity ................................................................ 22.1.3. Host Activity .................................................................. 6

Process Activity ................................................................... 6"C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe" -child .................................... 6"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp781f8c98.bat" ............................ 8"C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe" ...................................... 8sample.exe .................................................................... 10

Event Timeline ................................................................... 112.2. VM2 (Windows 7, Adobe Reader 11, Flash 11, Office 2010) .................................. 25

2.2.1. Behavioral Summary ............................................................ 252.2.2. Network Activity ............................................................... 252.2.3. Host Activity ................................................................. 25

Process Activity .................................................................. 26"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 26"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 26"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 26"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 26sample.exe .................................................................... 26"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 27"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 27"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 28"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 28"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 28"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 28"C:\Windows\system32\cmd.exe" /c "C:\Users\ADMINI~1\AppData\Local\Temp\tmp21df0dae.bat" .............................. 28"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 29"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 29"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 29"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" ............................................. 29

Event Timeline ................................................................... 30

1 / 32

1 File Information

File Type PEFile SignerSHA-256 247bd80b23fbe7499b3348748e15d8937d6c720fc787b8318446434e980ffdbaMD5 cd7fec5998c24960e9248653c246b653File Size 295108 bytesFirst Seen Timestamp 2014-05-09 02:39:20 PSTVerdict MalwareAntivirus Coverage VirusTotal Information

2 Dynamic Analysis

2.1. VM1 (Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007)

2.1.1. Behavioral Summary This sample was found to be malware on this virtual machine.

Behavior Created a file in the Windows folder Used the POST method in HTTP Created an executable file in the Windows system folder Created an executable file in a user document folder Started a process from a user document folder Spawned new processes Deleted itself Injected code into another process Started or stopped a system service Registered a file as auto-start from a local directory Modified registries or system configuration to enable auto start capablity Modified Windows registries Changed security settings of Internet Explorer Changed the proxy settings for Internet Explorer Modified the network connections setting for Internet Explorer Created or modified files Attempted to sleep for a long period Disabled Safe Mode by modifying safe boot registries

2.1.2. Network Activity

DNS Queries

Domain Name Query Type DNS Responsemolinaderrec.com A 185.11.80.74google.nl NS ns3.google.comgoogle.com NS ns1.google.comgoogle.com A 173.194.113.7www.google.nl A 173.194.44.23molinaderrec.com NS ns3.andreia.rugoogle.com A 173.194.113.4ssl.gstatic.com A 173.194.113.23molinaderrec.com NS ns4.impis.rugoogle.com A 173.194.113.5molinaderrec.com A 31.8.219.66www.google.nl A 173.194.44.24google.com A 173.194.113.2google.nl NS ns2.google.commolinaderrec.com A 71.197.189.135

2 / 32

http://www.virustotal.com/latest-report.html?resource=247bd80b23fbe7499b3348748e15d8937d6c720fc787b8318446434e980ffdba

molinaderrec.com NS ns4.andreia.rugoogle.com NS ns4.google.commolinaderrec.com A 78.137.47.140google.com A 173.194.113.3www.google.nl A 173.194.44.31clients1.google.nl A 173.194.113.31google.com A 173.194.113.0google.com NS ns2.google.comgoogle.com A 173.194.113.1molinaderrec.com NS ns1.andreia.rugstatic.com NS ns2.google.commolinaderrec.com NS ns2.impis.russl.gstatic.com A 173.194.113.31clients1.google.nl A 173.194.113.23gstatic.com NS ns3.google.commolinaderrec.com A 46.118.77.80molinaderrec.com A 194.44.119.181molinaderrec.com NS ns3.impis.rumolinaderrec.com A 31.28.251.147molinaderrec.com A 95.67.81.31molinaderrec.com A 68.174.185.19molinaderrec.com NS ns1.impis.rumolinaderrec.com NS ns2.andreia.russl.gstatic.com A 173.194.113.24google.nl NS ns4.google.comgoogle.com A 173.194.113.8molinaderrec.com A 46.211.67.170gstatic.com NS ns1.google.commolinaderrec.com A 94.41.83.192google.com A 173.194.113.9google.com NS ns3.google.comclients1.google.nl A 173.194.113.24google.com A 173.194.113.14gstatic.com NS ns4.google.comgoogle.com A 173.194.113.6ssl.gstatic.com A 173.194.113.15google.nl NS ns1.google.com

HTTP Requests

HTTP Method URL User-AgentGET google.com/ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;

SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

POST molinaderrec.com/b/opt/144C9D01734BFB6C31A107F3 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

GET google.com/ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)



POST molinaderrec.com/b/opt/EABFE97F75FAEE40371012DF Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

GET www.google.nl/?gws_rd=cr&ei=76JsU63QPIPlOsiRgfAD Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR

3 / 32

3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

GET www.google.nl/?gws_rd=cr&ei=haJsU9O5B8SPOKHPgYgC Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

POST molinaderrec.com/b/opt/3EEDAFF950B3AB7E125957E1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)


GET www.google.nl/?gws_rd=cr&ei=zKJsU8yDCYvYPKjsgbAG Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)


GET www.google.nl/?gws_rd=cr&ei=uqJsU9aiG8SwPOaHgfgP Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)


GET www.google.nl/?gws_rd=cr&ei=TaNsU47eBoWqPPCGgPAD Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)


GET clients1.google.nl/generate_204 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

GET ssl.gstatic.com/gb/js/scm_2b9edb365d122da01f5cf2b5a536cae8.js Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

POST molinaderrec.com/b/opt/C8B5F767804344B2C2A9B82D Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

GET www.google.nl/?gws_rd=cr&ei=FqNsU_o-xvc79fCB0Ag Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

GET www.google.nl/?gws_rd=cr&ei=caNsU-yUNsbjOtrIgfAK Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)


GET www.google.nl/?gws_rd=cr&ei=KKNsU_7_GYXuOeHdgfAB Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

GET www.google.nl/images/srpr/nav_logo80.png Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;

4 / 32

.NET4.0E)GET www.google.nl/?gws_rd=cr&ei=OqNsU7blJ4aXPeuSgJgD Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;

SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

POST molinaderrec.com/b/opt/44DFB48F29646D0D6B8E9192 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

POST molinaderrec.com/b/opt/C3B267273F1D9D547DF761CB Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

POST molinaderrec.com/b/opt/74AE238F49A32A870B49D618 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

GET molinaderrec.com/b/eve/d2ba060f9050fa90f0326845 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

POST molinaderrec.com/b/opt/AF508E8EF8599C6DBAB360F2 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)


GET www.google.nl/?gws_rd=cr&ei=X6NsU-7MHcPuOvqDgfgP Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)


POST molinaderrec.com/b/opt/FD514D30402872AB02C28E34 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

POST molinaderrec.com/b/opt/A72E0EC28DBE8707CF547B98 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

GET www.google.nl/?gws_rd=cr&ei=A6NsU7vuJIrEPKHJgPgC Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

GET www.google.nl/?gws_rd=cr&ei=3qJsU77yDsfiOtKLgJAE Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)

POST molinaderrec.com/b/opt/0E02CB9E9605AA93D4EF560C Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C;.NET4.0E)


Connections

Host Port Protocol Country173.194.113.24 80 TCP US173.194.113.31 80 TCP US

5 / 32

173.194.113.8 80 TCP US46.118.77.80 80 TCP UA173.194.44.23 80 TCP US

2.1.3. Host ActivityProcess Name - "C:\Documents and Settings\Administrator\ApplicationData\Myysry\enyzolq.exe" -child(command: "C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe" -child)

File Activity

File ActionC:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt CreateC:\Documents and Settings\Administrator\Cookies\administrator@google[2].txt CreateC:\Documents and Settings\Administrator\Cookies\administrator@google[3].txt CreateC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DF1LSW9G\google[1] CreateC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DF1LSW9G\google[1].htm CreateC:\Documents and Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\K1XHOOEA\chrome-48[2].png

Create

C:\Documents and Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\LDKH2A5D\nav_logo80[2].png

Create

C:\Documents and Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\VPKKM73P\rs=AItRSTPqPxPQq9apHYeYn61I89z9NOuesQ[1]

Create

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VPKKM73P\logo9w[1].png CreateC:\Documents and Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\K1XHOOEA\scm_2b9edb365d122da01f5cf2b5a536cae8[1].js

Create

C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt Delete

Registry Activity

Registry Key Value ActionHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Create

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Create

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Create

HKEY_CURRENT_USER\SOFTWARE\Microsoft\InternetExplorer\Security\P3Global

Create

HKEY_CURRENT_USER\SOFTWARE\Microsoft\InternetExplorer\Security\P3Sites

Create

HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Extensions\CmdMapping

Create

HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing CreateHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon

Create

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\windows\CurrentVersion\Internet Settings

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\windows\CurrentVersion\Intern

Create

6 / 32

et Settings\ConnectionsHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings

Create

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

Create

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

C:\Documents and Settings\Administrator\Application Data Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\enyzolq.exe

11001 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache

C:\Documents and Settings\Administrator\LocalSettings\Temporary Internet Files

Set

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory

C:\Documents and Settings\Administrator\LocalSettings\Temporary Internet Files\Content.IE5

Set

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths

4 Set

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath

C:\Documents and Settings\Administrator\LocalSettings\Temporary Internet Files\Content.IE5\Cache1

Set



Set



Set



Set

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit

163724 Set


163724 Set


163724 Set


163724 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies

C:\Documents and Settings\Administrator\Cookies Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History

C:\Documents and Settings\Administrator\LocalSettings\History

Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@xpsp3res.dll

-20001 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

1 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

1 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

1 Set

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData

C:\Documents and Settings\All Users\Application Data Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy

1 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

0 Set

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable

0 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

NULL Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-6820 C:\Documents and Settings\Administrator\Local Set

7 / 32

03330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData

Settings\Application Data

Created Mutexes

Mutex NameLocal\{A3C4EA23-1B1A-AD61-B859-15889600F576}<NULL>MSIMGSIZECacheMutex

Process Name - "C:\WINDOWS\system32\cmd.exe" /c"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp781f8c98.bat"(command: "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp781f8c98.bat")

File Activity

File Actionc:\documents and settings\administrator\sample.exe DeleteC:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp781f8c98.bat Delete

Process Name - "C:\Documents and Settings\Administrator\ApplicationData\Myysry\enyzolq.exe"(command: "C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe")

Process Activity

Child Process Action"C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe" -child Create

File Activity

File ActionC:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt CreateC:\Documents and Settings\Administrator\Cookies\administrator@google[2].txt CreateC:\Documents and Settings\Administrator\Cookies\administrator@google[3].txt CreateC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LDKH2A5D\google[1].htm CreateC:\Documents and Settings\Administrator\Cookies\administrator@google[2].txt DeleteC:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt DeleteC:\Documents and Settings\Administrator\Cookies\administrator@google[3].txt DeleteC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LDKH2A5D\google[1].htm Delete

Registry Activity


Create


Create

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems

Create

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Create

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Create

8 / 32

HKEY_LOCAL_MACHINE\SOFTWARE\uQjb6Q CreateHKEY_CURRENT_USER\SOFTWARE\uQjb6Q CreateHKEY_LOCAL_MACHINE\Software\Microsoft\Tracing CreateHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon

Create

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\windows\CurrentVersion\Internet Settings

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections

Create

HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings

Create

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

Create

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

Create

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData


\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems\Windows

NULL Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache

C:\Documents and Settings\Administrator\LocalSettings\Temporary Internet Files

Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inenedpyaqwyipq

"C:\Documents and Settings\Administrator\ApplicationData\Myysry\enyzolq.exe"

Set

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inenedpyaqwyipq

"C:\Documents and Settings\Administrator\ApplicationData\Myysry\enyzolq.exe"

Set

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory

C:\Documents and Settings\Administrator\LocalSettings\Temporary Internet Files\Content.IE5

Set

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths

4 Set



Set



Set



Set



Set


163724 Set


163724 Set


163724 Set


163724 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies

C:\Documents and Settings\Administrator\Cookies Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History

C:\Documents and Settings\Administrator\LocalSettings\History

Set

\REGISTRY\MACHINE\SOFTWARE\uQjb6Q\Tasks NULL Set\REGISTRY\USER\S-1-5-21-2052111302-1214440339-6820 NULL Set

9 / 32

03330-500\Software\uQjb6Q\Tasks\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData

C:\Documents and Settings\All Users\Application Data Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy

1 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

0 Set

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable

0 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

NULL Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

1 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

1 Set

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

1 Set

Created Mutexes

Mutex NameLocal\{A3C4EA23-1B1A-AD61-B859-15889600F576}Local\{88628F11-7E28-86C7-B859-15889600F576}Global\{A4BBAF3C-5E05-AA1E-FCAE-E722D2F707DC}Global\{E9843906-C83F-E721-B859-15889600F576}c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!c:!documents and settings!administrator!cookies!c:!documents and settings!administrator!local settings!history!history.ie5!WininetConnectionMutex<NULL>Global\{A4BBAF3C-5E05-AA1E-8CAC-E722A2F507DC}

Process Name - sample.exe(command: c:\documents and settings\administrator\sample.exe)

Process Activity

Child Process Action"C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe" Create"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp781f8c98.bat" Create

File Activity

File ActionC:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe CreateC:\WINDOWS\Tasks\Security Center Update - 4194332589.job CreateC:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp781f8c98.bat Create

Registry Activity


Create

10 / 32


Create

HKEY_LOCAL_MACHINE\SOFTWARE\Mrdfiiithk CreateHKEY_CURRENT_USER\SOFTWARE\Mrdfiiithk Create\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData


\REGISTRY\MACHINE\SOFTWARE\Mrdfiiithk\License 444 Set\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Mrdfiiithk\License

444 Set

Created Services

Service Name Parent ProcessSecurityCenterServer4194332589 "C:\WINDOWS\system32\viebfomibu.exe" -service "C:\Documents

and Settings\Administrator\Application Data\Myysry\enyzolq.exe"

Created Mutexes

Mutex NameGlobal\{19DDCF68-3E51-1778-B859-15889600F576}

Event Timeline

1 Created Process c:\documents and settings\administrator\sample.exe2 Set key

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\AppData to value C:\Documents and Settings\Administrator\Application Data

3 Created mutex Global\{19DDCF68-3E51-1778-B859-15889600F576}4 Created file C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe5 Created file C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe6 Created file C:\WINDOWS\Tasks\Security Center Update - 4194332589.job7 Created service SecurityCenterServer4194332589 from "C:\WINDOWS\system32\viebfomibu.exe" -service "C:\Documents and

Settings\Administrator\Application Data\Myysry\enyzolq.exe"8 Set key \REGISTRY\MACHINE\SOFTWARE\Mrdfiiithk\License to value 4449 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Mrdfiiithk\License to value 44410 Created Process "C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe"11 Set key


12 Created mutex Local\{A3C4EA23-1B1A-AD61-B859-15889600F576}13 Created file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp781f8c98.bat14 Created mutex Local\{88628F11-7E28-86C7-B859-15889600F576}15 Created mutex Global\{A4BBAF3C-5E05-AA1E-FCAE-E722D2F707DC}16 Created mutex Global\{E9843906-C83F-E721-B859-15889600F576}17 Created file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp781f8c98.bat18 Set key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems\Windows to value NULL19 Set key

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

20 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inenedpyaqwyipq to value "C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe"

21 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inenedpyaqwyipq to value "C:\Documents andSettings\Administrator\Application Data\Myysry\enyzolq.exe"


23 Created Process "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp781f8c98.bat"24 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory to value

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE525 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths to value 426 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath to

value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache127 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath to

11 / 32



value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache430 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit to

value 16372431 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit to



value 16372434 Set key

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cookies to value C:\Documents and Settings\Administrator\Cookies



37 Set key\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\History to value C:\Documents and Settings\Administrator\Local Settings\History

38 Created mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!39 Created mutex c:!documents and settings!administrator!cookies!40 Created mutex c:!documents and settings!administrator!local settings!history!history.ie5!41 Created mutex WininetConnectionMutex42 Created mutex43 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inen

edpyaqwyipq to value "C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe"44 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inenedpyaqwyipq to value "C:\Documents and

Settings\Administrator\Application Data\Myysry\enyzolq.exe"45 Created Process "C:\Documents and Settings\Administrator\Application Data\Myysry\enyzolq.exe" -child46 Deleted file c:\documents and settings\administrator\sample.exe47 Set key \REGISTRY\MACHINE\SOFTWARE\uQjb6Q\Tasks to value NULL48 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\uQjb6Q\Tasks to value NULL49 Deleted file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp781f8c98.bat50 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inen


Settings\Administrator\Application Data\Myysry\enyzolq.exe"52 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inen


Settings\Administrator\Application Data\Myysry\enyzolq.exe"54 Set key


55 Created mutex Local\{A3C4EA23-1B1A-AD61-B859-15889600F576}56 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Internet

Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\enyzolq.exe to value 1100157 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inen


Settings\Administrator\Application Data\Myysry\enyzolq.exe"59 Set key

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

60 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory to valueC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5

61 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths to value 462 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath to




value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4

12 / 32

66 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit tovalue 163724




70 Set key\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cookies to value C:\Documents and Settings\Administrator\Cookies

71 Set key\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\History to value C:\Documents and Settings\Administrator\Local Settings\History

72 Created mutex73 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\

@xpsp3res.dll to value -2000174 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet

Settings\ZoneMap\ProxyBypass to value 175 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet

Settings\ZoneMap\IntranetName to value 176 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet

Settings\ZoneMap\UNCAsIntranet to value 177 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet

Settings\ZoneMap\ProxyBypass to value 178 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet

Settings\ZoneMap\IntranetName to value 179 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet

Settings\ZoneMap\UNCAsIntranet to value 180 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inen




Settings\Administrator\Application Data\Myysry\enyzolq.exe"84 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData to value

C:\Documents and Settings\All Users\Application Data85 Set key


86 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\MigrateProxy to value 1

87 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ProxyEnable to value 0

88 Set key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\InternetSettings\ProxyEnable to value 0

89 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Connections\SavedLegacySettings to value NULL










13 / 32
























122 Created file C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt123 Created file C:\Documents and Settings\Administrator\Cookies\administrator@google[2].txt124 Deleted file C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt125 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inen






Settings\Administrator\Application Data\Myysry\enyzolq.exe"131 Created file C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt132 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inen


Settings\Administrator\Application Data\Myysry\enyzolq.exe"134 Created file C:\Documents and Settings\Administrator\Cookies\administrator@google[3].txt135 Deleted file C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt

14 / 32

136 Created file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DF1LSW9G\google[1]137 Created file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DF1LSW9G\google[1].htm138 Created file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DF1LSW9G\google[1].htm139 Created mutex MSIMGSIZECacheMutex140 Set key

\REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Local AppData to value C:\Documents and Settings\Administrator\Local Settings\Application Data





145 Created file C:\Documents and Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\K1XHOOEA\chrome-48[2].png







152 Created file C:\Documents and Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\LDKH2A5D\nav_logo80[2].png







159 Created file C:\Documents and Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\VPKKM73P\rs=AItRSTPqPxPQq9apHYeYn61I89z9NOuesQ[1]

160 Created file C:\Documents and Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\VPKKM73P\rs=AItRSTPqPxPQq9apHYeYn61I89z9NOuesQ[1]



163 Created file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VPKKM73P\logo9w[1].png164 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inen






Settings\Administrator\Application Data\Myysry\enyzolq.exe"170 Created mutex Global\{A4BBAF3C-5E05-AA1E-8CAC-E722A2F507DC}171 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inen


Settings\Administrator\Application Data\Myysry\enyzolq.exe"

15 / 32

173 Created file C:\Documents and Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\K1XHOOEA\scm_2b9edb365d122da01f5cf2b5a536cae8[1].js

174 Created file C:\Documents and Settings\Administrator\Local Settings\Temporary InternetFiles\Content.IE5\K1XHOOEA\scm_2b9edb365d122da01f5cf2b5a536cae8[1].js

































16 / 32



































17 / 32



































18 / 32



































19 / 32



































20 / 32



































21 / 32



































22 / 32



































23 / 32





























473 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\System32\logon.scr to value Logon Screen Saver

474 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\SessionInformation\ProgramCount to value 2475 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\SessionInformation\ProgramCount to value 3476 Set key \REGISTRY\USER\S-1-5-21-2052111302-1214440339-682003330-500\Software\Microsoft\Windows\CurrentVersion\Run\Inen




Settings\Administrator\Application Data\Myysry\enyzolq.exe"

24 / 32






















Report truncated due to excessive length. 2.2. VM2 (Windows 7, Adobe Reader 11, Flash 11, Office 2010)

2.2.1. Behavioral Summary This sample was found to be malware on this virtual machine.

Behavior Created a file in the Windows folder Created or modified files Spawned new processes Deleted itself Started or stopped a system service Registered a file as auto-start from a local directory Modified registries or system configuration to enable auto start capablity Modified Windows registries Created an executable file in a user document folder Attempted to sleep for a long period

2.2.2. Network Activity

No network data available.

25 / 32

2.2.3. Host ActivityProcess Name - "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"(command: "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe")

Created Mutexes

Mutex NameLocal\{9404519C-19F2-AD61-01A8-E27B2162028A}Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}Global\{64E4C08E-88E0-5D81-9C23-E721BCE907D0}

Process Name - "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"(command: "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe")

Created Mutexes

Mutex NameLocal\{9404519C-19F2-AD61-01A8-E27B2162028A}Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}


Created Mutexes



Created Mutexes


Process Name - sample.exe(command: C:\Users\Administrator\sample.exe)

26 / 32

Process Activity

Child Process Action"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe" Create"C:\Windows\system32\cmd.exe" /c "C:\Users\ADMINI~1\AppData\Local\Temp\tmp21df0dae.bat" Create

File Activity

File ActionC:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe CreateC:\Windows\Tasks\Security Center Update - 3118959435.job CreateC:\Users\ADMINI~1\AppData\Local\Temp\tmp21df0dae.bat Create

Registry Activity

Registry Key Value ActionHKEY_LOCAL_MACHINE\SOFTWARE\Xjhyfzdocs CreateHKEY_CURRENT_USER\SOFTWARE\Xjhyfzdocs Create\REGISTRY\MACHINE\SOFTWARE\Xjhyfzdocs\License 444 Set\REGISTRY\USER\S-1-5-21-3965103109-1166398021-282280064-500\Software\Xjhyfzdocs\License

444 Set

Created Services

Service Name Parent ProcessSecurityCenterServer3118959435 "C:\Windows\system32\kaawali.exe" -service

"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"

Created Mutexes

Mutex NameGlobal\{2E1D74D7-3CB9-1778-01A8-E27B2162028A}


Created Mutexes



Created Mutexes

Mutex NameLocal\{9404519C-19F2-AD61-01A8-E27B2162028A}Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}

27 / 32

Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}


Created Mutexes



Created Mutexes



Created Mutexes



Created Mutexes


28 / 32

Process Name - "C:\Windows\system32\cmd.exe" /c"C:\Users\ADMINI~1\AppData\Local\Temp\tmp21df0dae.bat"(command: "C:\Windows\system32\cmd.exe" /c "C:\Users\ADMINI~1\AppData\Local\Temp\tmp21df0dae.bat")

File Activity

File ActionC:\Users\Administrator\sample.exe DeleteC:\Users\ADMINI~1\AppData\Local\Temp\tmp21df0dae.bat Delete


Created Mutexes



Created Mutexes



Created Mutexes



Created Mutexes

29 / 32


Event Timeline

1 Created Process C:\Users\Administrator\sample.exe2 Created mutex Global\{2E1D74D7-3CB9-1778-01A8-E27B2162028A}3 Created file C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe4 Created file C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe5 Created file C:\Windows\Tasks\Security Center Update - 3118959435.job6 Created service SecurityCenterServer3118959435 from "C:\Windows\system32\kaawali.exe" -service

"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"7 Set key \REGISTRY\MACHINE\SOFTWARE\Xjhyfzdocs\License to value 4448 Set key \REGISTRY\USER\S-1-5-21-3965103109-1166398021-282280064-500\Software\Xjhyfzdocs\License to value 4449 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"10 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}11 Created file C:\Users\ADMINI~1\AppData\Local\Temp\tmp21df0dae.bat12 Created file C:\Users\ADMINI~1\AppData\Local\Temp\tmp21df0dae.bat13 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}14 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}15 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}16 Created Process "C:\Windows\system32\cmd.exe" /c "C:\Users\ADMINI~1\AppData\Local\Temp\tmp21df0dae.bat"17 Deleted file C:\Users\Administrator\sample.exe18 Deleted file C:\Users\ADMINI~1\AppData\Local\Temp\tmp21df0dae.bat19 Created mutex20 Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Woakygemhet to value

"C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"21 Set key \REGISTRY\USER\S-1-5-21-3965103109-1166398021-282280064-500\Software\Microsoft\Windows\CurrentVersion\Run\Woa

kygemhet to value "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"22 Created mutex ALTTAB_RUNNING_MUTEX23 Created mutex24 Created mutex25 Created mutex26 Created mutex27 Created mutex28 Created mutex29 Created mutex30 Created mutex31 Created mutex32 Created mutex33 Created mutex34 Created mutex35 Created mutex36 Created mutex37 Created mutex38 Created mutex39 Created mutex40 Created mutex41 Created mutex42 Created mutex43 Created mutex CDBurnNotify44 Created mutex Global\CDBurnExclusive45 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"46 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}47 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}48 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}49 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}50 Created mutex Global\{64E4C08E-88E0-5D81-9C23-E721BCE907D0}51 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"52 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}53 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}54 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}

30 / 32

55 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}56 Created mutex Global\{64E4C08E-88E0-5D81-9C23-E721BCE907D0}57 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"58 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}59 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}60 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}61 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}62 Created mutex Global\{64E4C08E-88E0-5D81-9C23-E721BCE907D0}63 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"64 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}65 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}66 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}67 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}68 Created mutex Global\{64E4C08E-88E0-5D81-9C23-E721BCE907D0}69 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"70 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}71 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}72 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}73 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}74 Created mutex Global\{64E4C08E-88E0-5D81-9C23-E721BCE907D0}75 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"76 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}77 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}78 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}79 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}80 Created mutex Global\{64E4C08E-88E0-5D81-9C23-E721BCE907D0}81 Created mutex82 Created mutex83 Created mutex84 Created mutex85 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"86 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}87 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}88 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}89 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}90 Created mutex Global\{64E4C08E-88E0-5D81-9C23-E721BCE907D0}91 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"92 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}93 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}94 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}95 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}96 Created mutex Global\{64E4C08E-88E0-5D81-9C23-E721BCE907D0}97 Set key \REGISTRY\USER\S-1-5-21-3965103109-1166398021-282280064-500\Software\Microsoft\Windows\CurrentVersion\Action

Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.103\CheckSetting to value NULL98 Set key \REGISTRY\USER\S-1-5-21-3965103109-1166398021-282280064-500\Software\Microsoft\Windows\CurrentVersion\Action

Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100\CheckSetting to value NULL99 Set key \REGISTRY\USER\S-1-5-21-3965103109-1166398021-282280064-500\Software\Microsoft\Windows\CurrentVersion\Action

Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102\CheckSetting to value NULL100 Created file C:\Users\Administrator\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock101 Deleted file C:\Users\Administrator\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock102 Set key \REGISTRY\USER\S-1-5-21-3965103109-1166398021-282280064-500\Software\Microsoft\Windows\CurrentVersion\Action

Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100\CheckSetting to value NULL103 Set key \REGISTRY\USER\S-1-5-21-3965103109-1166398021-282280064-500\Software\Microsoft\Windows\CurrentVersion\Action

Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101\CheckSetting to value NULL104 Set key \REGISTRY\USER\S-1-5-21-3965103109-1166398021-282280064-500\Software\Microsoft\Windows\CurrentVersion\Action

Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\CheckSetting to value NULL105 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"106 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}107 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}108 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}109 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}110 Set key \REGISTRY\USER\S-1-5-21-3965103109-1166398021-282280064-500\Software\Microsoft\Windows\CurrentVersion\Action

Center\Checks\{945a8954-c147-4acd-923f-40c45405a658}.check.42\CheckSetting to value NULL111 Set key \REGISTRY\USER\S-1-5-21-3965103109-1166398021-282280064-500\Software\Microsoft\Windows\CurrentVersion\Action

Center\Checks\{945a8954-c147-4acd-923f-40c45405a658}.check.42\CheckSetting to value NULL112 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"113 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}114 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}

31 / 32

115 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}116 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}117 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"118 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}119 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}120 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}121 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}122 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"123 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}124 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}125 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}126 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}127 Created Process "C:\Users\Administrator\AppData\Roaming\Etuqedi\acysn.exe"128 Created mutex Local\{9404519C-19F2-AD61-01A8-E27B2162028A}129 Created mutex Global\{DE4482B9-CAD7-E721-01A8-E27B2162028A}130 Created mutex Local\{BFA234AE-7CC0-86C7-01A8-E27B2162028A}131 Created mutex Global\{64E4C08E-88E0-5D81-EC21-E721CCEB07D0}

Powered by TCPDF (www.tcpdf.org)

32 / 32

http://www.tcpdf.org

wildfire_report.pdf

Documents

network activity

host activity

process activity

adobe reader

behavioral summary

vm2 windows

dynamic analysis

event timeline