VMRay Analyzer Report for Sample #268671
VMRay Analyzer 1.11.0

Process 2004 cb91b8695d3990b5b5eae8a714bd357e.exe (parent PID 1376)
  Command line: "C:\Users\hJrD1KOKY DS8lUjv\Desktop\cb91b8695d3990b5b5eae8a714bd357e.exe"
  Working directory: C:\Users\hJrD1KOKY DS8lUjv\Desktop
  Image path: c:\users\hjrd1koky ds8lujv\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe
  Operations: Opened, Opened, Opened, Opened, Moved, Opened
  Targets:
    File c:\users\hjrd1k~1\appdata\local\temp\c293.tmp
    File c:\users\hjrd1k~1\appdata\local\temp\3bd8.tmp
    File c:
    File \device\harddisk0\dr0
    File c:\users\hjrd1k~1\appdata\local\temp\3bd8.tmp
      MD5    d41d8cd98f00b204e9800998ecf8427e
      SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
      SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    Moved_To   File c:\users\hjrd1koky ds8lujv\desktop\cb91b8695d3990b5b5eae8a714bd357e.exe
    Moved_From File C:\Users\hJrD1KOKY DS8lUjv\Desktop\cb91b8695d3990b5b5eae8a714bd357e.exe

Process 372 wininit.exe (parent PID 316)
  Command line: wininit.exe
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\wininit.exe
  Operations: Opened
  Targets: File C:\Windows\system32\wininit.exe

Process 412 winlogon.exe (parent PID 364)
  Command line: winlogon.exe
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\winlogon.exe
  Operations: Opened
  Targets: File C:\Windows\system32\winlogon.exe

Process 468 services.exe (parent PID 372)
  Command line: C:\Windows\system32\services.exe
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\services.exe
  Operations: Opened
  Targets: File C:\Windows\system32\services.exe

Process 484 lsass.exe (parent PID 372)
  Command line: C:\Windows\system32\lsass.exe
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\lsass.exe
  Operations: Opened
  Targets: File C:\Windows\system32\lsass.exe

Process 492 lsm.exe (parent PID 372)
  Command line: C:\Windows\system32\lsm.exe
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\lsm.exe
  Operations: Opened
  Targets: File C:\Windows\system32\lsm.exe

Process 592 svchost.exe (parent PID 468)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\svchost.exe
  Operations: Opened
  Targets: File C:\Windows\system32\svchost.exe

Process 660 svchost.exe (parent PID 468)
  Command line: C:\Windows\system32\svchost.exe -k RPCSS
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\svchost.exe
  Operations: Opened

Process 708 svchost.exe (parent PID 468)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\svchost.exe
  Operations: Opened
  Targets: File C:\Windows\System32\svchost.exe

Process 776 logonui.exe (parent PID 412)
  Command line: "LogonUI.exe" /flags:0x0
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\logonui.exe
  Operations: Opened
  Targets: File C:\Windows\system32\LogonUI.exe

Process 828 svchost.exe (parent PID 468)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\svchost.exe
  Operations: Opened

Process 884 svchost.exe (parent PID 468)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\svchost.exe
  Operations: Created, Created, Created, Created, Created, Opened, Opened, Opened, Opened, Read_From
  Targets:
    Process 1292 ping.exe (parent PID 884), command line C:\Windows\SysWOW64\ping.exe 127.0.0.1 -t, working directory C:\Windows\system32, image path c:\windows\syswow64\ping.exe
    File \device\000001a9\0d24eb7c\lsash.xp
    Mutex Global\B10C62E4-234C-4BF6-A1D5-1C0309CED145
    Mutex Global\C3819288-93FA-4E29-A254-BD9476B53C20
    Mutex Global\6C29A0C8-62C6-415C-9538-B87690BC58D2
    Mutex Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9
    Mutex Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9
    WinRegistryKey HKEY_LOCAL_MACHINE\software\classes\http\shell\open\command
    File \\?\globalroot\device\000001a9\0d24eb7c\cfg.ini

Process 964 audiodg.exe (parent PID 708)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2b0
  Working directory: C:\Windows
  Image path: c:\windows\system32\audiodg.exe
  Operations: Opened
  Targets: File C:\Windows\system32\AUDIODG.EXE

Process 296 svchost.exe (parent PID 468)
  Command line: C:\Windows\system32\svchost.exe -k LocalService
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\svchost.exe
  Operations: Opened

Process 540 dllhost.exe (parent PID 592)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\dllhost.exe
  Operations: Opened
  Targets: File C:\Windows\system32\DllHost.exe

Process 956 userinit.exe (parent PID 412)
  Command line: C:\Windows\system32\userinit.exe
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\userinit.exe
  Operations: Opened
  Targets: File C:\Windows\system32\userinit.exe

Process 320 explorer.exe (parent PID 956)
  Command line: C:\Windows\Explorer.EXE
  Working directory: C:\Windows\system32
  Image path: c:\windows\explorer.exe
  Operations: Opened
  Targets: File C:\Windows\Explorer.EXE

Process 1060 dwm.exe (parent PID 828)
  Command line: "C:\Windows\system32\Dwm.exe"
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\dwm.exe
  Operations: Opened
  Targets: File C:\Windows\system32\Dwm.exe

Process 1112 svchost.exe (parent PID 468)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\svchost.exe
  Operations: Opened

Process 1232 runonce.exe (parent PID 320)
  Command line: C:\Windows\SysWOW64\runonce.exe /Run6432
  Working directory: C:\Windows\SysWOW64
  Image path: c:\windows\syswow64\runonce.exe
  Operations: Opened
  Targets:
    File C:\Windows\SysWOW64\runonce.exe
    File c:\windows\syswow64\ntdll.dll

Process 1292 ping.exe (parent PID 884)
  Command line: C:\Windows\SysWOW64\ping.exe 127.0.0.1 -t
  Working directory: C:\Windows\system32
  Image path: c:\windows\syswow64\ping.exe
  Operations: Created (x8), Wrote_To, Created (x3), Opened (x8), Modified_Properties_Of (x16), Opened (x9), Read_From (x2), Connected_To (x3)
  Targets:
    File c:\windows\syswow64\kernel32.dll
    File c:\windows\syswow64\mswsock.dll
    File c:\windows\syswow64\ws2_32.dll
    File c:\windows\syswow64\wsock32.dll
    File c:\windows\syswow64\dnsapi.dll
    File c:\windows\syswow64\wininet.dll
    File \device\000001a9\0d24eb7c\bckfg.tmp
    File STD_OUTPUT_HANDLE
    Mutex Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9
    Mutex Global\C3819288-93FA-4E29-A254-BD9476B53C20
    Mutex Global\6C29A0C8-62C6-415C-9538-B87690BC58D2
    WinRegistryKey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, value DefaultTTL
    WinRegistryKey HKEY_LOCAL_MACHINE\software\classes\http\shell\open\command
    WinRegistryKey HKEY_USERS\.DEFAULT\software\microsoft\internet explorer\international, value acceptlanguage
    WinRegistryKey HKEY_USERS\S-1-5-19\software\microsoft\internet explorer\international, value acceptlanguage
    WinRegistryKey HKEY_USERS\S-1-5-20\software\microsoft\internet explorer\international, value acceptlanguage
    WinRegistryKey HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\software\microsoft\internet explorer\international, value acceptlanguage
    WinRegistryKey HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000_Classes\software\microsoft\internet explorer\international, value acceptlanguage
    WinRegistryKey HKEY_USERS\S-1-5-18\software\microsoft\internet explorer\international, value acceptlanguage
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\internet explorer\main\featurecontrol\FEATURE_BROWSER_EMULATION, value ping.exe = 8888 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings, value maxhttpredirects = 9999 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings, value enablehttp1_1 = 1 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value currentlevel = 0 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value 1601 = 0 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value 1400 = 0 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value 1A10 = 0 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value {AEBA21FA-782A-4A90-978D-B72164C80120}
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value {A8A88C49-5EB2-4990-A1A2-0876022C854F}
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value 1001 = 0 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value 1200 = 0 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value 1208 = 0 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value 1209 = 0 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value 1405 = 0 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zones\3, value 2000 = 0 (REG_DWORD_LITTLE_ENDIAN)
    WinRegistryKey HKEY_CURRENT_USER\software\microsoft\internet explorer\international, value acceptlanguage = en-us (REG_SZ)
    File C:\Windows\SysWOW64\ping.exe
    File C:\Windows\SysWOW64\ntdll.dll
    File C:\Windows\syswow64\kernel32.dll
    File C:\Windows\SysWOW64\mswsock.DLL
    File C:\Windows\syswow64\WS2_32.dll
    File C:\Windows\SysWOW64\wsock32.DLL
    File C:\Windows\SysWOW64\dnsapi.DLL
    File C:\Windows\syswow64\WININET.dll
    DNSRecord 127.0.0.1
    URI 127.0.0.1
    SocketAddress 6zrt3vuwf-39qwkam.com:80 TCP
    NetworkSocket 6zrt3vuwf-39qwkam.com:80 TCP (contains SocketAddress 6zrt3vuwf-39qwkam.com:80)
    NetworkConnection HTTP 6zrt3vuwf-39qwkam.com:80
    URI http://6zrt3vuwf-39qwkam.com/evh0yGtD7e5QO1U4Y2xrPTMuNyZiaWQ9bm9uYW1lJmFpZD02NjY3MSZzaWQ9MCZyZD0xNDgxMDE2OTc037x (contains URI 6zrt3vuwf-39qwkam.com)
Process 1300 spoolsv.exe (parent PID 468)
  Command line: C:\Windows\System32\spoolsv.exe
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\spoolsv.exe
  Operations: Opened
  Targets: File C:\Windows\System32\spoolsv.exe

Process 1316 conhost.exe (parent PID 324)
  Command line: \??\C:\Windows\system32\conhost.exe
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\conhost.exe
  Operations: Opened
  Targets: File C:\Windows\system32\conhost.exe

Process 1332 dllhost.exe (parent PID 592)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\dllhost.exe
  Operations: Opened

Process 1400 taskhost.exe (parent PID 468)
  Command line: "taskhost.exe"
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\taskhost.exe
  Operations: Opened
  Targets: File C:\Windows\system32\taskhost.exe

Process 1456 svchost.exe (parent PID 468)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\svchost.exe
  Operations: Opened

Process 1528 jusched.exe (parent PID 1232)
  Command line: "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
  Working directory: C:\Windows\SysWOW64
  Image path: c:\program files (x86)\common files\java\java update\jusched.exe
  Operations: Opened, Opened, Opened
  Targets:
    WinRegistryKey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, value Win31FileSystem
    File C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Process 1928 taskhost.exe (parent PID 468)
  Command line: taskhost.exe SYSTEM
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\taskhost.exe
  Operations: Opened

Process 840 dllhost.exe (parent PID 592)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  Working directory: C:\Windows\system32
  Image path: c:\windows\system32\dllhost.exe
  Operations: Opened

Analyzed Sample #268671 (Malware Artifacts)
  Sample-ID: #268671
  Job-ID: #726140
  This sample was analyzed by VMRay Analyzer 1.11.0 on a Windows 7 system.
  VTI Score: 100 (based on VTI Database Version 2.4)

Metadata of Sample File #268671
  Submission-ID: #268671
  Path: C:\Users\hJrD1KOKY DS8lUjv\Desktop\cb91b8695d3990b5b5eae8a714bd357e.exe
  Type: exe
  MD5:    cb91b8695d3990b5b5eae8a714bd357e
  SHA1:   3cd6ef10dd6cbe6f158a360cf5b112cef2e18304
  SHA256: eec6bfe112155ab94029f0f8f27a484edf35b5d743503e0199637084d9520ebc
  Opened_By: VMRay Analyzer

VTI rule matches (category, score, rule, description, classification)
  Process        1/5  vmray_allocate_wx_page                   Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READWRITE").  [Allocate a page with write and execute permissions]
  Anti Analysis  1/5  vmray_dynamic_api_usage_by_api           Resolve more than 50 APIs.  [Dynamic API usage]
  Process        1/5  vmray_allocate_wx_page                   Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.  [Allocate a page with write and execute permissions]
  Device         2/5  vmray_access_physical_drive              Access physical drive "\device\harddisk0\dr0".  [Access physical drive]
  Process        1/5  vmray_install_ipc_endpoint               Create mutex with name "Global\B10C62E4-234C-4BF6-A1D5-1C0309CED145".  [Create system object]
  Process        1/5  vmray_install_ipc_endpoint               Create mutex with name "Global\C3819288-93FA-4E29-A254-BD9476B53C20".  [Create system object]
  Process        1/5  vmray_install_ipc_endpoint               Create mutex with name "Global\6C29A0C8-62C6-415C-9538-B87690BC58D2".  [Create system object]
  Anti Analysis  1/5  vmray_delay_execution_by_sleep           One thread sleeps more than 5 minutes.  [Delay execution]
  Process        1/5  vmray_create_process_with_hidden_window  The process "C:\Windows\SysWOW64\ping.exe 127.0.0.1 -t" starts with hidden window.  [Create process with hidden window]
  Process        1/5  vmray_install_ipc_endpoint               Create mutex with name "Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9".  [Create system object]
  Network        1/5  vmray_request_dns_by_name                Resolve "127.0.0.1".  [Perform DNS request]
  Browser        3/5  vmray_modify_browser_security_zone       Change settings for the Security Zone "internet".  [Change security related browser settings]
  Device         5/5  vmray_write_mbr_by_ginformation          Write 512 bytes to master boot record (MBR).  [Write master boot record (MBR)]
  Kernel         3/5  vmray_kernelcode_execution               Execute code with kernel privileges.  [Execute code with kernel privileges]
  Network        1/5  vmray_tcp_out_connection                 Outgoing TCP connection to host "6zrt3vuwf-39qwkam.com:80".  [Connect to remote host]
  Network        1/5  vmray_download_data_http_request         Url "http://6zrt3vuwf-39qwkam.com/evh0yGtD7e5QO1U4Y2xrPTMuNyZiaWQ9bm9uYW1lJmFpZD02NjY3MSZzaWQ9MCZyZD0xNDgxMDE2OTc037x".  [Download data]
  Network        1/5  establish_http_connection                Remote address "6zrt3vuwf-39qwkam.com".  [Connect to HTTP server]
  Process        2/5  vmray_overwrite_code                     Overwrite 4 byte(s) at mswsock.dll (0x757441a7)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 1 byte(s) at mswsock.dll (0x757441ab)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 4 byte(s) at mswsock.dll (0x75742bf9)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 1 byte(s) at mswsock.dll (0x75742bfd)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 4 byte(s) at winmm.dll:waveOutOpen+0x0 (0x7581451e)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 1 byte(s) at winmm.dll:waveOutOpen+0x4 (0x75814522)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 4 byte(s) at ole32.dll:CoCreateInstance+0x0 (0x75da9d0b)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 1 byte(s) at ole32.dll:CoCreateInstance+0x4 (0x75da9d0f)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 4 byte(s) at user32.dll:GetCursorPos+0x0 (0x75aa1218)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 1 byte(s) at user32.dll:GetCursorPos+0x4 (0x75aa121c)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 4 byte(s) at user32.dll:WindowFromPoint+0x0 (0x75abed12)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 1 byte(s) at user32.dll:WindowFromPoint+0x4 (0x75abed16)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 4 byte(s) at user32.dll:GetForegroundWindow+0x0 (0x75aa2320)  [Overwrite code]
  Process        2/5  vmray_overwrite_code                     Overwrite 1 byte(s) at user32.dll:GetForegroundWindow+0x4 (0x75aa2324)  [Overwrite code]