
Tags: cryptolocker

Analysis

Category Started Completed Duration
FILE 2013-10-15 17:57:31 2013-10-15 17:57:48 17 seconds

File Details

File Name upd.exe
File Size 149188 bytes
File Type MS-DOS executable
MD5 2344f984703d86b955c3ff91df3684b0
SHA1 f22894bec094feb6ef1d85fc97e2677dd1c45a3a
SHA256 7d760a5406e9179c8be8437f0738b44ba15df5c2d5713096ce509f16aa92dfbc
SHA512 05e21db0559f438974606083ca6b477206fa8266bd7cacd168cc9967101cdf33401a00f9056eb141eb845662d615287b2736087cc8e17f1eb88ffdb34a6f0e32
CRC32 79568CA8
Ssdeep 3072:iJS4YluHH5340ErMX+vS5etf6vCqDFw6wDeadPW+fPhhojH:YoeLjOvS5gf6vCqDF7cLdPWk4H
Yara None matched

Signatures

Creates an Alternate Data Stream (ADS)
file: \DosDevices\A:
Installs itself for autorun at Windows startup

Hosts

No hosts contacted.

Domains

No domains contacted.


Summary

C:\WINDOWS\_default.pif
\DosDevices\A:
\DosDevices\B:
C:\MSDOS.SYS
C:\IO.SYS
C:\WINDOWS\system32\ntio.sys
C:\WINDOWS\system32\ntdos.sys
C:\
C:\WINDOWS\SYSTEM32\CONFIG.NT
C:\WINDOWS\TEMP\scs3.tmp
C:\WINDOWS\TEMP\SCS3.TMP
C:\WINDOWS\SYSTEM32\HIMEM.SYS
C:\WINDOWS\SYSTEM32\COUNTRY.SYS
\DosDevices\C:
C:\WINDOWS\SYSTEM32\COMMAND.COM
C:\WINDOWS\SYSTEM32
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT
C:\WINDOWS\TEMP\scs4.tmp
C:\WINDOWS\TEMP\SCS4.TMP
C:\Documents and Settings
C:\Documents and Settings\All Users
C:\Documents and Settings\User\Application Data
C:\Program Files
C:\Program Files\Common Files
MSCDEXNT.EXE
C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
REDIR">>>
C:\WINDOWS\SYSTEM32\REDIR.EXE
DOSX">>>
C:\WINDOWS\SYSTEM32\DOSX.EXE
C:\WINDOWS\SYSTEM.INI
C:\DOCUME~1\User\LOCALS~1\Temp
C:\DOCUME~1\USER\LOCALS~1\TEMP\UPD.EXE
A:
B:
E:
F:
G:
H:
I:
J:
K:
L:
M:
N:
O:
P:
Q:
R:
S:
T:
U:
V:
W:
X:
Y:
Z:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WOW\Console
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
OOPS! No static analysis available, probably it's not a supported file format.
Antivirus Signature
MicroWorld-eScan Clean
nProtect Clean
CAT-QuickHeal Clean
McAfee Clean
Malwarebytes Clean
TheHacker Clean
K7GW Clean
K7AntiVirus Clean
NANO-Antivirus Clean
F-Prot Clean
Symantec Clean
Norman Clean
TotalDefense Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
BitDefender Clean
Agnitum Clean
ViRobot Clean
ByteHero Clean
Emsisoft Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
AntiVir Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Sophos Clean
Jiangmin Clean
Panda Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
SUPERAntiSpyware Clean
GData Clean
Commtouch Clean
AhnLab-V3 Clean
VBA32 Clean
PCTools Clean
ESET-NOD32 Clean
Rising Clean
Ikarus Clean
Fortinet Clean
AVG Clean
Baidu-International Clean

  • ntvdm.exe 1088
ntvdm.exe, PID: 1088, Parent PID: 1824

HTTP Requests

No HTTP requests performed.

IRC Traffic

No IRC traffic.

SMTP Requests

No SMTP requests performed.

File name scs4.tmp
File Size 1670 bytes
File Type DOS batch file, ASCII text, with CRLF line terminators
MD5 71f4b39c5eb73df738ad3e0dacd89057
SHA1 8565ed558ad273232104e0b10cd87cff723a1eca
SHA256 d504b1c272cd0c92c4a365086cf884a4889653c89d5602b6dadeffb33b83951d
CRC32 57C5BF94
Ssdeep 24:FdM2fMOL31HImyqulppIqZYGZ+Dg8pAcM3s+5slwQT3eAbntJPFBfPCZ:wTOIqu5/Z+K7slwQTvntJPPPCZ
Yara None matched
File name scs3.tmp
File Size 2686 bytes
File Type ASCII English text, with CRLF line terminators
MD5 4a587187d760161311010b03417b3c3f
SHA1 863bbf5f7f4114a1307c6bad5dd89224d511fed5
SHA256 b7792de7a6d7abb649a8a22e9048d0468b604ca98b8978bdd1171356af6d5f49
CRC32 7F49CEE2
Ssdeep 48:OxFSPnXOoz6xGGBkIV2SVFI8Ag52hG4VYEz/ss10hdmDpaQcaJ0jpn:im9OGGqcxF3whG8YEz/UmXzJ0jpn
Yara None matched