Trojan.GenericKD.4586128_74c660426e – Adaware

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.4586128 (B) (Emsisoft), Trojan.GenericKD.4586128 (AdAware)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 74c660426e6ad01904cf0c4321675097

SHA1: 8c559ec0e4bd4ae1d09c7f4d835d3251d9356168

SHA256: 9db86a5816ab429b4726cd64a8c394f369d77a6db62bb1518dc806d673ffc8ff

SSDeep: 24576:EaXNVojWEdAxIHJRyiKps0TErCgxjyAdSx/qSboroFNRJaYfi:Euzoj5JgjEr/dyqSbo0cY

Size: 1454080 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: appinstall d2

Created at: 2017-03-13 05:22:53

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1792
%original file name%.exe:2176

The Trojan injects its code into the following process(es):

SearchProtocolHost.exe:1900
SearchFilterHost.exe:1780
wininit.exe:360
winlogon.exe:416
services.exe:460
lsm.exe:476
svchost.exe:580
svchost.exe:648
svchost.exe:700
svchost.exe:820
svchost.exe:860
svchost.exe:1032
SearchIndexer.exe:1100
svchost.exe:1112
spoolsv.exe:1224
svchost.exe:1260
svchost.exe:1664
wmiprvse.exe:1816
taskhost.exe:1940
taskeng.exe:2000
Dwm.exe:2008
Explorer.EXE:2024
svchost.exe:2340
conhost.exe:3904
taskhost.exe:3572

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1792 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\Documents\Delay.txt (32 bytes)

The process %original file name%.exe:2176 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Monitor\Screenshots\03-26-2017\3.35 AM (47 bytes)

Registry activity

The process %original file name%.exe:2176 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software]
"prc" = "2176"
"auKBM NbrgFiv3UGmZkr Q==" = "BYOZMbcHdwFtgYglTiC u9sOgGxp/ZCC9VBKAcbgz8s="
"pth" = "c:\%original file name%.exe"
"6pprwpp0CBdleLjPr/lihg==" = "gHz0ziJAt86V3 qIMpS9A=="
"MTX" = "59a9161a78a3483a2edcdc3fb582650a1c3d25a6"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

ZwQuerySystemInformation

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1792
%original file name%.exe:2176
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\Documents\Delay.txt (32 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Monitor\Screenshots\03-26-2017\3.35 AM (47 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Pantaray Research Ltd.
Product Name: Diagnostic HUB
Product Version: 12.0.0.0
Legal Copyright: Copyright (C) 2002-2017
Legal Trademarks:
Original Filename: Project1.exe
Internal Name:
File Version: 12.0.0.5
File Description: Diagnostic HUB
Comments:
Language: English (United States)

Company Name: Pantaray Research Ltd.Product Name: Diagnostic HUBProduct Version: 12.0.0.0Legal Copyright: Copyright (C) 2002-2017Legal Trademarks: Original Filename: Project1.exeInternal Name: File Version: 12.0.0.5File Description: Diagnostic HUBComments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	1451140	1451520	4.39925	8d7f1f1ed29fe6c9000fec4d8730ec68
.rsrc	1466368	1536	1536	2.75144	49849b48188e9f40acc0e6260275ca29
.reloc	1474560	12	512	0.070639	8607f77b215816cfa92bb1b9a31350e3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
dns.msftncsi.com
time.windows.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

SearchProtocolHost.exe_1900:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

0xx=

%s(%d)

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

0xx%p%S%d

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

%S(%d)

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

SearchProtocolHost.exe_1900_rwx_0077D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

SearchFilterHost.exe_1780:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

0xx%p%S%d

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

0xx=

%S(%d)

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

SearchFilterHost.exe_1780_rwx_0067D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

wininit.exe_360_rwx_0027D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

winlogon.exe_416_rwx_0053D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

C:\Windows\system32\winlogon.exe

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

services.exe_460_rwx_0008D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

lsm.exe_476_rwx_0024D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

svchost.exe_580_rwx_001CD000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

svchost.exe_648_rwx_0017D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

svchost.exe_700_rwx_002ED000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

.ja-JP

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

svchost.exe_820_rwx_0015D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

svchost.exe_860_rwx_005BD000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

svchost.exe_1032_rwx_0009D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

SearchIndexer.exe_1100_rwx_00E0D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

svchost.exe_1112_rwx_00DBD000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

spoolsv.exe_1224_rwx_006CD000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

svchost.exe_1260_rwx_003AD000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

svchost.exe_1664_rwx_001ED000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

wmiprvse.exe_1816_rwx_0021D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

taskhost.exe_1940_rwx_0037D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

C:\Windows\system32\taskhost.exe

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

taskeng.exe_2000_rwx_002DD000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

Dwm.exe_2008_rwx_004CD000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

C:\Windows\system32\Dwm.exe

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

Explorer.EXE_2024_rwx_02D6D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

C:\Windows\Explorer.EXE

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

svchost.exe_2340_rwx_0014D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

conhost.exe_3904_rwx_0010D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

C:\Windows\system32\conhost.exe

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

taskhost.exe_3572_rwx_0062D000_00007000:

Bv.SCv

GetProcessWindowStation

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

ntdll.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

zcÃ

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps

Related articles