Analysis Summary:
Analysis Date 6/17/2007 3:25:22 AM
Sandbox Version 1.115
Filename d384995272b28711c62bdfb52eecc8c1.exe
Technical Details:
Analysis Number 1
Parent ID 0
Process ID 1372
Filename c:\d384995272b28711c62bdfb52eecc8c1.exe
Filesize 2287365 bytes
MD5 d384995272b28711c62bdfb52eecc8c1
Start Reason AnalysisTarget
Termination Reason Timeout
Start Time 00:00.078
Stop Time 01:00.266
COM
COM Create Instance: C:\WINDOWS\system32\shdocvw.dll, ProgID: (Shell.Explorer.2), Interface ID: ({00000112-0000-0000-C000-000000000046})
COM Create Instance: shell32.dll, ProgID: (lnkfile), Interface ID: ({000214EE-0000-0000-C000-000000000046})
COM Create Instance: shell32.dll, ProgID: (lnkfile), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: C:\WINDOWS\system32\mlang.dll, ProgID: (), Interface ID: ({275C23E1-3747-11D0-9FEA-00AA003F8646})
COM Get Class Object: %SystemRoot%\system32\mshtml.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
DLL-Handling
Loaded DLLs
c:\d384995272b28711c62bdfb52eecc8c1.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\version.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\winmm.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\Secur32.dll
NTDLL.DLL
ADVAPI32.DLL
kernel32.dll
user32.dll
oleaut32.dll
advapi32.dll
version.dll
gdi32.dll
ole32.dll
comctl32.dll
wininet.dll
wsock32.dll
winmm.dll
shell32.dll
c:\d384995272b28711c62bdfb52eecc8c1.ENU
c:\d384995272b28711c62bdfb52eecc8c1.EN
olepro32.dll
UxTheme.dll
uxtheme.dll
Comctl32.dll
RichEd20.dll
comctl32.dll
SHELL32.dll
SHELL32.DLL
WININET.dll
c:\Ic32.dll
RASAPI32.DLL
RTUTILS.DLL
USERENV.dll
netapi32.dll
appHelp.dll
OLEAUT32.dll
urlmon.dll
C:\WINDOWS\system32\shdoclc.dll
COMCTL32.dll
xpsp2res.dll
URLMON.DLL
WS2_32.dll
MLANG.dll
Filesystem
New Files
c:\Ic32.dll
\Device\RasAcd
c:\Local.cfg
Opened Files
\\.\Scsi0:
\\.\SICE
\\.\NTICE
\\.\SIWVID
C:\WINDOWS\Registration\R000000000008.clb
c:\d384995272b28711c62bdfb52eecc8c1.exe
\\.\PIPE\lsarpc
c:\autoexec.bat
c:\Local.cfg
Deleted Files
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\Upgrader3.exe
Chronological order
Open File: \\.\Scsi0: (OPEN_EXISTING)
Find File: c:\Key.reg
Open File: \\.\SICE (OPEN_EXISTING)
Open File: \\.\NTICE (OPEN_EXISTING)
Open File: \\.\SIWVID (OPEN_EXISTING)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000008.clb (OPEN_EXISTING)
Open File: c:\d384995272b28711c62bdfb52eecc8c1.exe (OPEN_EXISTING)
Find File: c:\Ic32.dll
Create File: c:\Ic32.dll
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\Upgrader3.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Documents and Settings\Sandbox\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Create File: c:\Local.cfg
Find File: c:\Local.cfg
Open File: c:\Local.cfg (OPEN_EXISTING)
INI Files
Read INI File
c:\User.ini [传奇] =
c:\User.ini [传奇] 武林九区(4月5号开放) =
WIN.INI [windows] DragScrollInset =
WIN.INI [windows] DragScrollDelay =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragScrollInterval =
Read INI File
c:\User.ini [] =
Mutexes
Creates Mutex: D384995272B28711C62BDFB52EECC8C1.EXE
Creates Mutex: RasPbFile
Registry Changes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Enable" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Size" = [REG_DWORD, value: 0000000A]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "InitHits" = [REG_DWORD, value: 00000064]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Factor" = [REG_DWORD, value: 00000014]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International "W2KLpk" = [REG_DWORD, value: 00000001]
Reads
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager "ColorName"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00021401-0000-0000-c000-000000000046}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
_HKEY(2016)_ "NumShape"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Enable"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Size"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NLS\Language Groups "a"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International "W2KLpk"
Process Management
Enum Processes
Enum Modules - Target PID: (1336)
Service Management
Open Service Manager - Name: "SCM"
System Info
Get System Directory
Get Computer Name
Get System Time
User Management
Impersonate User - Domain: () User: (Sandbox)
Impersonate User - Domain: () User: (Sandbox)
Get User Name
Window
Find Window - Class Name (TAPPBUILDER) Window Name ()
Find Window - Class Name (MS_AutodialMonitor) Window Name ()
Find Window - Class Name (MS_WebcheckMonitor) Window Name ()
Enum Windows
Network Activity
DNS Lookup
Host Name IP Address
172.16.1.154
update.7wcq.com 0.0.0.0
ASANDBOXEN 172.16.1.154
125.91.15.56 125.91.15.56
count.7wcq.com 0.0.0.0
port.7wcq.com 0.0.0.0
cc0.7wcq.com 0.0.0.0
cc1.7wcq.com 0.0.0.0
cc2.7wcq.com 0.0.0.0
cc3.7wcq.com 0.0.0.0
cc4.7wcq.com 0.0.0.0
cc5.7wcq.com 0.0.0.0
cc6.7wcq.com 0.0.0.0
cc7.7wcq.com 0.0.0.0
cc8.7wcq.com 0.0.0.0
cc9.7wcq.com 0.0.0.0
UDP Connections
Download URLs
http://61.151.239.33/601086888.zip (61.151.239.33)
http://60.191.129.104/ (60.191.129.104)
Outgoing connection to remote server: 61.151.239.33 TCP port 80
Outgoing connection to remote server: 125.91.15.56 TCP port 7005
Outgoing connection to remote server: 60.191.129.104 TCP port 80
Analysis Number 2
Parent ID 0
Process ID 712
Filename
Filesize -1 bytes
MD5
Start Reason SCM
Termination Reason Unknown
Start Time 00:02.328
Stop Time 00:00.000
Analysis Number 3
Parent ID 0
Process ID 712
Filename
Filesize -1 bytes
MD5
Start Reason SCM
Termination Reason Unknown
Start Time 00:02.344
Stop Time 00:00.000
Analysis Number 4
Parent ID 0
Process ID 712
Filename
Filesize -1 bytes
MD5
Start Reason SCM
Termination Reason Unknown
Start Time 00:02.656
Stop Time 00:00.000
Analysis Number 5
Parent ID 0
Process ID 712
Filename
Filesize -1 bytes
MD5
Start Reason SCM
Termination Reason Unknown
Start Time 00:07.000
Stop Time 00:00.000