Worm.Generic
Risk Level 1
File Size : 271872 KB
File Type : Portable Executable 32
File Name : New Order_PDF.exe
MD5 : b3e9bdabad08d6776cbbd179e68092b8
SHA1 : 7b5038ebc7bf9ecec45bf3aff94c1e44d586bccc
SHA256 : 771fd7d9681e80b14a3bf8af03c49da7bb0eec47274543b7f6

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\1 June 2016\New folder\Sample\b3e9bdabad08d6776cbbd179e68092b8.exe

Changes to registry:

* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
  (old value empty)
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "HWID=7B42454430393036302D374243412D343943432D383038442D3043364135354533304443387D" in key HKEY_CURRENT_USER\software\WinRAR
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
  binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "RegAsm.exe=RegAsm.exe" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\Microsoft.NET\Framework\v2.0.50727
  binary data=520065006700410073006D002E006500780065000000
* Creates value "cmd.exe=Windows Command Processor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32
  binary data=570069006E0064006F0077007300200043006F006D006D0061006E0064002000500072006F0063006500730073006F0072000000

Changes to filesystem:

* Modifies file (empty) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Network services:

* Queries DNS "cx16455.twsite.de".
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Connects to "5.23.50.3" on port 80 (TCP - HTTP).
* Downloads file from "google.com/".
* Downloads file from "cx16455.twsite.de /mosihc/gate.php".
* Uses HTTP POST requests.

Process/window/string information:

* Gets user name information.
* Gets volume information.
* Checks for debuggers.
* Creates an event named "Global\CorDBIPCSetupSyncEvent_1564".
* Enables privilege SeDebugPrivilege.
* Creates a mutex "mEGywqwH8eVl".
* Creates process "C:\Windows\Microsoft.net\Framework\v2.0.50727\regasm.exe, , null".
* Injects code into process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe".
* Enables privilege SeImpersonatePrivilege.
* Enables privilege SeTcbPrivilege.
* Enables privilege SeChangeNotifyPrivilege.
* Enables privilege SeCreateTokenPrivilege.
* Enables privilege SeBackupPrivilege.
* Enables privilege SeRestorePrivilege.
* Enables privilege SeIncreaseQuotaPrivilege.
* Enables privilege SeAssignPrimaryTokenPrivilege.
* Creates a mutex "Local\!IETld!Mutex".
* Creates process "null, "C:\Users\cognus\AppData\Local\Temp\4517742.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" , C:\Users\cognus\Desktop\Analyzed Viruses\1 June 2016\New folder\Sample".
* Injects code into process "C:\Windows\System32\cmd.exe".
* Enables process privileges.
* Sleeps 29 seconds.

Additional Information:

How To Remove New Order_PDF.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where New Order_PDF.exe is located.
4. Once the scan is finished, you will get the message "scan is complete". Click the OK button to see the results.
5. Delete the threat from the results table.
