MalAgent.H_18036 is a Virus. Virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive
Mutexes created
Directory level activity- create - dir - c:\windows\mui\
File level activity- write - file - c:\windows\internat.exe
- write - file - c:\windows\mui\modem.sys
- write - file - c:\windows\lsass32.exe
- write - file - c:\windows\userun32.exe
- write - file - c:\windows\calc.exe
- write - file - c:\windows\regedit2.exe
- write - file - c:\windows\regedit.exe
- write - file - c:\Documents and Settings\All Users\Start Menu\Programs\Startup\msoffice.scr
- write - file - c:\windows\mui\modem.sys
Registry level activity- write - registry - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6ABE4A8-C73A-305A-BFEF-E4FA2BC9D8A9}ThisEXE
- write - registry - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6ABE4A8-C73A-305A-BFEF-E4FA2BC9D8A9}VerProg
- write - registry - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runinternat
- write - registry - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Runinternat
- write - registry - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesinternat
- write - registry - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runlsass32
- write - registry - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Runuserun32
- write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\internatDependOnGroup
- write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\internatDependOnService
- write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\internatDescription
- write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\internatDisplayName
- write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\internatGroup
- write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\internatObjectName
- write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\internatImagePath
- write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\internatErrorControl
- write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\internatPlugPlayServiceType
- write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\internatStart
- write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\internatType
Library level activity- load - library - KERNEL32.DLL
- load - library - advapi32.dll
- load - library - gdi32.dll
- load - library - mpr.dll
- load - library - oleaut32.dll
- load - library - shell32.dll
- load - library - user32.dll
- load - library - wsock32.dll
- load - library - wininet.dll
- load - library - viaud.dll
- load - library - ole32.dll
Process API calls used
- NtFreeVirtualMemory
- NtFreeVirtualMemory
Registry API calls used
- RegOpenKeyExA
- RegQueryValueExA
- RegCloseKey
- RegCreateKeyExA
- RegSetValueExA
- RegDeleteValueA
- NtOpenKey
- NtQueryValueKey
- RegCloseKey
System API calls used
- LdrLoadDll
- LdrGetProcedureAddress
- NtDelayExecution
- NtDelayExecution
Filesystem API calls used
- NtOpenFile
- NtCreateFile
- CreateDirectoryW
- NtReadFile
- CopyFileA
- NtSetInformationFile
- NtQueryInformationFile
- NtWriteFile
- FindFirstFileExW
- NtOpenFile
Network
UDP source >> destination
- 192.168.30.254 >> 192.168.30.6
- 192.168.30.6 >> 192.168.30.255
TCP source >> destination
- 192.168.30.6 >> 192.168.30.254
Domains:
DNS Request:
HTTP Request:
DLL related data
Number of DLL's imported = 8
- KERNEL32.DLL
- advapi32.dll
- gdi32.dll
- mpr.dll
- oleaut32.dll
- shell32.dll
- user32.dll
- wsock32.dll
|
