SonicWALL Security Center

Sonicwall Signatures

Go to All Categories list.

Dropper.A_11222

Dropper.A_11222 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

Mutexes created

DC::DAEC2C149D
DBWinMutex
0343850B:SIMULATEEXPIRED
RAL0343850B
0343850B::WK

Directory level activity

create - dir - C:\Documents and Settings\All Users\Application Data\TEMP

File level activity

write - file - PIPE\lsarpc
write - file - PIPE\lsarpc

Registry level activity

write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\ParametersTrapPollTimeMilliSecs
write - registry - HKEY_LOCAL_MACHINE\Software\Licenses{R7C0DB872A3F777C0}
write - registry - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName{K7C0DB872A3F777C0}
write - registry - HKEY_CLASSES_ROOT\CLSID\{F557BA3D-A7B9-82B1-467C-B49AA78208E8}
write - registry - HKEY_CLASSES_ROOT\CLSID\{F557BA3D-A7B9-82B1-467C-B49AA78208E8}InprocServer32
write - registry - HKEY_CLASSES_ROOT\CLSID\{F557BA3D-A7B9-82B1-467C-B49AA78208E8}InprocServer32ThreadingModel
write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppData
write - registry - HKEY_LOCAL_MACHINE\Software\Licenses{IF41747BB2672C200}
write - registry - HKEY_LOCAL_MACHINE\Software\Licenses{0F41747BB2672C200}
write - registry - HKEY_CURRENT_USER\Software\VB and VBA Program Settings\tob\xx

Library level activity

load - library - KERNEL32.DLL
load - library - kernel32.dll
load - library - User32.dll
load - library - WININET.dll
load - library - COMCTL32.dll
load - library - KERNEL32.dll
load - library - USER32.dll
load - library - GDI32.dll
load - library - comdlg32.dll
load - library - ADVAPI32.dll
load - library - SHELL32.dll
load - library - ole32.dll
load - library - OLEAUT32.dll
load - library - KERNEL32
load - library - C:\WINDOWS\system32\rpcss.dll
load - library - C:\WINDOWS\system32\winlogon.exe
load - library - xpsp2res.dll
load - library - CLBCATQ.DLL
load - library - C:\WINDOWS\system32\wbem\wbemprox.dll
load - library - oleaut32.dll
load - library - wmisvc.dll
load - library - OLE32
load - library - OLE32.DLL
load - library - C:\WINDOWS\system32\wbem\wbemsvc.dll
load - library - C:\WINDOWS\system32\wbem\fastprox.dll
load - library - Kernel32.dll
load - library - ws2_32.dll
load - library - inetmib1.dll
load - library - snmpapi.dll
load - library - MPRAPI.dll
load - library - shell32.dll
load - library - user32.dll
load - library - MSVBVM60.DLL
load - library - advapi32.dll
load - library - C:\WINDOWS\system32\uxtheme.dll
load - library - uxtheme.dll
load - library - OLEAUT32.DLL
load - library - SXS.DLL
load - library - USER32
load - library - C:\WINDOWS\system32\MSVBVM60.DLL
load - library - user32
load - library - C:\WINDOWS\system32\asycfilt.dll
load - library - User32.dll

Process API calls used

NtFreeVirtualMemory
VirtualProtectEx
NtOpenSection
NtCreateSection
ZwMapViewOfSection
NtFreeVirtualMemory

Registry API calls used

RegOpenKeyExW
RegQueryValueExW
RegCloseKey
NtOpenKey
NtQueryValueKey
RegCreateKeyExW
RegCreateKeyExA
RegSetValueExW
RegOpenKeyExA
RegSetValueExA
RegQueryValueExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegCloseKey

System API calls used

LdrGetDllHandle
LdrGetProcedureAddress
LdrLoadDll
NtDelayExecution
IsDebuggerPresent
SetWindowsHookExA
NtDelayExecution

Filesystem API calls used

FindFirstFileExW
NtCreateFile
NtSetInformationFile
NtWriteFile
NtReadFile
NtQueryInformationFile
NtOpenFile
NtDeviceIoControlFile
CreateDirectoryW
NtQueryDirectoryFile
NtQueryInformationFile

Network

UDP source >> destination

192.168.30.254 >> 192.168.30.4
192.168.30.4 >> 192.168.30.255

TCP source >> destination

192.168.30.4 >> 192.168.30.254

Domains:

DNS Request:

HTTP Request:

DLL related data
Number of DLL's imported = 3

KERNEL32.dll
USER32.dll
GDI32.dll

Relevant Information