Dropper.A_11222 is classified as a Trojan: a program that presents itself as legitimate software but makes malicious changes to the victim's computer. Unlike viruses and worms, Trojans do not replicate or spread to other computers on their own.
Mutexes created
- DC::DAEC2C149D
- DBWinMutex
- 0343850B:SIMULATEEXPIRED
- RAL0343850B
- 0343850B::WK
Directory level activity
- create - dir - C:\Documents and Settings\All Users\Application Data\TEMP
File level activity
- write - file - PIPE\lsarpc
Registry level activity
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs
- write - registry - HKEY_LOCAL_MACHINE\Software\Licenses\{R7C0DB872A3F777C0}
- write - registry - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\{K7C0DB872A3F777C0}
- write - registry - HKEY_CLASSES_ROOT\CLSID\{F557BA3D-A7B9-82B1-467C-B49AA78208E8}
- write - registry - HKEY_CLASSES_ROOT\CLSID\{F557BA3D-A7B9-82B1-467C-B49AA78208E8}\InprocServer32
- write - registry - HKEY_CLASSES_ROOT\CLSID\{F557BA3D-A7B9-82B1-467C-B49AA78208E8}\InprocServer32\ThreadingModel
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
- write - registry - HKEY_LOCAL_MACHINE\Software\Licenses\{IF41747BB2672C200}
- write - registry - HKEY_LOCAL_MACHINE\Software\Licenses\{0F41747BB2672C200}
- write - registry - HKEY_CURRENT_USER\Software\VB and VBA Program Settings\tob\xx
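The mutex, directory and registry artifacts above are the host indicators a responder can hunt for. The Python below is an added example, not part of the original report or of any sandbox tooling: it restores the key/value separators in the report's registry paths, maps the HKEY_* hive names onto the HKLM/HKU forms Sysmon writes into TargetObject, drops the indicators too common to be useful (DBWinMutex, the Explorer Shell Folders lookup), and matches the rest against Sysmon-style event records. The event records, the process image path, the dropped file name and the mutex listing in the block are constructed for illustration; C:\ProgramData\TEMP is an assumed equivalent of the XP-era drop directory on later Windows versions.

```python
"""Match the host indicators from the Dropper.A_11222 sandbox report against
Sysmon-style endpoint events.

Added example, not part of the original report.  Registry paths are the
report's with key/value separators restored.  CONSTRUCTED_EVENTS and
CONSTRUCTED_MUTEXES are made up for illustration."""
import re

# Mutexes named in the report.  DBWinMutex is created by kernel32's
# OutputDebugString machinery and appears on many clean hosts, so it is
# excluded from matching.
REPORT_MUTEXES = {"DC::DAEC2C149D", "DBWinMutex", "0343850B:SIMULATEEXPIRED",
                  "RAL0343850B", "0343850B::WK"}
NOISY_MUTEXES = {"DBWinMutex"}

# Registry values the sample writes.  The Explorer "Shell Folders\Common AppData"
# entry is omitted: it is a routine folder lookup that many processes touch.
REGISTRY_INDICATORS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs",
    r"HKEY_LOCAL_MACHINE\Software\Licenses\{R7C0DB872A3F777C0}",
    r"HKEY_LOCAL_MACHINE\Software\Licenses\{0F41747BB2672C200}",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\{K7C0DB872A3F777C0}",
    r"HKEY_CLASSES_ROOT\CLSID\{F557BA3D-A7B9-82B1-467C-B49AA78208E8}\InprocServer32\ThreadingModel",
    r"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\tob\xx",
]

# How each hive appears in a Sysmon TargetObject: HKCU is really HKU\<SID>, and
# HKCR is the merged view of HKLM\Software\Classes and HKU\<SID>_Classes.
HIVE_PATTERNS = {
    "HKEY_LOCAL_MACHINE": r"(?:HKLM|HKEY_LOCAL_MACHINE)",
    "HKEY_CURRENT_USER": r"(?:HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[\d-]+)",
    "HKEY_CLASSES_ROOT": r"(?:HKCR|HKEY_CLASSES_ROOT|HKLM\\Software\\Classes"
                         r"|HKU\\S-1-5-21-[\d-]+_Classes)",
}


def registry_matcher(indicator):
    """Compile one report path into a case-insensitive full-match pattern."""
    hive, _, rest = indicator.partition("\\")
    return re.compile(HIVE_PATTERNS[hive] + r"\\" + re.escape(rest), re.IGNORECASE)


REGISTRY_MATCHERS = [(ind, registry_matcher(ind)) for ind in REGISTRY_INDICATORS]

# The report's XP-era drop directory and its assumed equivalent from Vista
# onward, where the "Common AppData" folder is C:\ProgramData (lower-cased).
DROP_DIRS = {
    r"c:\documents and settings\all users\application data\temp",
    r"c:\programdata\temp",
}


def match_registry(events):
    """(indicator, event) pairs for Sysmon event ID 13 (registry value set)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        for indicator, pattern in REGISTRY_MATCHERS:
            if pattern.fullmatch(ev.get("TargetObject", "")):
                hits.append((indicator, ev))
    return hits


def match_drop_path(events):
    """Sysmon event ID 11 (FileCreate) records for files inside the drop directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        path = ev.get("TargetFilename", "").lower()
        if any(path == d or path.startswith(d + "\\") for d in DROP_DIRS):
            hits.append(ev)
    return hits


def match_mutexes(mutex_names):
    """Sample-specific report mutexes present in a handle/mutex listing."""
    return sorted((set(mutex_names) & REPORT_MUTEXES) - NOISY_MUTEXES)


def scan(events, mutex_names):
    return {"registry": match_registry(events),
            "drop_path": match_drop_path(events),
            "mutexes": match_mutexes(mutex_names)}


# Constructed Sysmon-style records: two indicator hits, one benign Shell Folders
# lookup, one file dropped into the TEMP directory and one unrelated Licenses value.
IMAGE = r"C:\Users\victim\Downloads\invoice.exe"  # made-up process path
CONSTRUCTED_EVENTS = [
    {"EventID": 13, "Image": IMAGE,
     "TargetObject": r"HKLM\Software\Licenses\{R7C0DB872A3F777C0}"},
    {"EventID": 13, "Image": IMAGE,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\VB and VBA Program Settings\tob\xx"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer"
                     r"\Shell Folders\Common AppData"},
    {"EventID": 11, "Image": IMAGE, "TargetFilename": r"C:\ProgramData\TEMP\stage2.tmp"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKLM\Software\Licenses\{0000000000000000}"},
]
CONSTRUCTED_MUTEXES = ["DBWinMutex", "0343850B::WK", r"Global\UnrelatedApp"]

if __name__ == "__main__":
    result = scan(CONSTRUCTED_EVENTS, CONSTRUCTED_MUTEXES)
    for indicator, ev in result["registry"]:
        print("registry:", ev["Image"], "->", indicator)
    for ev in result["drop_path"]:
        print("drop path:", ev["Image"], "->", ev["TargetFilename"])
    print("mutexes:", result["mutexes"])
```

Mutex presence is not something Sysmon records, so `match_mutexes` expects a name list from a handle enumeration on the suspect host; the two `Licenses` values and the CLSID GUID are the most specific registry indicators, while the RFC1156Agent value is a legitimate SNMP setting and should be weighted accordingly.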
Library level activity
- load - library - KERNEL32.DLL
- load - library - kernel32.dll
- load - library - User32.dll
- load - library - WININET.dll
- load - library - COMCTL32.dll
- load - library - KERNEL32.dll
- load - library - USER32.dll
- load - library - GDI32.dll
- load - library - comdlg32.dll
- load - library - ADVAPI32.dll
- load - library - SHELL32.dll
- load - library - ole32.dll
- load - library - OLEAUT32.dll
- load - library - KERNEL32
- load - library - C:\WINDOWS\system32\rpcss.dll
- load - library - C:\WINDOWS\system32\winlogon.exe
- load - library - xpsp2res.dll
- load - library - CLBCATQ.DLL
- load - library - C:\WINDOWS\system32\wbem\wbemprox.dll
- load - library - oleaut32.dll
- load - library - wmisvc.dll
- load - library - OLE32
- load - library - OLE32.DLL
- load - library - C:\WINDOWS\system32\wbem\wbemsvc.dll
- load - library - C:\WINDOWS\system32\wbem\fastprox.dll
- load - library - Kernel32.dll
- load - library - ws2_32.dll
- load - library - inetmib1.dll
- load - library - snmpapi.dll
- load - library - MPRAPI.dll
- load - library - shell32.dll
- load - library - user32.dll
- load - library - MSVBVM60.DLL
- load - library - advapi32.dll
- load - library - C:\WINDOWS\system32\uxtheme.dll
- load - library - uxtheme.dll
- load - library - SXS.DLL
- load - library - USER32
- load - library - C:\WINDOWS\system32\MSVBVM60.DLL
- load - library - user32
- load - library - C:\WINDOWS\system32\asycfilt.dll
Process API calls used
- NtFreeVirtualMemory
- VirtualProtectEx
- NtOpenSection
- NtCreateSection
- ZwMapViewOfSection
Registry API calls used
- RegOpenKeyExW
- RegQueryValueExW
- RegCloseKey
- NtOpenKey
- NtQueryValueKey
- RegCreateKeyExW
- RegCreateKeyExA
- RegSetValueExW
- RegOpenKeyExA
- RegSetValueExA
- RegQueryValueExA
- RegDeleteKeyA
- RegDeleteValueA
- RegEnumKeyExA
- RegEnumValueA
System API calls used
- LdrGetDllHandle
- LdrGetProcedureAddress
- LdrLoadDll
- NtDelayExecution
- IsDebuggerPresent
- SetWindowsHookExA
IsDebuggerPresent is a standard anti-debugging check, and NtDelayExecution (the native call behind Sleep) is frequently used to wait out a sandbox's analysis window; SetWindowsHookExA installs a Windows message hook, the mechanism behind keystroke and window-message interception. The report records only that these calls occurred, not their arguments or what was done with them.
Filesystem API calls used
- FindFirstFileExW
- NtCreateFile
- NtSetInformationFile
- NtWriteFile
- NtReadFile
- NtQueryInformationFile
- NtOpenFile
- NtDeviceIoControlFile
- CreateDirectoryW
- NtQueryDirectoryFile
Network
UDP source >> destination
- 192.168.30.254 >> 192.168.30.4
- 192.168.30.4 >> 192.168.30.255
TCP source >> destination
- 192.168.30.4 >> 192.168.30.254
All addresses fall in the RFC 1918 range 192.168.30.0/24 of the analysis network (the sample host is 192.168.30.4; 192.168.30.255 is the subnet broadcast address), so none of them is an external network indicator.
Domains: none recorded
DNS Request: none recorded
HTTP Request: none recorded
DLL related data
Number of DLLs imported = 3
- KERNEL32.dll
- USER32.dll
- GDI32.dll
The static import table names only these three DLLs. Every other module under Library level activity (MSVBVM60.DLL, WININET.dll, ws2_32.dll, the WMI modules under wbem\, inetmib1.dll and snmpapi.dll) was resolved at run time, which matches the LdrLoadDll and LdrGetProcedureAddress calls recorded under System API calls. MSVBVM60.DLL is the Visual Basic 6 runtime and HKEY_CURRENT_USER\Software\VB and VBA Program Settings is where VB's SaveSetting stores values, both consistent with a Visual Basic 6 executable.