Full Analysis Report of sdb9npz-107-26-174669.exe

Summary:

  • Summary of the findings

      No. What's been found Severity

Technical details:

  • General

    • User : \\TEST-R7CHD9Q826\Administrator
    • Application type : Windows application
    • Priority : Normal
    • Size : 1244120
    • Path : C:\Samples\sdb9npz-107-26-174669.exe
    • Command : "C:\Samples\sdb9npz-107-26-174669.exe"
    • MD5: 23cc18a5eca132ba3c1b49d82aa41cd5
    • SHA1: 7e91103757dfd725f93d8629643d3de1c3b72646
    • Alias

      • Trojan.Generic.11179194 [Ad-Aware]
      • PUA.Agent! [Agnitum]
      • TR/Dldr.Megone.tga [AntiVir]
      • Riskware[not-a-virus]/Win32.NsisDowloader.gen [Antiy-AVL]
      • NSIS:Downloader-AAY [Trj] [Avast]
      • Trojan.NSIS.Grinidou.E [Baidu-International]
      • Trojan.Generic.11179194 [BitDefender]
      • Adware.Siggen.31075 [DrWeb]
      • NSIS/TrojanDownloader.Grinidou.F [ESET-NOD32]
      • Trojan.Generic.11179194 (B) [Emsisoft]
      • Trojan.Generic.11179194 [F-Secure]
      • W32/StartPage.NY!tr [Fortinet]
      • Trojan.Generic.11179194 [GData]
      • Trojan-Downloader ( 004976411 ) [K7AntiVirus]
      • Trojan-Downloader ( 004976411 ) [K7GW]
      • Trojan.Chad [Malwarebytes]
      • Artemis!56593DBD03A5 [McAfee]
      • Heuristic.BehavesLike.Win32.Suspicious-PKR.G [McAfee-GW-Edition]
      • Trojan.Generic.11179194 [MicroWorld-eScan]
      • TrojanDownloader:Win32/Hicrazyk.A [Microsoft]
      • Trojan.Nsis.Agent.cvzngl [NANO-Antivirus]
      • Win32/Trojan.Dropper.c9f [Qihoo-360]
      • Troj/StartP-HV [Sophos]
      • WS.Reputation.1 [Symantec]
      • TROJ_GEN.R0CBC0PD514 [TrendMicro]
      • TROJ_GEN.R0CBC0PD514 [TrendMicro-HouseCall]
      • suspected of Trojan.Downloader.gen.h [VBA32]
      • Trojan.Win32.Generic!BT [VIPRE]
    • Version details

      • Company :
      • File version :
      • Product version :
      • Description :
      • Product name :
      • Legal copyright :
      • Internal name :
    • File times

      • Creation time : Saturday, May 17, 2014 - 19:39:00
      • Modification time : Saturday, May 17, 2014 - 19:39:20
      • Last access time : Tuesday, May 20, 2014 - 17:48:14
    • Process times

      • Start time : 17 : 48 : 14
      • Exit time : - : - : -
      • Kernel time : 0.125000 (s)
      • User time : 0.000000 (s)
    • IO counters

      • Read operation : 158
      • Write operation : 27
      • Other operation : 1172
      • Read transfer : 2319529
      • Write transfer : 1256108
      • Other transfer : 15620
    • Memory details

      • Page fault count : 1121
      • Page file usage : 0
      • Peak page file usage : 1572864
      • Peak working set size : 4153344
      • Quota non paged pool usage : 0
      • Quota paged pool usage : 0
      • Quota peak non paged pool usage : 2888
      • Quota peak paged pool usage : 67036
      • Working set size : 28672
    • Process privileges

      • SeChangeNotifyPrivilege
      • SeSecurityPrivilege
      • SeBackupPrivilege
      • SeRestorePrivilege
      • SeSystemtimePrivilege
      • SeShutdownPrivilege
      • SeRemoteShutdownPrivilege
      • SeTakeOwnershipPrivilege
      • SeDebugPrivilege
      • SeSystemEnvironmentPrivilege
      • SeSystemProfilePrivilege
      • SeProfileSingleProcessPrivilege
      • SeIncreaseBasePriorityPrivilege
      • SeLoadDriverPrivilege
      • SeCreatePagefilePrivilege
      • SeIncreaseQuotaPrivilege
      • SeUndockPrivilege
      • SeManageVolumePrivilege
      • SeImpersonatePrivilege
      • SeCreateGlobalPrivilege
  • Events statistics

      • OpenKey : 3
      • SetValueKey : 11
      • CreateFile : 4
      • CreateFolder : 1
      • WriteFile : 24
      • Process Create : 1
      • Thread Create : 1
      • Thread Exit : 1
      • Load Image : 26
  • Modules

      Index Name Path Load Address Image Size Entry Point Version Size Company Description


  • File system modifications

    • The following files were created by W32/StartPage.NY!tr

      • %Temp%nsz176.tmp
      • %Temp%pyl177.tmp
      • %Temp%nso178.tmp
      • %Temp%nso178.tmp\System.dll
    • The following folders were created by W32/StartPage.NY!tr

      • %Temp%nso178.tmp
    • The following files were modified by W32/StartPage.NY!tr

      • %Temp%pyl177.tmp
      • %Temp%nso178.tmp\System.dll
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

  • Memory modifications

  • Registry modifications

    • The following Registry value was modified:

      • HKEY_LOCAL_MACHINE\software\microsoft\cryptography\rng\seed = DB A3 34 97 EB 93 38 AF ...
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db21b9c4-ec68-11e1-844d-806e6f6e6963}\baseclass = "Drive"
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db21b9c1-ec68-11e1-844d-806e6f6e6963}\baseclass = "Drive"
      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db21b9c0-ec68-11e1-844d-806e6f6e6963}\baseclass = "Drive"
  • Network activity

  • How to get rid of W32/StartPage.NY!tr

    • Remove the following files:

      • C:\Documents and Settings\Administrator\Local Settings\Temp\nsz176.tmp
      • C:\Documents and Settings\Administrator\Local Settings\Temp\pyl177.tmp
    • Remove the following folders:

      • C:\Documents and Settings\Administrator\Local Settings\Temp\nsz176.tmp
  • How to protect yourself in the future

This report was created with Ax3soft Scout.