Trojan.GenericKD.4586128_74c660426e

by malwarelabrobot on March 27th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.4586128 (B) (Emsisoft), Trojan.GenericKD.4586128 (AdAware)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 74c660426e6ad01904cf0c4321675097
SHA1: 8c559ec0e4bd4ae1d09c7f4d835d3251d9356168
SHA256: 9db86a5816ab429b4726cd64a8c394f369d77a6db62bb1518dc806d673ffc8ff
SSDeep: 24576:EaXNVojWEdAxIHJRyiKps0TErCgxjyAdSx/qSboroFNRJaYfi:Euzoj5JgjEr/dyqSbo0cY
Size: 1454080 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: appinstall d2
Created at: 2017-03-13 05:22:53
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1792
%original file name%.exe:2176

The Trojan injects its code into the following process(es):

SearchProtocolHost.exe:1900
SearchFilterHost.exe:1780
wininit.exe:360
winlogon.exe:416
services.exe:460
lsm.exe:476
svchost.exe:580
svchost.exe:648
svchost.exe:700
svchost.exe:820
svchost.exe:860
svchost.exe:1032
SearchIndexer.exe:1100
svchost.exe:1112
spoolsv.exe:1224
svchost.exe:1260
svchost.exe:1664
wmiprvse.exe:1816
taskhost.exe:1940
taskeng.exe:2000
Dwm.exe:2008
Explorer.EXE:2024
svchost.exe:2340
conhost.exe:3904
taskhost.exe:3572

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\Documents\Delay.txt (32 bytes)

The process %original file name%.exe:2176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Monitor\Screenshots\03-26-2017\3.35 AM (47 bytes)

Registry activity

The process %original file name%.exe:2176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software]
"prc" = "2176"
"auKBM NbrgFiv3UGmZkr Q==" = "BYOZMbcHdwFtgYglTiC u9sOgGxp/ZCC9VBKAcbgz8s="
"pth" = "c:\%original file name%.exe"
"6pprwpp0CBdleLjPr/lihg==" = "gHz0ziJAt86V3 qIMpS9A=="
"MTX" = "59a9161a78a3483a2edcdc3fb582650a1c3d25a6"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

ZwQuerySystemInformation

Propagation

VersionInfo

Company Name: Pantaray Research Ltd.
Product Name: Diagnostic HUB
Product Version: 12.0.0.0
Legal Copyright: Copyright (C) 2002-2017
Legal Trademarks:
Original Filename: Project1.exe
Internal Name:
File Version: 12.0.0.5
File Description: Diagnostic HUB
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 1451140 1451520 4.39925 8d7f1f1ed29fe6c9000fec4d8730ec68
.rsrc 1466368 1536 1536 2.75144 49849b48188e9f40acc0e6260275ca29
.reloc 1474560 12 512 0.070639 8607f77b215816cfa92bb1b9a31350e3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
dns.msftncsi.com
time.windows.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

SearchProtocolHost.exe_1900:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchProtocolHost.exe_1900_rwx_0077D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

SearchFilterHost.exe_1780:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_1780_rwx_0067D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

wininit.exe_360_rwx_0027D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

winlogon.exe_416_rwx_0053D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
C:\Windows\system32\winlogon.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

services.exe_460_rwx_0008D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

lsm.exe_476_rwx_0024D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_580_rwx_001CD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_648_rwx_0017D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_700_rwx_002ED000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
.ja-JP
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_820_rwx_0015D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_860_rwx_005BD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_1032_rwx_0009D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

SearchIndexer.exe_1100_rwx_00E0D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_1112_rwx_00DBD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

spoolsv.exe_1224_rwx_006CD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_1260_rwx_003AD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_1664_rwx_001ED000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

wmiprvse.exe_1816_rwx_0021D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

taskhost.exe_1940_rwx_0037D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
C:\Windows\system32\taskhost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

taskeng.exe_2000_rwx_002DD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

Dwm.exe_2008_rwx_004CD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
C:\Windows\system32\Dwm.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

Explorer.EXE_2024_rwx_02D6D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
C:\Windows\Explorer.EXE
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_2340_rwx_0014D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

conhost.exe_3904_rwx_0010D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
C:\Windows\system32\conhost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

taskhost.exe_3572_rwx_0062D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1792
    %original file name%.exe:2176

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\Documents\Delay.txt (32 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Monitor\Screenshots\03-26-2017\3.35 AM (47 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
