HPsus/Matsnu-A

Category: Suspicious Behavior and Files Protection available since:08 Aug 2012 16:18:40 (GMT)
Type: Suspicious file Last Updated:28 Aug 2012 22:46:30 (GMT)

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

HPsus/Matsnu-A exhibits suspicious behaviour normally associated with that of a family of ransomware.

Examples of HPsus/Matsnu-A include:

Example 1

File Information

Size
35K
SHA-1
3097d2c3467b44bbeb43aba6477bba71bd65c1ae
MD5
a6baa4294b5743cb9e0755b8043b1c72
CRC-32
bcf59764
File type
Windows executable
First seen
2012-05-26

Other vendor detection

Avira
TR/Crypt.ZPACK.Gen
Kaspersky
HEUR:Trojan.Win32.Generic
Trend
PAK_Generic.001

Runtime Analysis

Processes Created
  • c:\windows\system32\svchost.exe

Example 2

File Information

Size
115K
SHA-1
9705b91c2e781088a13fee58be91e8f8b2c26be0
MD5
8feebe3368d32a6faf85be2f949d0be0
CRC-32
9c4aa585
File type
Windows executable
First seen
2012-06-17

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\system32\95A07017601F769F748A.exe
  • c:\Documents and Settings\test user\Application Data\Rhttcaal\25715511601F769FE6EA.exe
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger
    P9KDMF.EXE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
    Debugger
    P9KDMF.EXE
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    DisableTaskMgr
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
    Debugger
    P9KDMF.EXE
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    601F769F
    c:\Documents and Settings\test user\Application Data\Rhttcaal\25715511601F769FE6EA.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegedit
    0x00000001
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\95A07017601F769F748A.exe,
Processes Created
  • c:\docume~1\support\locals~1\temp\vptrrgffnb.pre
  • c:\windows\system32\ctfmon.exe
  • c:\windows\system32\reg.exe
HTTP Requests
  • http://dns-servicefree.com/images/a.php
DNS Requests
  • dns-servicefree.com

Example 3

File Information

Size
59K
SHA-1
a1636e8ded78365d7be45cd8fdb3b57e940c3ffa
MD5
62e5ab1b7f28bbdd6104bff5aebdb852
CRC-32
ae111ae9
File type
Windows executable
First seen
2012-06-14

Other vendor detection

Kaspersky
Trojan-Ransom.Win32.Gimemo.uws

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\Inbqjoqyy\dtxdcfbvmu.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\601F769F.mktr
    Size
    662
    SHA-1
    542d0e724a48ad60f5f202c9e0a6729a88ab9020
    MD5
    d62e35e39ac6e07df0249bd7a7f091e5
    CRC-32
    63714752
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2012-06-07
  • c:\Documents and Settings\test user\Local Settings\Temp\Desk.$00
    Size
    17
    SHA-1
    3b9b54efdb30c0c0266471236eae157c47e1d753
    MD5
    6651b78a7f101206a66ec3219066301d
    CRC-32
    f76066e3
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2012-05-15
  • c:\Documents and Settings\test user\Local Settings\Temp\601F769F000043500000.$$0
    Size
    821K
    SHA-1
    b3e2ba4c347c830e5cfd8649a703fd058d242aef
    MD5
    20c668f8a5f15820d35352668c4984c9
    CRC-32
    652d37d6
    File type
    Unspecified binary - probably data
    First seen
    2012-06-08
  • c:\Documents and Settings\test user\Local Settings\Temp\601F769F0000435000007573
    Size
    1.1K
    SHA-1
    fc07eb10e39eb4cfe396f242fa47dead71e448d9
    MD5
    e94c2bb4c66771d842db6dbb0eb6b7a4
    CRC-32
    5432ba42
    File type
    Unspecified binary - probably data
    First seen
    2012-05-01
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger
    P9KDMF.EXE
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegedit
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
    Debugger
    P9KDMF.EXE
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    601F769F
    C:\DOCUME~1\support\LOCALS~1\Temp\Inbqjoqyy\dtxdcfbvmu.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
    Debugger
    P9KDMF.EXE
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    DisableTaskMgr
    0x00000001
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr
    0x00000001
Processes Created
  • c:\docume~1\support\locals~1\temp\mhxtfycell.pre
  • c:\windows\system32\reg.exe
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://lickes-shops.com/forum/a.php
DNS Requests
  • lickes-shops.com

download Try Sophos products for free
Download now

© 1997 - 2013 Sophos Ltd. All rights reserved. Legal Privacy Cookie Information