Troj/Ransom-ADN

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 07 Nov 2013 02:47:21 (GMT)
Last Updated: 19 Mar 2014 22:18:41 (GMT)


Examples of Troj/Ransom-ADN include:

Example 1

File Information

Size
193K
SHA-1
0257832cd586b769304f6e354dd09d3ded2b6772
MD5
d4800c60fbc93f01917deeed368c69da
CRC-32
caf5a7b0
File type
Windows executable
First seen
2013-10-22

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Application Data\PXKxWc1LO\2ii1tyw8.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\PXKxWc1LO\2ii1tyw8.dll
    Size
    193K
    SHA-1
    64d997f776e6c4eeae6c142ef21f9b70083698db
    MD5
    ccbb2224ac72d8f13f597b15d7b20b36
    CRC-32
    51b0cd9b
    File type
    Windows executable
    First seen
    2013-10-23
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    2ii1tyw8.exe
    "c:\Documents and Settings\test user\Local Settings\Application Data\PXKxWc1LO\2ii1tyw8.exe"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    2ii1tyw8.exe
    "c:\Documents and Settings\test user\Local Settings\Application Data\PXKxWc1LO\2ii1tyw8.exe"
  • HKCU\Software\Microsoft\Command Processor
    Autorun
    "c:\Documents and Settings\test user\Local Settings\Application Data\PXKxWc1LO\2ii1tyw8.exe"
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Command Processor
    AutoRun
    "c:\Documents and Settings\test user\Local Settings\Application Data\PXKxWc1LO\2ii1tyw8.exe"
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    cmd.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    cmd.exe
Processes Created
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://isqsllbqxl.at/
  • http://notazdtjir.at/
  • http://trsumoaxst.at/
  • http://waryxnhzzf.at/
DNS Requests
  • isqsllbqxl.at
  • notazdtjir.at
  • trsumoaxst.at
  • waryxnhzzf.at

Example 2

File Information

Size
159K
SHA-1
07bbb750dd2a1157babc14b804a9603746b2fa9f
MD5
cae07925b0f61567cb5eee8ee92b9277
CRC-32
295714cd
File type
Windows executable
First seen
2013-10-31

Example 3

File Information

Size
150K
SHA-1
164ffc7211ca719b02b537492d833a85806d6a3b
MD5
bfc4395c8dbed5ce2b6d24e23ce0c9a9
CRC-32
a73eac7c
File type
Windows executable
First seen
2013-10-07

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Application Data\9Gg2hQ9V\bTUuadH4.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Application Data\9Gg2hQ9V\bTUuadH4.dll
    Size
    150K
    SHA-1
    d9a40ac6ac249e8d2b599d381512befb9a018735
    MD5
    14eea5c84f338f6fb6c142637ed7a771
    CRC-32
    90400613
    File type
    Windows executable
    First seen
    2013-10-07
Registry Keys Created
  • HKCU\Software\Microsoft\Command Processor
    Autorun
    "c:\Documents and Settings\test user\Local Settings\Application Data\9Gg2hQ9V\bTUuadH4.exe"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    bTUuadH4.exe
    "c:\Documents and Settings\test user\Local Settings\Application Data\9Gg2hQ9V\bTUuadH4.exe"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    bTUuadH4.exe
    "c:\Documents and Settings\test user\Local Settings\Application Data\9Gg2hQ9V\bTUuadH4.exe"
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Command Processor
    AutoRun
    "c:\Documents and Settings\test user\Local Settings\Application Data\9Gg2hQ9V\bTUuadH4.exe"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    cmd.exe
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    cmd.exe
Processes Created
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://bbbmjbnnnt.at/
  • http://cwmxtmwwqj.at/
  • http://eegnajbttr.at/
  • http://nmramdtuuk.at/
  • http://oyfowtkygc.at/
  • http://sbmecwntcy.at/
  • http://zfjbybcfiu.at/
DNS Requests
  • bbbmjbnnnt.at
  • cwmxtmwwqj.at
  • eegnajbttr.at
  • nmramdtuuk.at
  • oyfowtkygc.at
  • sbmecwntcy.at
  • zfjbybcfiu.at
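The two runtime analyses above (Examples 1 and 3) share one persistence chain: the Winlogon Shell value is switched from explorer.exe to cmd.exe, and the Command Processor AutoRun value, which cmd.exe executes every time it starts, points at the dropped executable, so the sample is relaunched at every logon even if the Run entries are removed; the callback domains are all ten lowercase letters under .at. The Python below is an added triage example, not Sophos code: it scans a registry snapshot and a DNS list constructed from the Example 1 values (with a few benign rows added so the checks have something to ignore) for that pattern. The function names, the random-directory-name heuristic and the benign rows are the editor's own assumptions.

```python
"""Triage the persistence and callback indicators listed in the runtime
analyses above. Added example, not Sophos code. The registry rows and DNS
names are constructed from the Example 1 values on this page."""
import re

# Constructed registry snapshot: (key, value name, data), as in Example 1.
MALWARE_EXE = (r'"c:\Documents and Settings\test user\Local Settings'
               r'\Application Data\PXKxWc1LO\2ii1tyw8.exe"')
REGISTRY = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "cmd.exe"),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "cmd.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Command Processor", "AutoRun", MALWARE_EXE),
    (r"HKCU\Software\Microsoft\Command Processor", "Autorun", MALWARE_EXE),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "2ii1tyw8.exe", MALWARE_EXE),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "2ii1tyw8.exe", MALWARE_EXE),
    # Benign rows (constructed) that the checks must leave alone.
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\WINDOWS\system32\userinit.exe,"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Command Processor", "CompletionChar", "0x40"),
]

# Constructed DNS log: the four Example 1 lookups plus two ordinary names.
DNS_QUERIES = ["isqsllbqxl.at", "notazdtjir.at", "trsumoaxst.at",
               "waryxnhzzf.at", "www.sophos.com", "update.microsoft.com"]

# Per-user local application data, XP-style ("Local Settings\Application
# Data") or Vista+ ("AppData\Local"); the sample copies itself into one
# directory directly below it.
LOCAL_APPDATA = re.compile(
    r"\\(?:Local Settings\\Application Data|AppData\\Local)\\([^\\]+)\\", re.I)


def looks_random(label):
    """Heuristic (editor's assumption) for generated directory names such as
    PXKxWc1LO or 9Gg2hQ9V: all three character classes present, or four or
    more case flips between adjacent letters (two-word CamelCase product
    names like SecurityHealth flip at most three times)."""
    classes = sum(bool(re.search(p, label)) for p in ("[a-z]", "[A-Z]", "[0-9]"))
    letters = [c for c in label if c.isalpha()]
    flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    return classes >= 3 or flips >= 4


def check_registry(entries):
    """Return (key, value name, reason) for every row matching the chain."""
    findings = []
    for key, name, data in entries:
        k, n = key.lower(), name.lower()
        if k.endswith(r"\winlogon") and n == "shell":
            # Winlogon starts this program instead of explorer.exe at logon.
            if data.strip().lower() != "explorer.exe":
                findings.append((key, name, "Winlogon Shell replaced"))
        elif k.endswith(r"\command processor") and n == "autorun":
            # cmd.exe runs AutoRun every time it starts; with Shell=cmd.exe
            # that is every logon, so any command here restarts the sample.
            if data.strip():
                findings.append((key, name, "Command Processor AutoRun set"))
        elif k.endswith(r"\currentversion\run"):
            m = LOCAL_APPDATA.search(data)
            if m and looks_random(m.group(1)):
                findings.append((key, name, "Run entry in random local-appdata dir"))
    return findings


def check_dns(names):
    """Flag the shape seen on this page: exactly ten lowercase letters under
    .at. This matches the sample's callback names, not DGAs in general."""
    return [d for d in names if re.fullmatch(r"[a-z]{10}\.at", d)]


if __name__ == "__main__":
    for key, name, reason in check_registry(REGISTRY):
        print(f"{reason}: {key}\\{name}")
    for domain in check_dns(DNS_QUERIES):
        print(f"suspicious lookup: {domain}")
```

On a live host the same rows come from `reg query` or a REG export; remediation order matters: restore Shell to explorer.exe and clear both AutoRun values before deleting the Run entries, otherwise the next cmd.exe start relaunches the dropped executable.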
