Troj/Ransom-EKK

Category: Viruses and Spyware
Type: Trojan
Protection available since: 07 Apr 2017 21:17:20 (GMT)
Last Updated: 07 Apr 2017 21:17:20 (GMT)
Prevalence: Small Number of Reports


Troj/Ransom-EKK exhibits the following characteristics:

File Information

Size: 388K
SHA-1: 57d634bc17435c1cc08a6f00b2a7857c897dceda
MD5: 024766f170b9e49f5f4941e867569942
CRC-32: 165886d7
File type: Windows executable
First seen: 2017-04-07

Runtime Analysis

Registry Keys Created
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Account Manager
    Default LDAP Account
    Active Directory GC
  • HKEY_USERS\S-1-5-18\Software\Microsoft\WAB
    Server ID
    0x000001f5
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
    LDAP Logo
    %ProgramFiles%\Common Files\Services\verisign.bmp
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
    LDAP Search Base
    NULL
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter
    EnabledV9
    0x00000000
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    SeparateProcess
    0x00000000
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    (binary value; rendered as unprintable characters in the source)
  • HKEY_USERS\.DEFAULT\Software\Microsoft\WAB\WAB4\Wab File Name
    (Default)
    C:\Documents and Settings\Default User\Application Data\Microsoft\Address Book\SYSTEM.wab
  • HKEY_USERS\S-1-5-18\Software\Microsoft\WAB\WAB4
    OlkFolderRefresh
    0x00000000
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
    ShellState
    (binary value; rendered as unprintable characters in the source)
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    SeparateProcess
    0x00000000
  • HKEY_USERS\.DEFAULT\Identities
    Default User ID
    {0FE910F5-4BBD-4576-BCA1-54A7F8C66688}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    (binary value; rendered as unprintable characters in the source)
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\PhishingFilter
    EnabledV9
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    eloqebih
    "C:\WINDOWS\alwkyfum.exe"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\WAB\WAB4\Wab File Name
    (Default)
    C:\Documents and Settings\Default User\Application Data\Microsoft\Address Book\SYSTEM.wab
  • HKEY_USERS\S-1-5-18\Identities\{0FE910F5-4BBD-4576-BCA1-54A7F8C66688}
    Directory Name
    0x0fe910f5
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
    LDAP Logo
    %ProgramFiles%\Common Files\Services\verisign.bmp
  • HKEY_USERS\.DEFAULT\Software\Microsoft\WAB\WAB4
    OlkFolderRefresh
    0x00000000
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Account Manager\Accounts
    PreConfigVerNTDS
    0x00000001
  • HKEY_USERS\.DEFAULT\Identities\{0FE910F5-4BBD-4576-BCA1-54A7F8C66688}
    Directory Name
    0x0fe910f5
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Account Manager
    Default LDAP Account
    Active Directory GC
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
    LDAP Search Base
    NULL
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer
    ShellState
    (binary value; rendered as unprintable characters in the source)
  • HKEY_USERS\.DEFAULT\Software\Microsoft\WAB
    Server ID
    0x000001f5
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Account Manager\Accounts
    PreConfigVerNTDS
    0x00000001
  • HKEY_USERS\S-1-5-18\Identities
    Default User ID
    {0FE910F5-4BBD-4576-BCA1-54A7F8C66688}
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
    LDAP Logo
    %ProgramFiles%\Common Files\Services\whowhere.bmp
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
    LDAP Logo
    %ProgramFiles%\Common Files\Services\bigfoot.bmp
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
    LDAP Logo
    %ProgramFiles%\Common Files\Services\whowhere.bmp
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
    LDAP Logo
    %ProgramFiles%\Common Files\Services\bigfoot.bmp
Registry Keys Modified
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Cache
    c:\Documents and Settings\test user\Local Settings\Temporary Internet Files
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-18\Identities
    Last User ID
    {0FE910F5-4BBD-4576-BCA1-54A7F8C66688}
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Cache
    c:\Documents and Settings\test user\Local Settings\Temporary Internet Files
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USERS\.DEFAULT\Identities
    Last User ID
    {0FE910F5-4BBD-4576-BCA1-54A7F8C66688}
Processes Created
  • c:\windows\explorer.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://ipecho.net/plain
  • http://myexternalip.com/raw
  • http://wtfismyip.com/text
IP Connections
  • 163.172.185.132:443
  • 46.183.218.199:9001
DNS Requests
  • apagyqyf.elsont.org
  • bzip.elsont.org
  • dxomtsymels.elsont.org
  • egono.elsont.org
  • eqanofopoq.elsont.org
  • imel.elsont.org
  • ipecho.net
  • ixoxejopqt.elsont.org
  • myexternalip.com
  • vtifib.elsont.org
  • wtfismyip.com
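Most of the HKEY_USERS entries listed under Runtime Analysis (Internet Account Manager, WAB, Identities, PhishingFilter, ShellState) are consistent with the profile state Windows XP writes for the SYSTEM account the first time explorer.exe and the Outlook Express components run in a sandbox, so they are poor indicators on their own. The entries specific to this sample are the Run-key persistence value, the lookups under elsont.org, the two remote peers and the external-IP services. The script below is an added example (not Sophos code and not part of the original analysis) that checks a file against the three digests above and runs those indicators over endpoint and network telemetry. The telemetry records in SAMPLE_EVENTS are constructed for illustration, and the "eight-letter name under C:\WINDOWS" rule is an assumption of this example, not something the page states.

```python
"""Hunt for Troj/Ransom-EKK indicators in endpoint/network telemetry.

Added example: the indicator values come from the analysis above; the
telemetry records in SAMPLE_EVENTS are constructed for illustration and the
generated-name heuristic is an assumption, not something the page states.
"""
import hashlib
import re
import zlib
from urllib.parse import urlparse

# --- Indicators taken from the analysis page -------------------------------
SHA1 = "57d634bc17435c1cc08a6f00b2a7857c897dceda"
MD5 = "024766f170b9e49f5f4941e867569942"
CRC32 = "165886d7"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "eloqebih"
RUN_VALUE_DATA = r"C:\WINDOWS\alwkyfum.exe"
PEERS = {("163.172.185.132", 443), ("46.183.218.199", 9001)}
PEER_IPS = {ip for ip, _ in PEERS}
EXTERNAL_IP_HOSTS = {"ipecho.net", "myexternalip.com", "wtfismyip.com"}
C2_ZONE = "elsont.org"  # the looked-up labels vary, so match the whole zone

# Assumption (heuristic, not from the page): the dropped file name and the
# Run value name look machine-generated, so also flag any Run entry that
# launches an eight-letter lowercase .exe straight out of C:\WINDOWS.
GENERATED_NAME_RE = re.compile(r"^c:\\windows\\[a-z]{8}\.exe$", re.IGNORECASE)


def file_hashes(data: bytes) -> dict:
    """Digests in the same three formats the page lists for the sample."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        # zlib.crc32 is unsigned on Python 3; zero-pad to 8 hex digits
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def matches_sample(data: bytes) -> bool:
    """True when the bytes are the analysed sample (SHA-1 decides; MD5+CRC corroborate)."""
    h = file_hashes(data)
    return h["sha1"] == SHA1 or (h["md5"] == MD5 and h["crc32"] == CRC32)


def classify(evt: dict):
    """Return (severity, reason) for one telemetry record, or None if it is clean."""
    kind = evt.get("type")
    if kind == "dns":
        host = evt["query"].lower().rstrip(".")
        if host == C2_ZONE or host.endswith("." + C2_ZONE):
            return ("high", f"DNS lookup of {host} ({C2_ZONE} zone)")
        if host in EXTERNAL_IP_HOSTS:
            return ("low", f"external-IP lookup via {host}")
    elif kind == "net":
        if (evt["dst"], evt["port"]) in PEERS:
            return ("high", f"connection to known peer {evt['dst']}:{evt['port']}")
        if evt["dst"] in PEER_IPS:
            return ("medium", f"connection to known peer {evt['dst']} on unexpected port {evt['port']}")
    elif kind == "http":
        host = (urlparse(evt["url"]).hostname or "").lower()
        if host in EXTERNAL_IP_HOSTS:
            return ("low", f"external-IP lookup via {host}")
    elif kind == "reg":
        if evt["key"].lower() == RUN_KEY.lower():
            data = evt["data"].strip('"')  # the page shows the data quoted
            if evt["name"].lower() == RUN_VALUE_NAME or data.lower() == RUN_VALUE_DATA.lower():
                return ("high", f"Run-key persistence {evt['name']} -> {data}")
            if GENERATED_NAME_RE.match(data):
                return ("medium", f"Run value launching generated-looking name {data} (heuristic)")
    return None


def triage(events) -> list:
    """Classify every record and return the non-clean ones, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [c for c in (classify(e) for e in events) if c is not None]
    return sorted(hits, key=lambda h: order[h[0]])


# Constructed telemetry (not from the page); two records are deliberately clean.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "eqanofopoq.elsont.org"},
    {"type": "dns", "query": "updates.example.com"},
    {"type": "net", "dst": "46.183.218.199", "port": 9001},
    {"type": "net", "dst": "46.183.218.199", "port": 80},
    {"type": "http", "url": "http://wtfismyip.com/text"},
    {"type": "reg", "key": RUN_KEY, "name": "eloqebih", "data": '"C:\\WINDOWS\\alwkyfum.exe"'},
    {"type": "reg", "key": RUN_KEY, "name": "OneDrive", "data": r"C:\Program Files\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Two caveats when using this for hunting. The three external-IP services are legitimate and widely used, so a lookup of ipecho.net or wtfismyip.com is only corroborating evidence and is scored low here. Port 9001 is Tor's default ORPort, so check 46.183.218.199 against a Tor relay list before treating it as dedicated infrastructure for this sample; a relay address can change hands and will produce hits unrelated to this trojan.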