Submission Summary:

What's been foundSeverity Level
Downloads/requests other files from Internet.

 

Technical Details:

 

File System Modifications

#Filename(s)File SizeFile Hash
1 %AppData%\winlogon.exe 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2 %Temp%\HipsTray.exe 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
3 %Windir%\downsystem.exe 2,300,130 bytes MD5: 0x2362D1919DD358CF864C043CF4663DAD
SHA-1: 0x84B3681FCF46D3ABAB34AF44A38D2E0F90B766A7
4 %Windir%\Tasks\DeviceReport.job 292 bytes MD5: 0x3E615FA17C483E81CD5EB5419014F489
SHA-1: 0xE83FEE05E590C5DE371AC22137F3F5C4064531E0

 

Memory Modifications

Process NameProcess FilenameMain Module Size
winlogon.exe%AppData%\winlogon.exe1,372,160 bytes
[filename of the sample #1][file and pathname of the sample #1]1,372,160 bytes

Service NameDisplay NameStatusService Filename
DRSrvicesDevice Report Services"Running"%AppData%\winlogon.exe

 

Registry Modifications

 

Other details

Server NameServer PortConnect as UserConnection Password
down.nood1e.cf80(null)(null)
ser.cnxc.bid80(null)(null)

 

 

Downloaded File Summary:

What's been foundSeverity Level
Produces outbound traffic.
Downloads/requests other files from Internet.

 

Technical Details:

 

Memory Modifications

Process NameProcess FilenameMain Module Size
fsldsw.exe%System%\fsldsw.exe233,472 bytes
services.exe%Windir%\debug\debugconfig\services.exe5,107,712 bytes
csrss.exe%Windir%\debug\debugconfig\csrss.exe61,440 bytes
[filename of the sample #1][file and pathname of the sample #1]233,472 bytes
[filename of the sample #2][file and pathname of the sample #2]5,107,712 bytes
spoolsv.exe%Windir%\debug\debugconfig\spoolsv.exe57,344 bytes
svchost.exe%Windir%\debug\debugconfig\svchost.exe143,360 bytes

Service NameDisplay NameStatusService Filename
PowerShadowMicrosoft PowerMaster"Running"%System%\fsldsw.exe

 

Registry Modifications

 

Other details

PortProtocolProcess
1033TCPfsldsw.exe (%System%\fsldsw.exe)

Remote HostPort Number
yk.cnxc.tk9800

Server NameServer PortConnect as UserConnection Password
down.nood1e.cf80(null)(null)

 

Outbound traffic (potentially malicious)

 

 

Downloaded Files Summary (Generation #2):

What's been foundSeverity Level
Downloads/requests other files from Internet.

 

Technical Details:

 

Memory Modifications

Process NameProcess FilenameMain Module Size
[generic host process][generic host process filename]20,480 bytes

Module NameModule FilenameAddress Space Details
[filename of the sample #2][file and pathname of the sample #2]Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0xB10000 - 0xB9C000

 

Other details

URL to be downloadedFilename for the downloaded bits
http://205.209.177.18/mm/svchosx.exe%Temp%\\kwgks.exe
????????8??I?4????e`};?T?0@h/8

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2018 ThreatExpert. All rights reserved.