Remote Host Port Number 81 80

* The data identified by the following URL was then requested from the remote web server:
o http://wallprofiles.net/pic.exe

* The following IRC commands were then sent to the remote host:

USER n "" "lol" :n
JOIN #biz#
PONG 422

Registry Modifications

* The newly created Registry Value is:
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ WindowsDriverControl = "%AppData%\C-76947-8457-2745\wincdrsvn.exe"

so that wincdrsvn.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name    Process Filename    Main Module Size
gnt.exe         %Temp%\gnt.exe      323 584 bytes

File System Modifications

* The following files were created in the system:

1. Filename(s): %AppData%\C-76947-8457-2745\wincdrsvn.exe, %Temp%\gnt.exe
   File Size: 323 584 bytes
   File Hash: MD5: 0xF06F4893C8D7D972A1888055ABB3043E; SHA-1: 0xBCFD472DC2412D9CEE088D97A52F19645B8BEA7B
   Alias: Backdoor.LolBot [PCTools]

2. Filename(s): [file and pathname of the sample #1]
   File Size: 286 720 bytes
   File Hash: MD5: 0xE4E921C2C44E97B7327251A0C17A2EB8; SHA-1: 0x338FE93F833ED7B54B86CAADCCD2F6E21581EFA6
   Alias: Backdoor.LolBot [PCTools]

3. Filename(s): %System%\winrtsnr.txt
   File Size: 0 bytes
   File Hash: MD5: 0xD41D8CD98F00B204E9800998ECF8427E; SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Alias: (not available)
