Remote Host       Port Number
64.62.181.46      80
83.140.172.212    6667
* The data identified by the following URL was then requested from the remote web server:
o http://h1.ripway.com/sxmast/config.php
NICK u-uu6
USER l4 8 * :0.0
PONG :3083554165
JOIN #sxsouls nopass
* The following port was open in the system:
Port   Protocol   Process
1056   TCP        usx32.exe (%AppData%\usx32.exe)
Registry Modifications
* The newly created Registry Value is:
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ usx32 = "%AppData%\usx32.exe"
so that usx32.exe runs every time Windows starts
* The following Registry Value was deleted:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ VMware Tools = "%ProgramFiles%\VMware\VMware Tools\VMwareTray.exe"
+ VMware User Process = "%ProgramFiles%\VMware\VMware Tools\VMwareUser.exe"
Memory Modifications
* There was a new process created in the system:
Process Name   Process Filename      Main Module Size
usx32.exe      %AppData%\usx32.exe   2 306 048 bytes
* The following system services were modified:
Service Name   Display Name                                         New Status   Service Filename
ALG            Application Layer Gateway Service                    "Stopped"    %System%\alg.exe
SharedAccess   Windows Firewall/Internet Connection Sharing (ICS)   "Stopped"    %System%\svchost.exe -k netsvcs
File System Modifications
* The following file was created in the system:
#   Filename(s)                            File Size         File Hash
1   %AppData%\usx32.exe                    1 622 016 bytes   MD5: 0xFF968983FC6B41FD0E839A2EA3AF62B2
    [file and pathname of the sample #1]                     SHA-1: 0x736577E80709107230C533EFFC4F611ACA1E8E41