Analysis Date: 2015-10-16 05:56:15
MD5: 45ad57f867768bed4ba34c3b74010b9e
SHA1: 0ef114c1d57307447c6de8f8e54daee5c2170a40

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 926521b35a124d75944746c0114b2947 sha1: d9d30946616fbc0cd8ee39d98fb6615c672b962a size: 65536
Section .rdata md5: 03c58848222dcc669b0d046cc77e9709 sha1: 69814cca5f0ee91b1410ec2fb59baa344bde2cf9 size: 19968
Section .data md5: b69a3ce84439c99a517fceb1685573e6 sha1: 762381a3aedadb86675aae056aad4bb50bbcb150 size: 16896
Section .rsrc md5: ba69d28fb15f5954783ee9ffede54d65 sha1: c782c78fe713b0194401a1e10392e11c88e0b43d size: 1536
Timestamp: 2004-02-25 04:15:13
Version info:
  LegalCopyright: YfmfStiwhw"Tyjfsgva.Jlwc),Ngq-vpziur"cojzrdxb&
  InternalName: PH*Nlzt"xltxgp
  FileVersion: 2(0%4-8
  CompanyName: CeadBfnjwr%Lbxnazsp#Muxd&
  ProductName: atpc.dmwvquw0ldfbhu
  ProductVersion: 1%4,0*5
  FileDescription: FR8,Ravvb0Xgmgdeoo
  OriginalFilename: QH2+Doczr*Sevjyrzx
Packer: Microsoft Visual C++ ?.?
PEhash: 4be8bd4df62f66af232d95d7745d0713a8042cbc
IMPhash: 1ea3557620b62cbf9ddd777bbbc69c45
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.Foreign.1
AV Dr. Web: BackDoor.Andromeda.404
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Foreign.1
AV BullGuard: Trojan.Foreign.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): Trojan.Badur
AV CAT (quickheal): Trojan.Generic.B4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Badur.Win32.3248
AV Emsisoft: Trojan.Foreign.1
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.QYOC-2609
AV MalwareBytes: no_virus
AV MicroWorld (escan): Trojan.Foreign.1
AV Microsoft Security Essentials: Worm:Win32/Gamarue.AU
AV K7: Trojan ( 0049dbdb1 )
AV BitDefender: Trojan.Foreign.1
AV Fortinet: W32/CPacker.G!tr
AV Symantec: no_virus
AV Grisoft (avg): Crypt3.AFKS
AV Eset (nod32): Win32/Kryptik.CGZQ
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Ad-Aware: Trojan.Foreign.1
AV Twister: Trojan.Generic.smjv
AV Avira (antivir): TR/Kryptik.opoz
AV Mcafee: PWSZbot-FAVF!45AD57F86776

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe
Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Creates File: \Device\Afd\Endpoint
Winsock DNS: mdutmte.in
Winsock DNS: mdutmta.in

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Creates File: \Device\Afd\Endpoint
Deletes File: C:\0EF114~1.EXE
Winsock DNS: mdutmte.in
Winsock DNS: mdutmta.in

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.158
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.190
DNS: update.microsoft.com (Type: A)
DNS: mdutmta.in (Type: A)
DNS: mdutmte.in (Type: A)
Flows TCP: 192.168.1.1:1036 ➝ 65.55.50.158:80
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1057 ➝ 76.84.81.120:443
Flows TCP: 192.168.1.1:1041 ➝ 65.55.50.158:80
Flows UDP: 192.168.1.1:1042 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1044 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
