Analysis Date: 2015-12-19 01:40:59
MD5: 654c94b0f51952c170cb3f143acfd2c6
SHA1: 12102c134c8db0273b482305558af2da9c965cf6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 2339f1e9d68400ad75e1dbde743b5ffb sha1: b14877dd1b747e95aca2911c90138084c5c90481 size: 195072
Section .rdata md5: 42e0a08420c451590237397765fbb000 sha1: a942b874a84ab6d4615b18333de7aa687670a9bb size: 15360
Section .data  md5: c31f0760f93b61cc224e372e0d7629ae sha1: 1f7c07549c9ebf916c129cf1bf2d102522a0aef8 size: 17920
Section .rsrc  md5: c2fd1c0aada8a64983d9a12672d5beed sha1: 83aaa21152cd38d30cc61a9922a07b22233f799b size: 73216
Timestamp: 2015-10-18 12:35:20
Version:
  LegalCopyright: © Microsoft Corporation. All rights reserved.
  InternalName: dpnsvr.exe
  FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
  CompanyName: Microsoft Corporation
  ProductName: Microsoft® Windows® Operating System
  ProductVersion: 6.1.7600.16385
  FileDescription: Microsoft DirectPlay8 Server
  OriginalFilename: dpnsvr.exe
Packer: Microsoft Visual C++ ?.?
PEhash: fe7a2275fc1b78258f9caf12b1431adff25bc47a
IMPhash: 5e26ed349a496419b84cd75bd009e6b4
AV Alwil (avast): Androp [Drp]
AV MalwareBytes: Trojan.FakeMS
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Eset (nod32): Win32/Kryptik.EBDN
AV Avira (antivir): TR/Crypt.Xpack.302339
AV Grisoft (avg): Crypt_r.AER
AV Symantec: Backdoor.Trojan
AV MicroWorld (escan): Trojan.Lethic.Gen.9
AV Kaspersky: Backdoor.Win32.Ruskill.aayt
AV Ad-Aware: Trojan.Lethic.Gen.9
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo
AV Ikarus: Worm.Win32.Dorkbot
AV BullGuard: Trojan.Lethic.Gen.9
AV Emsisoft: Trojan.Lethic.Gen.9
AV Rising: no_virus
AV Twister: no_virus
AV Zillya!: Backdoor.Androm.Win32.29383
AV Dr. Web: BackDoor.IRC.NgrBot.42
AV Fortinet: W32/Kryptik.EASA!tr
AV ClamAV: no_virus
AV CAT (quickheal): Backdoor.Androm.r4
AV Authentium: W32/Trojan.BDHC-5563
AV CA (E-Trust Ino): no_virus
AV Mcafee: RDN/Generic BackDoor
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Lethic.Gen.9
AV Trend Micro: no_virus
AV BitDefender: Trojan.Lethic.Gen.9
AV Arcabit (arcavir): Trojan.Lethic.Gen.9
AV K7: Trojan ( 004d46711 )

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\117109
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: and12.thesuchivestfishmarketeat111.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 191.239.213.197:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
