Analysis Date: 2015-11-22 22:01:55
MD5: 1c6fc792a87142eaf650965092bc5c29
SHA1: 1ce2291a3aafa8117ddba18b950c4799921e3278

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: b33bc2e90d685d8cbec37c03888c8feb sha1: e3bffe0429b07871a79034d061382e2bb44ccc9a size: 30720
Section .rdata md5: 95ad29c97e2052780e66fc691d9c8f15 sha1: 4bd8ad0d64328baff7068dade1f43974fa40dede size: 14848
Section .data md5: 428e6dded81dd4e6ce78c4871d10defb sha1: c75fadf2195833c5e2fd629285cd4d22e8151eb9 size: 3072
Section .bnert md5: 7fc54839e4e1764259b16521ae2b2eee sha1: 2959300f3a5132afa336a91d78193df1b28157e8 size: 31232
Section .reloc md5: 61ca30e1e61a5b3fc08998fc39b0f0d6 sha1: 9b3fa3aae98e448fcd27592b88d442ef4a1b78ef size: 4096
Timestamp: 2015-11-05 16:45:06
Packer: Microsoft Visual C++ ?.?
PEhash: b668734eacb9cabfd1c9e0738277b1c933f263e0
IMPhash: 4296eaa0bac0fa50f53e3dca801fef5d
AV F-Secure: Gen:Variant.Kazy.764156
AV Authentium: W32/S-d1a8399f!Eldorado
AV MalwareBytes: Trojan.Injector
AV Dr. Web: Trojan.DownLoader17.41409
AV Grisoft (avg): Crypt5.JWH
AV Eset (nod32): Win32/Kryptik.EDUK
AV MicroWorld (escan): Gen:Variant.Kazy.764156
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Gen:Variant.Kazy.764156
AV BitDefender: Gen:Variant.Kazy.764156
AV Avira (antivir): TR/Crypt.Xpack.317295
AV Alwil (avast): Dorder-D [Trj]
AV Fortinet: W32/Kryptik.EEAE!tr
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Backdoor.Win32.Androm.ipsj
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.764156
AV Mcafee: RDN/Generic BackDoor
AV Twister: no_virus
AV Symantec: Trojan.Gen
AV K7: Trojan ( 004d61661 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Kazy.764156
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.764156
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\113406
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 191.239.213.197:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
