Analysis Date: 2016-02-17 00:56:44
MD5: 1843cfb169d1e292a15fd36aa6a5d6c9
SHA1: 325352c49fda24b4d4331c8dc148edb6ac12a9e8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: fc4a1907cee79cdf352dca002e41d22b sha1: 3ca67df88e90448f93c95764da38e8c4ba8c9806 size: 28672
Section .rdata: md5: 44ef8689175adec7e3e9779feac7bb2d sha1: 41bfab66085530288fb3cd4b23d8e4d5dc2dd427 size: 47616
Section .data: md5: 0980f82560a684dc24efc0d3bd6dc204 sha1: 5760cceb9b935114bf9203346c596865c6baee99 size: 5120
Section .reloc: md5: 5c2d8ce13ce90eb71ce34a2d0e2b48de sha1: b16affb931ad5cdb608d00b393dc258a328e1aa8 size: 3584
Timestamp: 2016-02-09 11:45:15
Packer: Microsoft Visual C++ ?.?
PEhash: 3d6d24650308f089eee47918bfc470fbf040b29a
IMPhash: 218e9328231c8cd3fe93e3d60d413b44
AV CA (E-Trust Ino): Gen:Variant.Razy.14372
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Crypt.Xpack.396701
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.14372
AV Alwil (avast): Dorder-U [Trj]
AV Eset (nod32): Win32/Kryptik.ENLA
AV Grisoft (avg): Crypt5.AHSM
AV Symantec: No Virus
AV Fortinet: W32/Yakes.ENLA!tr
AV BitDefender: Gen:Variant.Razy.14372
AV K7: Trojan ( 004ddef21 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Gen:Variant.Razy.14372
AV MalwareBytes: Trojan.Dropper
AV Authentium: No Virus
AV Emsisoft: Gen:Variant.Razy.14372
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Zillya!: Trojan.Yakes.Win32.46330
AV Kaspersky: Trojan.Win32.Yakes.ozdw
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Razy.14372
AV Arcabit (arcavir): Gen:Variant.Razy.14372
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.23342
AV F-Secure: Gen:Variant.Razy.14372

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\114953
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\325352~1.EXE
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: ringplanet.eu
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org Type: A ➝ 130.236.254.17
DNS europe.pool.ntp.org Type: A ➝ 149.18.38.230
DNS europe.pool.ntp.org Type: A ➝ 212.113.190.2
DNS europe.pool.ntp.org Type: A ➝ 77.37.6.59
DNS north-america.pool.ntp.org Type: A ➝ 108.61.73.244
DNS north-america.pool.ntp.org Type: A ➝ 192.95.25.79
DNS north-america.pool.ntp.org Type: A ➝ 198.55.111.50
DNS north-america.pool.ntp.org Type: A ➝ 108.61.73.243
DNS south-america.pool.ntp.org Type: A ➝ 200.189.40.8
DNS south-america.pool.ntp.org Type: A ➝ 66.60.22.202
DNS south-america.pool.ntp.org Type: A ➝ 192.188.53.26
DNS south-america.pool.ntp.org Type: A ➝ 200.93.227.170
DNS asia.pool.ntp.org Type: A ➝ 202.112.29.82
DNS asia.pool.ntp.org Type: A ➝ 211.233.40.78
DNS asia.pool.ntp.org Type: A ➝ 218.189.210.4
DNS asia.pool.ntp.org Type: A ➝ 128.199.87.155
DNS oceania.pool.ntp.org Type: A ➝ 203.56.27.253
DNS oceania.pool.ntp.org Type: A ➝ 103.242.68.69
DNS oceania.pool.ntp.org Type: A ➝ 103.242.70.5
DNS oceania.pool.ntp.org Type: A ➝ 121.0.0.41
DNS africa.pool.ntp.org Type: A ➝ 41.79.80.34
DNS africa.pool.ntp.org Type: A ➝ 41.231.7.85
DNS africa.pool.ntp.org Type: A ➝ 146.231.129.86
DNS africa.pool.ntp.org Type: A ➝ 197.157.194.21
DNS pool.ntp.org Type: A ➝ 198.55.111.5
DNS pool.ntp.org Type: A ➝ 208.75.88.4
DNS pool.ntp.org Type: A ➝ 24.56.178.140
DNS pool.ntp.org Type: A ➝ 66.228.59.187
DNS microsoft.com Type: A ➝ 23.96.52.53
DNS microsoft.com Type: A ➝ 23.100.122.175
DNS microsoft.com Type: A ➝ 104.40.211.35
DNS microsoft.com Type: A ➝ 104.43.195.251
DNS microsoft.com Type: A ➝ 191.239.213.197
DNS ringplanet.eu Type: A
Flows UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1044 ➝ 23.96.52.53:80
Flows UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1046 ➝ 8.8.4.4:53
