Analysis Date: 2015-11-24 19:06:06
MD5: ccc49877a9f680de381f6058cafadcce
SHA1: 43dc61b6de7a3a8514470bba7763f569a83ddb63

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: fab5cf99d938e964adb90be12d4629e2  sha1: 1dc6add2f578f6f463f8242a7cb4f1c3b1d4bf03  size: 30720
Section .rdata  md5: a49e1d070d4d78c07ee16802a8427302  sha1: 0e9b226de0006a0d6e60817ee41887eba3b06d27  size: 14848
Section .data   md5: 428e6dded81dd4e6ce78c4871d10defb  sha1: c75fadf2195833c5e2fd629285cd4d22e8151eb9  size: 3072
Section .bnert  md5: dc12bb69c621b9a34781f29c0917cdd7  sha1: 09e261a01678f167dd16acc81cb7cad0f03f234a  size: 31232
Section .reloc  md5: 61ca30e1e61a5b3fc08998fc39b0f0d6  sha1: 9b3fa3aae98e448fcd27592b88d442ef4a1b78ef  size: 4096
Timestamp: 2015-11-06 05:38:07
Packer: Microsoft Visual C++ ?.?
PEhash: b668734eacb9cabfd1c9e0738277b1c933f263e0
IMPhash: 4296eaa0bac0fa50f53e3dca801fef5d
AV F-Secure: Gen:Variant.Kazy.764156
AV Authentium: W32/S-d1a8399f!Eldorado
AV MalwareBytes: Trojan.Injector
AV Dr. Web: Trojan.DownLoader17.41409
AV Grisoft (avg): Crypt5.JWH
AV Eset (nod32): Win32/Kryptik.EDUK
AV MicroWorld (escan): Gen:Variant.Kazy.764156
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Gen:Variant.Kazy.764156
AV BitDefender: Gen:Variant.Kazy.764156
AV Avira (antivir): TR/Crypt.Xpack.315642
AV Alwil (avast): Dorder-D [Trj]
AV Fortinet: W32/Kryptik.EEAE!tr
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Backdoor.Win32.Androm.ipsg
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.764156
AV Mcafee: no_virus
AV Twister: no_virus
AV Symantec: Trojan.Gen
AV K7: Trojan ( 004d61661 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Kazy.764156
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.764156
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\114484
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.96.52.53:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
