Analysis Date: 2015-11-25 05:34:36
MD5: e8894482c6999ffb63a38edb467bf81f
SHA1: 4734ef3f6d1b68567e5915dcdbaaa558cbdc98ba

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 28714dc2b65c022697a2303a74ca1e79 sha1: 771201c70602c5e75ba44c5e1a2892fce7dcdc75 size: 29184
Section .rdata: md5: b1add3297c44a78cf6664ffa73d36236 sha1: 64b71910c707db58547c4484fe5b9dd3571ec945 size: 24576
Section .data: md5: d4b46e04d3f9904cb89a3f55a0a4ef74 sha1: d25cced517c2e2389699ba3f130b5716ba86b76b size: 24576
Timestamp: 2015-11-06 16:37:59
Packer: Microsoft Visual C++ ?.?
PEhash: 809e8b48c01b0130270673d9c567026eca113df6
IMPhash: 4bc0ff997ec6b00a7cb79ac9c2bfef90
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): no_virus
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.766176
AV Alwil (avast): Dorder-D [Trj]
AV Eset (nod32): Win32/Kryptik.EDYF
AV Grisoft (avg): Crypt5.KAJ
AV Symantec: no_virus
AV Fortinet: W32/Androm.IPWE!tr.bdr
AV BitDefender: Gen:Variant.Kazy.766176
AV K7: Trojan ( 004d66231 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Gen:Variant.Kazy.766176
AV MalwareBytes: Trojan.MalPack
AV Authentium: W32/Trojan.KHQG-2123
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Kazy.766176
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.ipwe
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.766176
AV Arcabit (arcavir): Gen:Variant.Kazy.766176
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.48925
AV F-Secure: Gen:Variant.Kazy.766176
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\115671
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org (Type: A): 178.79.160.57
DNS europe.pool.ntp.org (Type: A): 88.157.128.22
DNS europe.pool.ntp.org (Type: A): 144.76.172.53
DNS europe.pool.ntp.org (Type: A): 157.161.57.2
DNS north-america.pool.ntp.org (Type: A): 198.110.48.12
DNS north-america.pool.ntp.org (Type: A): 216.244.65.162
DNS north-america.pool.ntp.org (Type: A): 96.44.142.5
DNS north-america.pool.ntp.org (Type: A): 129.6.15.29
DNS south-america.pool.ntp.org (Type: A): 186.71.75.78
DNS south-america.pool.ntp.org (Type: A): 190.15.128.72
DNS south-america.pool.ntp.org (Type: A): 200.186.125.195
DNS south-america.pool.ntp.org (Type: A): 201.49.148.135
DNS asia.pool.ntp.org (Type: A): 116.58.172.182
DNS asia.pool.ntp.org (Type: A): 157.7.203.102
DNS asia.pool.ntp.org (Type: A): 60.56.214.78
DNS asia.pool.ntp.org (Type: A): 92.61.176.134
DNS oceania.pool.ntp.org (Type: A): 54.252.165.245
DNS oceania.pool.ntp.org (Type: A): 103.242.68.68
DNS oceania.pool.ntp.org (Type: A): 103.242.70.4
DNS oceania.pool.ntp.org (Type: A): 130.102.2.123
DNS africa.pool.ntp.org (Type: A): 41.79.80.34
DNS africa.pool.ntp.org (Type: A): 41.231.53.4
DNS africa.pool.ntp.org (Type: A): 146.231.129.86
DNS africa.pool.ntp.org (Type: A): 41.73.42.22
DNS pool.ntp.org (Type: A): 204.2.134.164
DNS pool.ntp.org (Type: A): 4.53.160.75
DNS pool.ntp.org (Type: A): 66.219.116.140
DNS pool.ntp.org (Type: A): 66.228.59.187
DNS microsoft.com (Type: A): 23.100.122.175
DNS microsoft.com (Type: A): 104.40.211.35
DNS microsoft.com (Type: A): 104.43.195.251
DNS microsoft.com (Type: A): 191.239.213.197
DNS microsoft.com (Type: A): 23.96.52.53
DNS outsphere.com (Type: A)
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.100.122.175:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
