Analysis Date: 2016-02-04 22:21:03
MD5: 2f8baa7559176e4ce6559397707762dc
SHA1: 4a9cc6395dd7f7644517d096fdaf7e342fd1199c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 26d28c60625a77f7b2d9ff7c1198bab8  sha1: 7e3537a26f2e381743f1470a98090a8ef68ef17e  size: 52224
Section .rdata  md5: fe4ae5d2aa29037488c239722544fa91  sha1: 953351b9571bd69da53b38fea39461ef5baa661e  size: 52224
Section .data   md5: dcedcdc360da7aa1ee77f309b3802af7  sha1: c0db26fae3c67ab6dda0feaf8d9b82162702b2cd  size: 4608
Section .rey    md5: 0f343b0931126a20f133d67c2b018a3b  sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8  size: 1024
Section .rsrc   md5: bf619eac0cdf3f68d496ea9344137e8b  sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5  size: 512
Section .reloc  md5: 89d057729fa7f900e72b983ad184772d  sha1: e82bbb22cd2875addcfa5156ce88b4d227adad86  size: 4608
Timestamp: 2016-02-02 19:15:13
Packer: Microsoft Visual C++ ?.?
PEhash: fafa933781a3f8d11144e38643dae085d1cd80a4
IMPhash: a5528fce563eaa94bfe7770a7161d7c7
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Crypt.Xpack.441693
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.11615
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.BD
AV Grisoft (avg): Crypt_r.AXR
AV Symantec: No Virus
AV Fortinet: W32/Yakes.BD!tr
AV BitDefender: Gen:Variant.Razy.11615
AV K7: No Virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): No Virus
AV MalwareBytes: Ransom.FileLocker
AV Authentium: No Virus
AV Emsisoft: Gen:Variant.Razy.11615
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Yakes
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Yakes.oxfj
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): Worm.Gamarue.WR6
AV BullGuard: Gen:Variant.Razy.11615
AV Arcabit (arcavir): Gen:Variant.Razy.11615
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.16652
AV F-Secure: Gen:Variant.Razy.11615
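Triage note on the section table above: the .rey (1024 bytes) and .rsrc (512 bytes) digests are the MD5/SHA1 of all-zero blocks of exactly those sizes, so both sections are empty on disk and are typically reserved for data the stub writes at run time. The Python below is an added check, not part of this report or of the sample: it recomputes zero-block digests for every listed section, and also walks a PE section table directly so the same test can be run on a file. The build_minimal_pe() helper produces a constructed, non-loadable PE32 blob used only to exercise the parser offline; REPORT_SECTIONS is copied from the table above.

```python
import hashlib
import struct

# Section table as printed in the report above: (name, size, md5, sha1).
REPORT_SECTIONS = [
    (".text",  52224, "26d28c60625a77f7b2d9ff7c1198bab8", "7e3537a26f2e381743f1470a98090a8ef68ef17e"),
    (".rdata", 52224, "fe4ae5d2aa29037488c239722544fa91", "953351b9571bd69da53b38fea39461ef5baa661e"),
    (".data",   4608, "dcedcdc360da7aa1ee77f309b3802af7", "c0db26fae3c67ab6dda0feaf8d9b82162702b2cd"),
    (".rey",    1024, "0f343b0931126a20f133d67c2b018a3b", "60cacbf3d72e1e7834203da608037b1bf83b40e8"),
    (".rsrc",    512, "bf619eac0cdf3f68d496ea9344137e8b", "5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5"),
    (".reloc",  4608, "89d057729fa7f900e72b983ad184772d", "e82bbb22cd2875addcfa5156ce88b4d227adad86"),
]


def zero_block_digests(size):
    """MD5 and SHA1 of `size` NUL bytes, the digests a sandbox prints for an empty section."""
    buf = b"\x00" * size
    return hashlib.md5(buf).hexdigest(), hashlib.sha1(buf).hexdigest()


def find_zero_filled_sections(sections):
    """Names of sections whose MD5 *and* SHA1 equal those of a zero block of the same size."""
    return [name for name, size, md5, sha1 in sections
            if (md5, sha1) == zero_block_digests(size)]


def sections_from_pe_bytes(data):
    """Walk a PE section table and return (name, SizeOfRawData, md5, sha1) per section.

    Only the fields needed for the check are parsed; the optional header is skipped
    via SizeOfOptionalHeader, so PE32 and PE32+ are both handled.
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]                   # truncated files give a short slice
        out.append((name.rstrip(b"\x00").decode("ascii", "replace"), raw_size,
                    hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()))
    return out


def build_minimal_pe(sections):
    """Constructed test fixture (assumption, not a real sample): a minimal, non-loadable
    PE32 blob with the given (name, raw_bytes) sections, raw data aligned to 512 bytes."""
    pe_off = 0x40
    opt = struct.pack("<H", 0x10B) + b"\x00" * 222               # PE32 magic, rest zero
    headers_end = pe_off + 4 + 20 + len(opt) + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF
    table, body = b"", b""
    for name, raw in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/lines, flags
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(raw), 0x1000,
                             len(raw), raw_base + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", pe_off)       # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    blob = dos + b"PE\x00\x00" + coff + opt + table
    return blob + b"\x00" * (raw_base - len(blob)) + body


if __name__ == "__main__":
    import sys
    print("zero-filled in report:", find_zero_filled_sections(REPORT_SECTIONS))
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "zero-filled:", find_zero_filled_sections(sections_from_pe_bytes(f.read())))
```

Run with one or more file paths to apply the same check to samples on disk. Requiring both digests to match avoids a false hit from a single-hash coincidence; a section that hashes to zeros but has a non-zero VirtualSize is the one to watch in a memory dump.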

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\114062
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\4A9CC6~1.EXE
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: ringplanet.eu
Winsock DNS: europe.pool.ntp.org
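The registry writes above are the footprint a detection engineer would key on: an autorun under Policies\Explorer\Run with a purely numeric value name pointing at msvgqh.exe dropped in the All Users profile, the per-user Windows NT\CurrentVersion\Windows\Load value, TaskbarNoNotification set to 1, and a write to ShowSuperHidden, all made from the spawned msiexec.exe. The Python below is an added example, not code from this report: it runs those checks over constructed Sysmon-style registry value-set events (the first four mirror the writes above; the fifth is a benign control) and lists the rules each one triggers. The rule names, event field layout and sample events are assumptions for illustration.

```python
import re

# Constructed Sysmon-style registry value-set events (Event ID 13). They are not
# taken from the sandbox output; the first four mirror the writes it reports
# (attributed to the spawned msiexec.exe), the fifth is a benign control.
SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\system32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\317606753",
     "Details": r"C:\Documents and Settings\All Users\msvgqh.exe"},
    {"Image": r"C:\WINDOWS\system32\msiexec.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     "Details": ""},
    {"Image": r"C:\WINDOWS\system32\msiexec.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\WINDOWS\system32\msiexec.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Program Files\Example\setup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\Example\updater.exe"},
]


def dword(details):
    """Extract the integer from Sysmon's 'DWORD (0x........)' rendering, else None."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None


# (rule name, key pattern, optional predicate on the written value)
KEY_RULES = [
    ("policies_explorer_run",
     re.compile(r"\\Policies\\Explorer\\Run\\[^\\]+$", re.I), None),
    ("windows_load_value",
     re.compile(r"\\Windows NT\\CurrentVersion\\Windows\\Load$", re.I), None),
    ("taskbar_notifications_suppressed",
     re.compile(r"\\Policies\\Explorer\\TaskbarNoNotification$", re.I), lambda d: dword(d) == 1),
    ("showsuperhidden_changed",
     re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I), None),
]

# Any autorun location covered above, for the secondary checks on name, target and writer.
AUTORUN_KEY = re.compile(
    r"\\CurrentVersion\\(Policies\\Explorer\\)?Run\\[^\\]+$|\\Windows NT\\CurrentVersion\\Windows\\Load$", re.I)
NUMERIC_VALUE_NAME = re.compile(r"\\Run\\\d+$")
# 'All Users' is the XP-era shared profile; ProgramData is its Vista+ equivalent.
ALL_USERS_EXE = re.compile(r"\\(All Users|ProgramData)\\[^\\]+\.exe", re.I)


def evaluate(event):
    """Return the list of rule names the event triggers (empty for benign events)."""
    target = event["TargetObject"]
    details = event.get("Details", "") or ""
    image = event.get("Image", "").lower()
    hits = [name for name, key_re, ok in KEY_RULES
            if key_re.search(target) and (ok is None or ok(details))]
    if AUTORUN_KEY.search(target):
        if NUMERIC_VALUE_NAME.search(target):
            hits.append("autorun_numeric_value_name")
        if ALL_USERS_EXE.search(details):
            hits.append("autorun_target_in_all_users")
        if image.endswith("\\msiexec.exe"):      # the installer host writing an autorun
            hits.append("autorun_written_by_msiexec")
    return hits


def scan(events):
    """(TargetObject, hits) for every event that triggers at least one rule."""
    return [(e["TargetObject"], h) for e in events if (h := evaluate(e))]


if __name__ == "__main__":
    for target, hits in scan(SAMPLE_EVENTS):
        print(target, "->", ", ".join(hits))
```

TaskbarNoNotification and ShowSuperHidden are legitimate Explorer policy values that Group Policy can also set, so treat those two rules as corroboration for the autorun hits rather than as alerts on their own; the Policies\Explorer\Run location, a numeric value name and a target in the shared profile are the strong signals here.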

Network Details:

DNS europe.pool.ntp.org (A): 83.170.1.42, 193.27.209.211, 37.187.107.140, 82.78.227.6
DNS north-america.pool.ntp.org (A): 198.60.22.240, 45.79.111.114, 66.232.97.8, 69.164.194.139
DNS south-america.pool.ntp.org (A): 200.160.7.193, 200.192.232.8, 201.49.148.135, 164.73.227.4
DNS asia.pool.ntp.org (A): 220.231.122.105, 31.193.144.2, 157.7.235.92, 211.233.40.78
DNS oceania.pool.ntp.org (A): 103.242.70.4, 121.0.0.42, 202.22.158.30, 103.242.68.69
DNS africa.pool.ntp.org (A): 196.10.55.57, 41.73.42.10, 41.78.128.17, 41.79.80.34
DNS pool.ntp.org (A): 104.236.167.15, 198.55.111.50, 199.102.167.190, 97.107.129.217
DNS microsoft.com (A): 104.40.211.35, 104.43.195.251, 191.239.213.197, 23.96.52.53, 23.100.122.175
DNS ringplanet.eu (A): (no answer)
Flows UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1044 ➝ 104.40.211.35:80
Flows UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1046 ➝ 8.8.4.4:53
