Analysis Date: 2015-11-14 20:37:10
MD5: 986321a5914f4c0e280531d3a78624f5
SHA1: 4b9d8fe6d78eb2ba60e08e17679343b9f37c3861

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 9dcfe382353271e92f7a987e0605ccaf  sha1: 909554bd8e0d807e77ac93b705a07c4cd9db8ec9  size: 29696
Section .rdata  md5: f2497182928ed54e3c4b34072497fa5b  sha1: 448f20e90ae75beb813a26c12b9e257e6b1bd39f  size: 15872
Section .data   md5: f3bc92df16ab01d86de1e4d1bf87e463  sha1: 6a16472b8ca7377066397b28fc02ca2b927e8f3f  size: 3584
Section .veywb  md5: 8e0261c5048bea5b05ba9903ad1b6228  sha1: 2e4a5e8663f9e5ff497a01a66e32b48374b84778  size: 31232
Section .reloc  md5: 023fb69cc2ce64a4447b5108124b364c  sha1: bb0a41b3897431b1ad40e40c4082a722d0ab1af2  size: 4096
Timestamp: 2015-11-04 18:00:08
Packer: Microsoft Visual C++ ?.?
PEhash: 2a456e0229764bfc5b2291f0ec048d3acaa9a46e
IMPhash: 12c0745368cf9731a611e73c2d6a6df0
AV F-Secure: Gen:Variant.Kazy.764156
AV Authentium: W32/S-d1a8399f!Eldorado
AV MalwareBytes: Worm.Gamarue
AV Dr. Web: Trojan.DownLoader17.40933
AV Grisoft (avg): Crypt_s.JVY
AV Eset (nod32): Win32/Kryptik.EDPJ
AV MicroWorld (escan): Gen:Variant.Kazy.764156
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Twister: no_virus
AV BitDefender: Gen:Variant.Kazy.764156
AV Avira (antivir): TR/Crypt.Xpack.313872
AV Alwil (avast): Rootkit-gen [Rtk]
AV Fortinet: W32/Kryptik.EDPJ!tr
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.764156
AV Mcafee: no_virus
AV Ad-Aware: Gen:Variant.Kazy.764156
AV Symantec: no_virus
AV K7: Trojan ( 004d5ff11 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Kazy.764156
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.764156
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\113000
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org         Type: A  82.197.164.46
DNS europe.pool.ntp.org         Type: A  144.76.117.245
DNS europe.pool.ntp.org         Type: A  188.227.227.31
DNS europe.pool.ntp.org         Type: A  193.224.65.146
DNS north-america.pool.ntp.org  Type: A  209.244.0.4
DNS north-america.pool.ntp.org  Type: A  97.107.129.217
DNS north-america.pool.ntp.org  Type: A  128.138.141.172
DNS north-america.pool.ntp.org  Type: A  204.2.134.163
DNS south-america.pool.ntp.org  Type: A  200.189.40.8
DNS south-america.pool.ntp.org  Type: A  200.89.75.197
DNS south-america.pool.ntp.org  Type: A  200.93.227.170
DNS south-america.pool.ntp.org  Type: A  200.160.7.193
DNS asia.pool.ntp.org           Type: A  129.250.35.250
DNS asia.pool.ntp.org           Type: A  157.7.152.213
DNS asia.pool.ntp.org           Type: A  218.189.210.3
DNS asia.pool.ntp.org           Type: A  106.247.248.106
DNS oceania.pool.ntp.org        Type: A  203.23.237.200
DNS oceania.pool.ntp.org        Type: A  54.252.161.68
DNS oceania.pool.ntp.org        Type: A  103.239.8.22
DNS oceania.pool.ntp.org        Type: A  202.22.158.31
DNS africa.pool.ntp.org         Type: A  197.84.150.123
DNS africa.pool.ntp.org         Type: A  41.78.128.17
DNS africa.pool.ntp.org         Type: A  41.231.53.4
DNS africa.pool.ntp.org         Type: A  168.167.71.131
DNS pool.ntp.org                Type: A  50.116.38.157
DNS pool.ntp.org                Type: A  69.28.90.107
DNS pool.ntp.org                Type: A  204.9.54.119
DNS pool.ntp.org                Type: A  208.53.158.34
DNS microsoft.com               Type: A  134.170.185.46
DNS microsoft.com               Type: A  134.170.188.221
DNS outsphere.com               Type: A
Flows UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1044 ➝ 134.170.185.46:80
Flows UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1046 ➝ 8.8.4.4:53
