Analysis Date: 2015-11-25 08:16:09
MD5: 3c631c0c0e8ed2b2975055eff0f11918
SHA1: 50bd1b598bd0feab83a8db496ab73cf5581daa98

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e244d162885b73da8ede759bdf75b269 sha1: 353f0f54f0b0039c2f679b9263eab8748e23c97a size: 29184
Section .rdata: md5: 93620b1af2d97a5fd157a8b2d64a65ae sha1: 8c470009875c296b3a7627fd5b9969a9acd55b72 size: 24064
Section .data: md5: db53ece319aebfeb27fedfbabc984864 sha1: 11565e88c30905c17801f13c9b0ab5162bd9de45 size: 25600
Timestamp: 2015-11-06 12:31:01
Packer: Microsoft Visual C++ ?.?
PEhash: 28d03d052de30af019c93b0d481e1d221809342e
IMPhash: 4bc0ff997ec6b00a7cb79ac9c2bfef90
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.204406
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.766176
AV Alwil (avast): Dorder-D [Trj]
AV Eset (nod32): Win32/Kryptik.EDYF
AV Grisoft (avg): Crypt_r.AJS
AV Symantec: no_virus
AV Fortinet: W32/Androm.EDYF!tr.bdr
AV BitDefender: Gen:Variant.Kazy.766176
AV K7: Trojan ( 004d64c11 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.766176
AV MalwareBytes: Trojan.MalPack
AV Authentium: W32/Trojan.ZOFC-1117
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Kazy.766176
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.iqbw
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.766176
AV Arcabit (arcavir): Gen:Variant.Kazy.766176
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.49892
AV F-Secure: Gen:Variant.Kazy.766176
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\748546
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
