Analysis Date: 2015-11-24 21:01:23
MD5: e3b51eaff010b9f561b0a491cc7881ff
SHA1: 703230e718ef900e0458442faf742be5e3a78254

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 11d056821c914b0616b79acd5470e86b sha1: 6a03b36b7afeebaf258024b6e2b3d89f8d9c82ba size: 29696
Section .rdata: md5: 6101e40d19e210ee70910bfd973a9f34 sha1: ce2f62f09165204a481e40d6b741faf46eb75147 size: 15872
Section .data: md5: f3bc92df16ab01d86de1e4d1bf87e463 sha1: 6a16472b8ca7377066397b28fc02ca2b927e8f3f size: 3584
Section .veywb: md5: 3ace3171c91ec08a2101340db1cf8048 sha1: e00871a5bc3101cf714325708ee3bf099f70e700 size: 31232
Section .reloc: md5: 023fb69cc2ce64a4447b5108124b364c sha1: bb0a41b3897431b1ad40e40c4082a722d0ab1af2 size: 4096
Timestamp: 2015-11-04 11:45:06
Packer: Microsoft Visual C++ ?.?
PEhash: 2a456e0229764bfc5b2291f0ec048d3acaa9a46e
IMPhash: 12c0745368cf9731a611e73c2d6a6df0
AV CAT (quickheal): no_virus
AV Authentium: W32/S-d1a8399f!Eldorado
AV Grisoft (avg): Crypt_s.JVY
AV MalwareBytes: Worm.Gamarue
AV Eset (nod32): Win32/Kryptik.EDPJ
AV Trend Micro: no_virus
AV Dr. Web: Trojan.DownLoader17.40933
AV CA (E-Trust Ino): no_virus
AV BitDefender: Gen:Variant.Kazy.764156
AV MicroWorld (escan): Gen:Variant.Kazy.764156
AV Avira (antivir): TR/AD.Gamarue.Y.1582
AV Alwil (avast): Dorder-D [Trj]
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Trojan.Win32.Yakes.neql
AV BullGuard: Gen:Variant.Kazy.764156
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.764156
AV F-Secure: Gen:Variant.Kazy.764156
AV Symantec: Trojan.Gen
AV Fortinet: W32/Yakes.NEQL!tr
AV K7: Trojan ( 004d5ff11 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Rising: no_virus
AV Mcafee: RDN/Generic.grp
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.764156
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Kazy.764156
AV Zillya!: no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\112140
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

HTTP POST: http://outsphere.com/wp-content/plugins/xcalendar/data/system4_1030.php
User-Agent: Mozilla/4.0
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1047 ➝ 77.120.113.58:80
Flows UDP: 192.168.1.1:1048 ➝ 8.8.4.4:53
