Analysis Date: 2015-11-18 21:49:44
MD5: 40e7fedfe2604131e7d9fe5476cd3de6
SHA1: 705fe670f657bc95860b54cad878df173e12e37a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 1faf67d887fa204793e5643fb8ac0d4c  sha1: 3963f232bde431bb963d64e68d7400e35977b9f6  size: 27648
Section .rdata  md5: 23ccb59321d8db76c95f0840eacb972b  sha1: c8c4798c045325a354208d3943bbe575ae7ffdeb  size: 8704
Section .data   md5: df98fcfc595786fefd62b65dbc8b8525  sha1: 7f26a53c4474b11ff2ab38a02141f1e74b68185a  size: 8704
Section .rdhxdf md5: f0ef21075619217e01b429833aec8af4  sha1: e2267b60193d98f0d533651cdbc6d223190d0821  size: 30720
Section .rsrc   md5: 1e251f71417231406c6c99463364ca79  sha1: 5e5ec87fc4b2cfad39e2593f37f30b89aef31b2c  size: 15360
Section .reloc  md5: 786b5825d8f22b0529433d00a613e56d  sha1: a9b59a7e3daa16e9bd558fffccfccf2ac679f93b  size: 3584
Timestamp: 2015-10-29 02:00:06
Packer: Microsoft Visual C++ ?.?
PEhash: c826ef2bd171712750612b338de485b9fe50370a
IMPhash: cce7119ce3ababcf1c178ddc608a787d
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: GenericR-EYU!40E7FEDFE260
AV Avira (antivir): TR/Dropper.A.16215
AV Twister: Trojan.Girtk.ECOE.ulwm
AV Ad-Aware: Gen:Variant.Zusy.167673
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.ECOE
AV Grisoft (avg): Crypt5.HOU
AV Symantec: Trojan.Gen
AV Fortinet: W32/Kryptik.ECOE!tr
AV BitDefender: Gen:Variant.Zusy.167673
AV K7: Trojan ( 004d575d1 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Gen:Variant.Zusy.167673
AV MalwareBytes: Trojan.Downloader
AV Authentium: W32/Trojan.SYWM-7585
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Zusy.167673
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Yakes.naoy
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): Trojan.Yakes
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.167673
AV Arcabit (arcavir): Gen:Variant.Zusy.167673
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.33388
AV F-Secure: Gen:Variant.Zusy.167673

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\114109
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: europe.pool.ntp.org
Winsock DNS: 1026pro.pw
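The registry and file records above are where the persistence story is: an autorun value under HKLM\...\Policies\Explorer\Run names the same executable the sample dropped into All Users, and the two TaskbarNoNotification writes, the ShowSuperHidden write and the empty Windows NT\CurrentVersion\Windows\Load write only change what the user sees or touch a legacy autostart slot. The following Python triage is an added example, not part of the sandbox's output or of the sample; the autostart-location table and the evasion-value table are this example's own assumptions, and the sample report text is constructed from the records listed above, rendered one record per line.

```python
import re

# Autostart locations (path below the hive, lower-case) read at logon or shell
# start.  Policies\Explorer\Run is the policy-driven run list; the "Load" value
# under Windows NT\CurrentVersion\Windows is the legacy win.ini "load=" entry.
# This table is an assumption of the example, not something the sandbox emits.
AUTOSTART_PREFIXES = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\windows nt\currentversion\windows\load",
    r"software\microsoft\windows nt\currentversion\windows\run",
    r"software\microsoft\windows nt\currentversion\winlogon\shell",
    r"software\microsoft\windows nt\currentversion\winlogon\userinit",
)

# Value names whose only effect is on what the user sees (assumption, as above).
EVASION_VALUES = {
    "showsuperhidden": "display of protected operating-system files",
    "hidden": "display of hidden files",
    "hidefileext": "display of file extensions",
    "taskbarnonotification": "taskbar balloon notifications",
}

# Constructed sample input: the report's registry/file records, one per line.
SAMPLE_REPORT = r"""
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\114109
Deletes File: C:\malware.exe
"""

REG_LINE = re.compile(r"^Registry:\s+(?P<key>.+?)\s+➝\s*(?P<value>.*)$")
FILE_LINE = re.compile(r"^Creates File:\s+(?P<path>.+)$")


def clean_value(raw):
    """Drop the extractor's rendering of a trailing NUL (\\x00) and any quoting."""
    return raw.replace("\\\\x00", "").strip().strip('"')


def classify(key, raw_value):
    hive, _, path = key.partition("\\")
    low = path.lower()
    value_name = low.rsplit("\\", 1)[-1]
    value = clean_value(raw_value)
    if value_name in EVASION_VALUES:
        return {"key": key, "category": "defense_evasion",
                "detail": EVASION_VALUES[value_name], "value": value}
    for prefix in AUTOSTART_PREFIXES:
        if low == prefix or low.startswith(prefix + "\\"):
            detail = "%s autostart" % hive
            if not value:
                detail += " (empty value: location touched, nothing registered)"
            return {"key": key, "category": "persistence",
                    "detail": detail, "value": value}
    return {"key": key, "category": "other", "detail": "", "value": value}


def triage(report_text):
    findings, created = [], set()
    for line in report_text.splitlines():
        line = line.strip()
        m = REG_LINE.match(line)
        if m:
            findings.append(classify(m.group("key"), m.group("value")))
            continue
        m = FILE_LINE.match(line)
        if m:
            created.add(m.group("path").lower())
    # The check an analyst wants: does an autostart entry point at a file this
    # run dropped?  If so, persistence and payload are confirmed together.
    dropped_autostart = [f["value"] for f in findings
                         if f["category"] == "persistence"
                         and f["value"].lower() in created]
    return {"findings": findings, "dropped_autostart": dropped_autostart}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for f in result["findings"]:
        print(f["category"], f["key"], "->", f["value"] or "<empty>", "|", f["detail"])
    print("autostart entries pointing at dropped files:", result["dropped_autostart"])
```

On the report above this yields two persistence findings (the Run entry, which points at the dropped msvgqh.exe, and the empty Load value) and three defence-evasion findings; the empty Load value is reported separately because an autostart location that was written but left empty is worth a second look rather than a dismissal.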

Network Details:

DNS: europe.pool.ntp.org (A) ➝ 81.169.196.230
DNS: europe.pool.ntp.org (A) ➝ 84.27.77.18
DNS: europe.pool.ntp.org (A) ➝ 129.250.35.250
DNS: europe.pool.ntp.org (A) ➝ 37.187.104.44
DNS: north-america.pool.ntp.org (A) ➝ 64.71.128.26
DNS: north-america.pool.ntp.org (A) ➝ 66.135.44.92
DNS: north-america.pool.ntp.org (A) ➝ 66.228.42.59
DNS: north-america.pool.ntp.org (A) ➝ 209.118.204.201
DNS: south-america.pool.ntp.org (A) ➝ 190.181.129.115
DNS: south-america.pool.ntp.org (A) ➝ 200.89.75.197
DNS: south-america.pool.ntp.org (A) ➝ 200.160.7.186
DNS: south-america.pool.ntp.org (A) ➝ 201.217.3.85
DNS: asia.pool.ntp.org (A) ➝ 218.189.210.4
DNS: asia.pool.ntp.org (A) ➝ 220.231.122.99
DNS: asia.pool.ntp.org (A) ➝ 59.149.185.193
DNS: asia.pool.ntp.org (A) ➝ 80.241.0.72
DNS: oceania.pool.ntp.org (A) ➝ 103.242.68.69
DNS: oceania.pool.ntp.org (A) ➝ 130.102.128.23
DNS: oceania.pool.ntp.org (A) ➝ 202.127.210.37
DNS: oceania.pool.ntp.org (A) ➝ 203.97.218.196
DNS: africa.pool.ntp.org (A) ➝ 41.78.128.17
DNS: africa.pool.ntp.org (A) ➝ 196.25.1.5
DNS: africa.pool.ntp.org (A) ➝ 196.43.1.5
DNS: africa.pool.ntp.org (A) ➝ 196.49.6.67
DNS: pool.ntp.org (A) ➝ 138.236.128.36
DNS: pool.ntp.org (A) ➝ 139.162.199.10
DNS: pool.ntp.org (A) ➝ 204.2.134.162
DNS: pool.ntp.org (A) ➝ 96.44.142.5
DNS: microsoft.com (A) ➝ 134.170.188.221
DNS: microsoft.com (A) ➝ 134.170.185.46
DNS: 1026pro.pw (A) ➝ (no address recorded)
Flow UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flow TCP: 192.168.1.1:1044 ➝ 134.170.188.221:80
Flow UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flow UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
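Read together, the network records separate into noise and signal: every pool.ntp.org regional name and microsoft.com resolved, the only non-DNS flow went to an address that microsoft.com resolved to, and the one remaining name, 1026pro.pw, is listed with no address, so it never produced a flow to attribute. The Python below is an added example, not the sandbox's code or the sample's: it correlates the DNS answers with the flows so each flow carries the name(s) behind its destination, and it lists every queried name that is not background infrastructure as a command-and-control candidate whether or not it resolved. The DNS and flow tables are constructed from the records above (a subset of the NTP answers, for brevity), and the list of background suffixes is this example's assumption.

```python
import ipaddress

# Constructed from the report's DNS and flow records (added example, not the
# sandbox's own data structures).  None means the query is listed with no
# address returned.
DNS_ANSWERS = [
    ("europe.pool.ntp.org", "A", "81.169.196.230"),
    ("europe.pool.ntp.org", "A", "84.27.77.18"),
    ("north-america.pool.ntp.org", "A", "64.71.128.26"),
    ("south-america.pool.ntp.org", "A", "190.181.129.115"),
    ("asia.pool.ntp.org", "A", "218.189.210.4"),
    ("oceania.pool.ntp.org", "A", "103.242.68.69"),
    ("africa.pool.ntp.org", "A", "41.78.128.17"),
    ("pool.ntp.org", "A", "138.236.128.36"),
    ("microsoft.com", "A", "134.170.188.221"),
    ("microsoft.com", "A", "134.170.185.46"),
    ("1026pro.pw", "A", None),
]
FLOWS = [
    ("UDP", "192.168.1.1:1043", "8.8.4.4:53"),
    ("TCP", "192.168.1.1:1044", "134.170.188.221:80"),
    ("UDP", "192.168.1.1:1045", "8.8.4.4:53"),
    ("UDP", "192.168.1.1:1046", "8.8.4.4:53"),
]

# Names treated as infrastructure noise rather than as the sample's own
# infrastructure.  This list is an assumption of the example.
BACKGROUND_SUFFIXES = ("pool.ntp.org", "microsoft.com")


def is_background(name):
    n = name.lower()
    return any(n == s or n.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def summarise_dns(dns_answers):
    """Map each queried name to its A answers; an unanswered name keeps an empty list."""
    by_name = {}
    for name, rtype, addr in dns_answers:
        if rtype != "A":
            continue
        by_name.setdefault(name, [])
        if addr:
            by_name[name].append(addr)
    return by_name


def candidate_c2(dns_answers):
    """Every queried name that is not background, resolved or not."""
    return [{"name": n, "resolved": bool(addrs), "addresses": addrs}
            for n, addrs in summarise_dns(dns_answers).items()
            if not is_background(n)]


def label_flows(dns_answers, flows):
    """Attach the name(s) that resolved to each flow's destination and assign a role."""
    ip_to_names = {}
    for name, addrs in summarise_dns(dns_answers).items():
        for a in addrs:
            ip_to_names.setdefault(a, set()).add(name)
    labelled = []
    for proto, src, dst in flows:
        ip, port = split_endpoint(dst)
        names = sorted(ip_to_names.get(ip, ()))
        if proto == "UDP" and port == 53:
            role = "dns"                      # resolver traffic, not the sample's peer
        elif ipaddress.ip_address(ip).is_private:
            role = "lab"                      # stays inside the sandbox network
        elif names and all(is_background(n) for n in names):
            role = "background"               # e.g. the HTTP flow to a microsoft.com address
        elif names:
            role = "c2"                       # destination named by a non-background lookup
        else:
            role = "unattributed"             # no lookup explains this destination
        labelled.append({"proto": proto, "src": src, "dst": dst,
                         "names": names, "role": role})
    return labelled


if __name__ == "__main__":
    for f in label_flows(DNS_ANSWERS, FLOWS):
        print(f["role"], f["proto"], f["dst"], f["names"])
    print("C2 candidates:", candidate_c2(DNS_ANSWERS))
```

For this run the labelled flows come out as three resolver queries and one background HTTP flow, and the only candidate is 1026pro.pw with resolved=False: the domain is still an indicator worth blocking and hunting for, but no flow in the capture can be tied to it, which is the caveat to attach when the sandbox was unable to resolve the name.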
