Analysis Date: 2015-11-25 06:43:34
MD5: f607cfff410f7e0b82906337db4e4c14
SHA1: 72a16f369995eb8b6464d4638240476530c673d3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 63c517c55505640ab7020c93bc5eb50c sha1: 2204bb5535fc8020d1a0beb52418be3a8507c96a size: 29184
Section .rdata: md5: c6bbbd12ceb8a2c9953341c12c8ac800 sha1: e18fabbd69bd907361019cab38554b842739e709 size: 33792
Section .data: md5: 2f082f6fdcf6767b8fa11a47b293233e sha1: 9caaa9b3406a3475485c35815578b7c7d70705ba size: 15872
Timestamp: 2015-11-06 13:45:48
Packer: Microsoft Visual C++ ?.?
PEhash: af8b3f2b0cb300dc0123e921c50b11da71bfa318
IMPhash: 4bc0ff997ec6b00a7cb79ac9c2bfef90
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/AD.Gamarue.Y.1603
AV Twister: no_virus
AV Ad-Aware: Trojan.GenericKD.2854252
AV Alwil (avast): Dorder-D [Trj]
AV Eset (nod32): Win32/Kryptik.EDYF
AV Grisoft (avg): Crypt_r.AJS
AV Symantec: Trojan.Gen.2
AV Fortinet: W32/Androm.EDYF!tr.bdr
AV BitDefender: Trojan.GenericKD.2854252
AV K7: Trojan ( 004d66231 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Trojan.GenericKD.2854252
AV MalwareBytes: no_virus
AV Authentium: W32/Trojan.WJKP-2607
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Trojan.GenericKD.2854252
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.ipxy
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.2854252
AV Arcabit (arcavir): Trojan.GenericKD.2854252
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.48840
AV F-Secure: Trojan.GenericKD.2854252
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\110218
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
