Analysis Date: 2015-11-17 21:49:16
MD5: d4602f08a2c11ba554906bf15f20c6c4
SHA1: 752a4716da3b35687cf01d2fba7ef2fb55c588b1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 3a054c145ffb4a548f16f29beaad5fd8 sha1: 5ef2ca4f62cd1b273e345a08c5179207fc011e34 size: 32256
Section .rdata: md5: 57bdd50a195c8a335fb24c15ff65c7af sha1: f4e05e876f3715aa95a62c05e8277b605f75ced9 size: 7680
Section .data: md5: cd998b83bda03498c3f5f819b6aead43 sha1: e33148a0a22b510c6bc653d83588dedef135a3d0 size: 24576
Section .rsrc: md5: e55e3312b84475cabfde5a148d92d71b sha1: b35395d8235d0ccf593aa86e6e18ed8f72fba02d size: 215552
Timestamp: 2015-06-19 14:08:28
Version:
  LegalCopyright: © 2009-2011 Dexpot GbR
  InternalName: updexer
  FileVersion: 1.01
  CompanyName: Dexpot GbR
  ProductName: Updexer
  ProductVersion: 1.01
  FileDescription: Updating your Dexpot since 2009
  OriginalFilename: updexer.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 0f57bb124ecec95d383c303be54dbb8063a63bcc
IMPhash: a50ba6d07f9356b2bab8a6d4ae5d6dda
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Dropper.A.6037
AV Twister: Trojan.DOMG.vngd
AV Ad-Aware: Gen:Variant.Symmi.52240
AV Alwil (avast): Dropper-gen [Drp]
AV Eset (nod32): Win32/Kryptik.DMWK
AV Grisoft (avg): Crypt4.AXSN
AV Symantec: no_virus
AV Fortinet: W32/Kryptik.DONG!tr
AV BitDefender: Gen:Variant.Symmi.52240
AV K7: Trojan ( 004c656d1 )
AV Microsoft Security Essentials: Trojan:Win32/Bagsu!rfn
AV MicroWorld (escan): Gen:Variant.Symmi.52240
AV MalwareBytes: Trojan.Upatre
AV Authentium: W32/Trojan.HFQC-9038
AV Frisk (f-prot): W32/Trojan3.QLM
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Symmi.52240
AV Zillya!: Tool.InstallCore.Win32.24
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): Ransom.Cryptodef.S4
AV VirusBlokAda (vba32): Backdoor.Androm
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.52240
AV Arcabit (arcavir): Gen:Variant.Symmi.52240
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Panda.8087
AV F-Secure: Gen:Variant.Symmi.52240

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\~
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Deletes File: C:\malware.exe
Winsock DNS: kds.pilenga.net
Winsock DNS: sfss.cfsa.it
Winsock DNS: update.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.157
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.189
DNS: update.microsoft.com (Type: A)
DNS: sfss.cfsa.it (Type: A)
DNS: kds.pilenga.net (Type: A)
Flows: UDP 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows: TCP 192.168.1.1:1037 ➝ 65.55.50.157:80
Flows: UDP 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows: UDP 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows: UDP 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows: UDP 192.168.1.1:1041 ➝ 8.8.4.4:53
