Analysis Date: 2015-11-18 20:26:52
MD5: 124324e5f2a52395ae4fa5173931a31c
SHA1: 7b53f58fe5f0467265d25fff1aef9c246a27f93e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ddc2bf7b220696a49bf7e15fc9b0fd57 sha1: 6f839c6ecbaaba303eb25f7220f9118d1bc1c4cf size: 28160
Section .rdata md5: 4963847c65e27fd5de15c1a9012d515a sha1: ad4e0d80103d79ae5209822f6621e431d79f4911 size: 14848
Section .data md5: e552a8269be36d8f6c4adbcb755ab7e9 sha1: d3dab3f677ac0f2a952ca0435c02e93b1b98cc4e size: 8704
Section .trhdtr md5: 8324fc82cd0d14029cc087da228b6cf5 sha1: e181b4fbda4dd16c121152233b642bb7a64b59ca size: 31232
Section .rsrc md5: 5451e0d02f40243772d7013cfbebaac7 sha1: 903f3f6ecc80ed7847bea4eacf9bb9d264a03161 size: 17408
Section .reloc md5: 8362179184f5309cf8ce9856b48b1af0 sha1: 4d770dc234534b6edbf0c3d81c1797e37fc9bed9 size: 4096
Timestamp: 2015-10-31 15:30:06
Packer: Microsoft Visual C++ ?.?
PEhash: 51799e600a5386fceb1956addc7007ab3e03cd13
IMPhash: 87dd5c9b4d5a7a0c583ab6a9ee90f872

The Packer field is a compiler/linker signature match (Microsoft Visual C++), not evidence of a commercial packer. The .trhdtr section is not a name the Microsoft toolchain emits and is the largest section in the file (31232 bytes); a non-standard, oversized section in an otherwise MSVC-looking binary is the usual footprint of a crypter stub carrying an encrypted payload, which matches the Kryptik / Crypt.Xpack / Crypt verdicts below.
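To check a sample against the section hashes, sizes and link timestamp listed above, the following added example (not part of the sandbox report) parses the PE section table with the Python standard library only, hashes each section over its raw data the way the report does, and flags section names the Microsoft toolchain does not produce, such as .trhdtr. The STANDARD_SECTIONS list, the odd_sections heuristic and the build_test_pe helper, which assembles a constructed, non-runnable PE32 image so the parser can be exercised without the sample, are this example's own assumptions.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Section names the Microsoft linker emits; anything else deserves a look (assumed list).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss", ".CRT", ".textbss"}


def parse_pe(pe_bytes):
    """Return the link timestamp and per-section hashes of a PE image.

    Each section is hashed over SizeOfRawData bytes starting at PointerToRawData,
    the same bytes a sandbox hashes for its 'Section ... md5/sha1/size' rows,
    so the output can be compared row by row with a report like the one above.
    """
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe_bytes, coff + 2)
    timestamp, = struct.unpack_from("<I", pe_bytes, coff + 4)
    opt_size, = struct.unpack_from("<H", pe_bytes, coff + 16)
    sect_table = coff + 20 + opt_size                    # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = pe_bytes[sect_table + 40 * i:sect_table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        raw = pe_bytes[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "size": raw_size,
                         "md5": hashlib.md5(raw).hexdigest(),
                         "sha1": hashlib.sha1(raw).hexdigest()})
    stamp = datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {"timestamp": stamp, "sections": sections}


def odd_sections(sections):
    """Names no MSVC-built binary would carry, largest section first."""
    odd = [s for s in sections if s["name"] not in STANDARD_SECTIONS]
    return [s["name"] for s in sorted(odd, key=lambda s: -s["size"])]


def build_test_pe(sections, timestamp):
    """Constructed, non-runnable PE32 image used only to exercise the parser offline."""
    e_lfanew, opt_size = 0x40, 224                       # 224 = PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    headers, body = b"", b""
    for i, (name, data) in enumerate(sections):
        headers += name.encode().ljust(8, b"\0")
        headers += struct.pack("<IIII", len(data), 0x1000 * (i + 1), len(data), raw_ptr)
        headers += b"\0" * 16                            # relocs/linenumbers/characteristics
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + headers + body


if __name__ == "__main__":
    # Constructed sample: a normal .text plus a section named like the .trhdtr in the report.
    image = build_test_pe([(".text", b"abc"), (".trhdtr", bytes(range(256)) * 4)], 1446305406)
    info = parse_pe(image)
    print("link timestamp:", info["timestamp"])
    for s in info["sections"]:
        print(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
    print("non-standard sections:", odd_sections(info["sections"]))
```

Run it against the real sample with `parse_pe(open(path, "rb").read())` and compare each row with the report; a matching timestamp and per-section hashes confirm you hold the same file even when the overall MD5 is all you were given.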
AV Rising: no_virus
AV Mcafee: GenericR-EYN!124324E5F2A5
AV Avira (antivir): TR/Crypt.Xpack.310276
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.762151
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.ECXX
AV Grisoft (avg): Crypt5.ILA
AV Symantec: Trojan.Gen
AV Fortinet: W32/Kryptik.EEAE!tr
AV BitDefender: Gen:Variant.Kazy.762151
AV K7: Trojan ( 004d58e61 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.762151
AV MalwareBytes: Trojan.Downloader
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Kazy.762151
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.ioja
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.762151
AV Arcabit (arcavir): Gen:Variant.Kazy.762151
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.37757
AV F-Secure: Gen:Variant.Kazy.762151
AV CA (E-Trust Ino): no_virus

20 of the 31 engines flag the file. Most verdicts are generic crypter or heuristic names (Kryptik, Crypt.Xpack, Crypt5, Kazy, Malware-gen); only Microsoft (Gamarue) and Kaspersky (Androm) name the Andromeda family, which is consistent with the msiexec.exe injection, Policies\Explorer\Run persistence and NTP pool lookups in the runtime section.

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

The registry, file and network events that follow are recorded under msiexec.exe, not under malware.exe: the dropper launches the legitimate Windows Installer binary and does its work from inside that process, so host telemetry keyed on image name will attribute the persistence writes and the C2 traffic to msiexec.exe.

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00

Persistence is the Policies\Explorer\Run value with a random numeric name (317606753) pointing at the copy dropped into the All Users profile; Explorer honours that key at logon like the ordinary Run key, but it is inspected far less often. TaskbarNoNotification=1 is the "turn off all balloon notifications" policy, which silences the tray warnings a user would otherwise see, ShowSuperHidden controls whether protected operating-system files are displayed, and Windows\Load is the legacy win.ini-style autostart value (written here with an empty value).
Creates File: C:\Documents and Settings\All Users\1310281
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: expediteddocs.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: europe.pool.ntp.org
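The registry and file events above form one chain: a copy dropped into the All Users profile, registered under Policies\Explorer\Run with a numeric value name, notifications switched off, and the original executable deleted. The following added example (not the sandbox's own tooling) parses event lines in the one-per-line form used above and reconstructs that chain, tying the autorun target back to a file the sample wrote. The tag names, the SHARED_PROFILE_MARKERS list and SAMPLE_EVENTS, which is constructed from the rows of this report, are assumptions of the example.

```python
import re

# Constructed from the Runtime Details rows above (one event per line, as listed there).
SAMPLE_EVENTS = r"""
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\1310281
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Deletes File: C:\malware.exe
"""

# Assumed: paths writable by every user, where droppers like to park a copy.
SHARED_PROFILE_MARKERS = ("\\all users\\", "\\programdata\\", "\\users\\public\\")


def clean_data(data):
    """Strip the sandbox's escaped trailing NULs (\\x00) and surrounding quotes."""
    data = re.sub(r"(\\+x00)+$", "", data.strip())
    return data.strip('"')


def classify_registry(key, value, data):
    """Map one registry write to (tag, detail) findings; tag names are this example's own."""
    k, v = key.lower(), value.lower()
    out = []
    if k.endswith(r"\policies\explorer\run"):
        out.append(("autorun-policy", f"{value} -> {data}"))
        if value.isdigit():
            out.append(("random-value-name", value))
        if any(m in data.lower() for m in SHARED_PROFILE_MARKERS):
            out.append(("payload-in-shared-profile", data))
    elif k.endswith(r"\windows nt\currentversion\windows") and v == "load":
        out.append(("legacy-load-autostart", data or "<empty>"))
    elif k.endswith(r"\policies\explorer") and v == "taskbarnonotification" and data == "1":
        out.append(("notifications-suppressed", key))
    elif k.endswith(r"\explorer\advanced") and v == "showsuperhidden":
        out.append(("superhidden-tampered", data))
    return out


def audit(events, sample_path=r"C:\malware.exe"):
    """Walk the event lines and return the persistence/evasion chain as (tag, detail) tuples."""
    findings, created, autorun_targets = [], set(), []
    for line in events.strip().splitlines():
        m = re.match(r"^(Registry|Creates File|Deletes File):\s*(.*)$", line)
        if not m:
            continue
        kind, rest = m.group(1), m.group(2).strip()
        if kind == "Creates File":
            created.add(rest.lower())
        elif kind == "Deletes File":
            if rest.lower() == sample_path.lower():       # the sample removing its own image
                findings.append(("self-delete", rest))
        else:
            path, _, raw = rest.partition(" ➝ ")
            key, _, value = path.rpartition("\\")
            data = clean_data(raw)
            findings.extend(classify_registry(key, value, data))
            if key.lower().endswith(r"\policies\explorer\run"):
                autorun_targets.append(data)
    # Corroborate: the autorun target should be a file the sample itself created.
    for target in autorun_targets:
        if target.lower() in created:
            findings.append(("autorun-target-dropped-by-sample", target))
    return findings


if __name__ == "__main__":
    for tag, detail in audit(SAMPLE_EVENTS):
        print(f"{tag:34} {detail}")
```

The same checks translate directly into host queries: enumerate the values under both hives' Policies\Explorer\Run and the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, and treat any target under a shared profile directory as suspect.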

Network Details:

DNS: europe.pool.ntp.org A 144.76.14.132
DNS: europe.pool.ntp.org A 195.222.33.219
DNS: europe.pool.ntp.org A 212.51.181.242
DNS: europe.pool.ntp.org A 95.81.173.74
DNS: north-america.pool.ntp.org A 50.116.36.122
DNS: north-america.pool.ntp.org A 66.96.99.10
DNS: north-america.pool.ntp.org A 204.9.136.253
DNS: north-america.pool.ntp.org A 207.210.46.249
DNS: south-america.pool.ntp.org A 190.15.128.72
DNS: south-america.pool.ntp.org A 190.181.129.115
DNS: south-america.pool.ntp.org A 200.186.125.195
DNS: south-america.pool.ntp.org A 200.189.40.8
DNS: asia.pool.ntp.org A 120.88.46.10
DNS: asia.pool.ntp.org A 218.189.210.4
DNS: asia.pool.ntp.org A 62.201.225.9
DNS: asia.pool.ntp.org A 92.61.176.134
DNS: oceania.pool.ntp.org A 103.239.8.22
DNS: oceania.pool.ntp.org A 103.242.68.69
DNS: oceania.pool.ntp.org A 103.242.70.4
DNS: oceania.pool.ntp.org A 202.127.210.36
DNS: africa.pool.ntp.org A 154.127.59.231
DNS: africa.pool.ntp.org A 168.167.168.38
DNS: africa.pool.ntp.org A 41.73.42.22
DNS: africa.pool.ntp.org A 41.231.7.85
DNS: pool.ntp.org A 209.118.204.201
DNS: pool.ntp.org A 24.56.178.140
DNS: pool.ntp.org A 67.198.37.16
DNS: pool.ntp.org A 198.55.111.50
DNS: microsoft.com A 134.170.188.221
DNS: microsoft.com A 134.170.185.46
DNS: expediteddocs.com A 50.97.106.192
DNS: buymeeverything.com A (no address recorded)
HTTP POST: http://expediteddocs.com/wp-includes/js/tinymce/plugins/system4_1030.php (User-Agent: Mozilla/4.0)
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 134.170.188.221:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1047 ➝ 50.97.106.192:80
Flows UDP: 192.168.1.1:1048 ➝ 8.8.4.4:53

The sequence is: lookups for every regional NTP pool and for microsoft.com, a TCP/80 connection to a microsoft.com address (a connectivity check), then the POST to expediteddocs.com. The recorded flows contain only DNS (to the sandbox resolver 8.8.4.4) and the two TCP/80 connections; no NTP (UDP/123) traffic was captured. The C2 script sits under a WordPress directory path (wp-includes/js/tinymce/plugins/), typical of a compromised site rather than dedicated infrastructure, and the User-Agent is a bare Mozilla/4.0 with no compatible token; both are usable network indicators. buymeeverything.com was queried but no address was recorded for it.
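The following added example (not part of the report) turns the network records above into detection logic: it flags the fan-out of lookups across the regional NTP pools, the bare Mozilla/4.0 User-Agent, a POST to a .php script under wp-includes, the name that never resolved, a plain HTTP flow to a looked-up host with no request recorded, and the flows that go to an address the C2 hostname resolved to. SAMPLE_NETWORK is constructed from the rows above; the NTP_FANOUT_MIN threshold and the tag names are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed from the Network Details rows above (one record per line, as listed there).
SAMPLE_NETWORK = """
DNS: europe.pool.ntp.org A 144.76.14.132
DNS: north-america.pool.ntp.org A 50.116.36.122
DNS: south-america.pool.ntp.org A 190.15.128.72
DNS: asia.pool.ntp.org A 120.88.46.10
DNS: oceania.pool.ntp.org A 103.239.8.22
DNS: africa.pool.ntp.org A 154.127.59.231
DNS: pool.ntp.org A 209.118.204.201
DNS: microsoft.com A 134.170.188.221
DNS: expediteddocs.com A 50.97.106.192
DNS: buymeeverything.com A (no address recorded)
HTTP POST: http://expediteddocs.com/wp-includes/js/tinymce/plugins/system4_1030.php (User-Agent: Mozilla/4.0)
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 134.170.188.221:80
Flows TCP: 192.168.1.1:1047 ➝ 50.97.106.192:80
"""

NTP_REGIONS = {"europe", "north-america", "south-america", "asia", "oceania", "africa"}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
NTP_FANOUT_MIN = 4   # assumed threshold: a normal host syncs against one pool, not most continents


def parse(text):
    """Split the one-line records into DNS answers, HTTP POSTs and flows."""
    dns, posts, flows = defaultdict(list), [], []
    for line in text.strip().splitlines():
        if line.startswith("DNS:"):
            parts = line.split()
            answers = dns[parts[1]]                      # creates the entry even when unresolved
            if len(parts) > 3 and re.fullmatch(IPV4, parts[3]):
                answers.append(parts[3])
        elif line.startswith("HTTP POST:"):
            m = re.match(r"HTTP POST:\s*(\S+)\s*\(User-Agent:\s*(.*?)\)\s*$", line)
            if m:
                posts.append((m.group(1), m.group(2)))
        elif line.startswith("Flows"):
            m = re.search(rf"({IPV4}):(\d+)\D+({IPV4}):(\d+)", line)
            if m:
                flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return dns, posts, flows


def analyse(text):
    """Return (tag, detail) findings; tag names are this example's own."""
    dns, posts, flows = parse(text)
    findings = []
    regions = {n[:-len(".pool.ntp.org")] for n in dns if n.endswith(".pool.ntp.org")} & NTP_REGIONS
    if len(regions) >= NTP_FANOUT_MIN:
        findings.append(("ntp-pool-fanout", sorted(regions)))
    c2_ips = set()
    for url, ua in posts:
        host = re.match(r"https?://([^/]+)", url).group(1)
        c2_ips.update(dns.get(host, []))
        if ua.strip() == "Mozilla/4.0":                  # no 'compatible; MSIE ...' token
            findings.append(("bare-mozilla4-ua", host))
        if "/wp-includes/" in url and url.endswith(".php"):
            findings.append(("post-to-php-under-wp-includes", url))
    for name, answers in dns.items():
        if not answers:
            findings.append(("unresolved-name", name))
    rdns = {ip: name for name, ips in dns.items() for ip in ips}
    for src, sport, dst, dport in flows:
        if dst in c2_ips:
            findings.append(("flow-to-c2", f"{dst}:{dport}"))
        elif dport == 80 and dst in rdns:                # HTTP to a looked-up host, no request seen
            findings.append(("plain-http-probe", rdns[dst]))
    return findings


if __name__ == "__main__":
    for tag, detail in analyse(SAMPLE_NETWORK):
        print(f"{tag:32} {detail}")
```

The bare User-Agent and the wp-includes .php path are the two checks worth lifting into a proxy or IDS rule; the NTP fan-out is a good corroborating signal in DNS logs but, on its own, will also fire on some legitimate time-sync clients.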
