Analysis Date: 2016-01-28 09:25:08
MD5: 035d05b358a5c17d35551e239c666fe2
SHA1: 7eac62797954ed5b7825f832748b9130341f21f0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 9a745cf76ae738b116ffdbd06df6f16a  sha1: b861d1b39429c72efe3837e33c7b6cc1fee1ef0b  size: 55808
Section .rdata  md5: 782a5dfd45f300a277a9a747ca19ccde  sha1: 066e589b4812b22261ca145b0f58f1a601415f79  size: 9728
Section .data   md5: 4d848b6ba34ea85d63501c4ef056f620  sha1: 5dbd351e231bf953e5e69122fb71a59b3361ae03  size: 60416
Section .reloc  md5: a76a1e7ffbb155e3b0526bc7b898c589  sha1: 22b0dbbd26b3f72dfd6a0e7f45a43acbbd048d64  size: 4608
Timestamp: 2016-01-20 10:45:05
Packer: Microsoft Visual C++ ?.?
PEhash: 0ae5cf73b97da4ccef0192f001442b8321ebdc3a
IMPhash: e455678411cf3e1a19ba82415a4febba
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV McAfee: RDN/Generic.hbg
AV Avira (antivir): TR/Crypt.Xpack.418942
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Zusy.177418
AV Alwil (avast): Dorder-E [Trj]
AV Eset (nod32): Win32/Kryptik.ELCF
AV Grisoft (avg): Crypt5.ACUB
AV Symantec: No Virus
AV Fortinet: W32/Kryptik.ELCF!tr
AV BitDefender: Gen:Variant.Zusy.177418
AV K7: Trojan ( 004dc37e1 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): No Virus
AV MalwareBytes: Ransom.FileCryptor
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Zusy.177418
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Zusy.177418
AV Arcabit (arcavir): Gen:Variant.Zusy.177418
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.2633
AV F-Secure: Gen:Variant.Zusy.177418

Runtime Details:

Process
↳ C:\malware.exe
  Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\x00
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \x00
  Creates File: C:\Documents and Settings\All Users\114968
  Creates File: PIPE\lsarpc
  Creates File: C:\Documents and Settings\All Users\msvgqh.exe
  Creates File: \Device\Afd\Endpoint
  Deletes File: C:\7EAC62~1.EXE (8.3 short name; matches the first six characters of the sample's SHA1)
  Winsock DNS: pool.ntp.org
  Winsock DNS: africa.pool.ntp.org
  Winsock DNS: south-america.pool.ntp.org
  Winsock DNS: microsoft.com
  Winsock DNS: north-america.pool.ntp.org
  Winsock DNS: asia.pool.ntp.org
  Winsock DNS: oceania.pool.ntp.org
  Winsock DNS: ringplanet.eu
  Winsock DNS: europe.pool.ntp.org
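The runtime activity above (a non-installer parent spawning msiexec.exe, a file dropped under All Users, autostart values written under Policies\Explorer\Run and Windows NT\CurrentVersion\Windows\Load, and notification/hidden-file settings changed) is the kind of sequence a host-telemetry rule can catch. The following is example code added by the editor, not part of the sandbox report or any vendor tool; the Sysmon-style event schema, the field names, the list of expected msiexec.exe parents and the sample events are all constructed assumptions, with the sample events mirroring the entries in this report.

```python
"""Detection logic for the host-side behaviours this report records, run over
constructed Sysmon-style events. Example code added by the editor; the event
schema, field names and sample events are assumptions made for illustration."""
from collections import namedtuple

# Registry paths the sample wrote to. Both are autostart locations that ordinary
# software almost never touches, so a write there is a strong signal on its own.
AUTOSTART_KEY_FRAGMENTS = (
    "\\currentversion\\policies\\explorer\\run\\",   # policy-enforced Run key
    "\\windows nt\\currentversion\\windows\\load",   # legacy Load= autostart
)
# Values the sample changed to hide itself from the user.
UI_TAMPER_VALUES = {"taskbarnonotification", "showsuperhidden"}
# Parents from which msiexec.exe is normally launched (assumption; tune per estate).
EXPECTED_MSIEXEC_PARENTS = {
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\explorer.exe",
    "c:\\windows\\system32\\msiexec.exe",
}

Finding = namedtuple("Finding", "rule detail")


def _registry_rules(ev, dropped_files):
    key = ev["key"].lower()
    value = ev.get("value", "")
    out = []
    if any(frag in key for frag in AUTOSTART_KEY_FRAGMENTS):
        out.append(Finding("registry_autostart", ev["key"]))
        # The sandbox shows the Run value with a trailing NUL; strip it before comparing.
        if value.rstrip("\x00").lower() in dropped_files:
            out.append(Finding("autostart_points_to_dropped_file", value.rstrip("\x00")))
    if key.rsplit("\\", 1)[-1] in UI_TAMPER_VALUES:
        out.append(Finding("ui_tamper", ev["key"]))
    return out


def _process_rules(ev):
    image = ev["image"].lower()
    if not image.endswith("\\msiexec.exe"):
        return []
    parent = ev.get("parent_image", "").lower()
    cmdline = ev.get("command_line", "").lower()
    # msiexec with no package on the command line and an unexpected parent is a
    # common pattern for a dropper using it as a host process for injected code.
    if ".msi" not in cmdline and parent not in EXPECTED_MSIEXEC_PARENTS:
        return [Finding("msiexec_without_package", f"{parent} -> {ev['image']}")]
    return []


def detect(events):
    """Return Findings for a list of event dicts (a 'type' plus type-specific fields)."""
    findings, dropped = [], set()
    for ev in events:
        if ev["type"] == "file_create":
            dropped.add(ev["path"].lower())
        elif ev["type"] == "registry_set":
            findings.extend(_registry_rules(ev, dropped))
        elif ev["type"] == "process_create":
            findings.extend(_process_rules(ev))
    return findings


# Constructed events mirroring this report's Runtime Details (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\WINDOWS\system32\msiexec.exe",
     "parent_image": r"C:\malware.exe", "command_line": "msiexec.exe"},
    {"type": "file_create", "path": r"C:\Documents and Settings\All Users\msvgqh.exe"},
    {"type": "registry_set", "value": "1",
     "key": r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification"},
    {"type": "registry_set", "value": "C:\\Documents and Settings\\All Users\\msvgqh.exe\x00",
     "key": r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753"},
    {"type": "registry_set", "value": "",
     "key": r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden"},
    {"type": "registry_set", "value": "\x00",
     "key": r"HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load"},
    # Benign control: the Windows Installer service started by services.exe is expected.
    {"type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "msiexec.exe /V"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.detail}")
```

The correlation between the file-create event and the Run value is what separates this from a generic "autostart written" alert: the value points at the file the same session dropped, and the trailing NUL shown in the report has to be stripped or the comparison silently fails.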

Network Details:

DNS europe.pool.ntp.org (A): 145.94.62.142, 195.154.10.106, 5.196.160.139, 139.112.153.37
DNS north-america.pool.ntp.org (A): 173.255.246.13, 198.110.48.12, 129.6.15.28, 129.250.35.251
DNS south-america.pool.ntp.org (A): 54.232.82.232, 146.164.48.5, 190.15.128.72, 201.49.148.135
DNS asia.pool.ntp.org (A): 157.7.154.23, 194.225.150.25, 202.65.114.202, 212.26.18.41
DNS oceania.pool.ntp.org (A): 103.242.70.5, 121.0.0.42, 192.189.54.33, 54.252.165.245
DNS africa.pool.ntp.org (A): 146.231.129.86, 196.41.127.42, 196.223.19.2, 41.188.33.6
DNS pool.ntp.org (A): 107.20.168.69, 38.111.6.68, 45.79.10.228, 74.123.29.4
DNS microsoft.com (A): 23.100.122.175, 104.40.211.35, 104.43.195.251, 191.239.213.197, 23.96.52.53
DNS ringplanet.eu (A): (no address recorded)
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.100.122.175:80 (microsoft.com, per the A record above)
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
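The network pattern above is distinctive on its own: one host resolves every regional pool.ntp.org zone within seconds, resolves microsoft.com and opens one TCP/80 flow to it, and queries a name (ringplanet.eu) that returns no address. A real NTP client uses the one or two pools it is configured with, so fan-out across regional zones from a single client in a short window is something a resolver-log rule can key on. The following is example code added by the editor, not part of the sandbox report or any product; the log line format, the window and threshold, and the sample lines are constructed assumptions (the sample lines reuse the names and addresses this report lists, in the order the report shows them resolved, plus a second benign client for contrast).

```python
"""Detection logic for the DNS pattern in this report's Network Details, run over
constructed resolver log lines. Example code added by the editor; the log format,
thresholds and sample lines are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Regional pool.ntp.org zones the sample resolved. Several of these from one client
# in a short window is the signal; the threshold and window are assumptions.
REGIONAL_POOLS = {
    "africa.pool.ntp.org", "asia.pool.ntp.org", "europe.pool.ntp.org",
    "north-america.pool.ntp.org", "oceania.pool.ntp.org", "south-america.pool.ntp.org",
}
MIN_DISTINCT_POOLS = 4
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Constructed format: '<ISO timestamp> <client> <qname> <qtype> <answer or ->'."""
    ts, client, qname, qtype, answer = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype,
            "answer": None if answer == "-" else answer}


def detect(lines):
    """Return {client: finding} for clients that fan out across regional NTP pools."""
    per_client = defaultdict(list)
    for rec in sorted((parse_line(l) for l in lines), key=lambda r: r["ts"]):
        per_client[rec["client"]].append(rec)
    findings = {}
    for client, recs in per_client.items():
        for i, start in enumerate(recs):
            window = [r for r in recs[i:] if r["ts"] - start["ts"] <= WINDOW]
            pools = {r["qname"] for r in window if r["qname"] in REGIONAL_POOLS}
            if len(pools) >= MIN_DISTINCT_POOLS:
                # Names queried but unanswered in the same window are the pivot worth
                # keeping with the alert; in this report that is ringplanet.eu.
                unresolved = sorted({r["qname"] for r in window if r["answer"] is None})
                findings[client] = {"pools": sorted(pools), "unresolved": unresolved,
                                    "first_seen": start["ts"].isoformat()}
                break
    return findings


# Constructed log lines: the sandbox host's queries as listed in this report, then a
# second client that only ever asks for its one configured pool.
SAMPLE_LOG = """\
2016-01-28T09:25:12Z 192.168.1.1 pool.ntp.org A 107.20.168.69
2016-01-28T09:25:12Z 192.168.1.1 africa.pool.ntp.org A 146.231.129.86
2016-01-28T09:25:13Z 192.168.1.1 south-america.pool.ntp.org A 54.232.82.232
2016-01-28T09:25:13Z 192.168.1.1 microsoft.com A 23.100.122.175
2016-01-28T09:25:14Z 192.168.1.1 north-america.pool.ntp.org A 173.255.246.13
2016-01-28T09:25:14Z 192.168.1.1 asia.pool.ntp.org A 157.7.154.23
2016-01-28T09:25:15Z 192.168.1.1 oceania.pool.ntp.org A 103.242.70.5
2016-01-28T09:25:15Z 192.168.1.1 ringplanet.eu A -
2016-01-28T09:25:16Z 192.168.1.1 europe.pool.ntp.org A 145.94.62.142
2016-01-28T09:25:16Z 192.168.1.1 europe.pool.ntp.org A 195.154.10.106
2016-01-28T09:30:00Z 192.168.1.50 europe.pool.ntp.org A 5.196.160.139
2016-01-28T10:30:00Z 192.168.1.50 europe.pool.ntp.org A 139.112.153.37
""".splitlines()

if __name__ == "__main__":
    for client, finding in detect(SAMPLE_LOG).items():
        print(client, finding)
```

The rule deliberately counts distinct zone names rather than query volume, so a host that polls its single configured pool many times a day (the second client) never trips it, while the sandbox host's six zones in four seconds does.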
