Analysis Date: 2015-12-04 01:51:48
MD5: f64faf320c9ea35b02f59f353fe6395c
SHA1: 83b4cf9bb75e8bd2e75742be9a704ec875960c39

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Sections:
  .text  - md5: 383389c8cbffd9ad50f5d9759adc9f9d  sha1: f39756bfba04a6acfca2e34f6de9e1757d30288a  size: 27136
  .rdata - md5: 03b6ee086c16c69fa04c8fc379a802eb  sha1: 5bb415e58b56bf894c0d0b711d05fdb6cb6e5da9  size: 1024
  .data  - md5: e2a4cdf9fe6437d2c85e10b834f7b8e2  sha1: 29345a8907eedba114659c2d050ee5086972f6f2  size: 11776
  .rsrc  - md5: a6b910e2a6ee05728e99fd6538f0d634  sha1: 931f73aea6f8071f1ce2bcc6b23b3a20105061ad  size: 41472
  .reloc - md5: 279c1f83ae2efa278e7078787efaad6f  sha1: d6031f71f7722ad39a3eeace4116282a1288c80b  size: 2048

Timestamp: 2015-11-10 03:17:40

Version info:
  LegalCopyright: © Microsoft Corporation. All rights reserved.
  InternalName: wordpad
  FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  CompanyName: Microsoft Corporation
  ProductName: Microsoft® Windows® Operating System
  ProductVersion: 6.1.7601.17514
  FileDescription: Windows Wordpad Application
  OriginalFilename: WORDPAD.EXE

Packer: Microsoft Visual C++ v6.0
PEhash: 0b63bb11829f6d11a68256affb8a30cc36471da8
IMPhash: 04d310bfa6439b9d8f9756a2d128c1f6
AV results (duplicate entries from the scan output collapsed):
  F-Secure: Trojan.GenericKD.2865179
  Authentium: W32/Backdoor.FZRV-4984
  MalwareBytes: Trojan.FakeMS
  Dr. Web: BackDoor.Bifrost.29831
  Grisoft (avg): Crypt5.MAY
  Eset (nod32): Win32/Kryptik.EERE
  MicroWorld (escan): Trojan.GenericKD.2865179
  Trend Micro: no_virus
  ClamAV: no_virus
  Ad-Aware: Trojan.GenericKD.2865179
  BitDefender: Trojan.GenericKD.2865179
  Avira (antivir): TR/Dropper.A.16946
  Alwil (avast): Malware-gen:Win32:Malware-gen
  Fortinet: W32/Androm.IQPF!tr.bdr
  Microsoft Security Essentials: Worm:Win32/Gamarue
  Ikarus: Trojan.Dropper
  Kaspersky: Backdoor.Win32.Androm.iqpf
  VirusBlokAda (vba32): no_virus
  Arcabit (arcavir): Trojan.GenericKD.2865179
  Mcafee: RDN/Generic BackDoor
  Twister: no_virus
  Symantec: Backdoor.Trojan
  K7: Trojan ( 004d692d1 )
  Rising: no_virus
  Frisk (f-prot): no_virus
  Emsisoft: Trojan.GenericKD.2865179
  Zillya!: no_virus
  CAT (quickheal): no_virus
  Padvish: no_virus
  BullGuard: Trojan.GenericKD.2865179
  CA (E-Trust Ino): no_virus

Runtime Details:

Process: C:\malware.exe
  Creates Process: C:\malware.exe

Process: C:\malware.exe
  Creates Process: C:\WINDOWS\system32\msiexec.exe

Process: C:\WINDOWS\system32\msiexec.exe
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
  Creates File: PIPE\lsarpc
  Creates File: C:\Documents and Settings\All Users\msvgqh.exe
  Creates File: \Device\Afd\Endpoint
  Creates File: C:\Documents and Settings\All Users\125140
  Deletes File: C:\malware.exe
  Winsock DNS: pool.ntp.org
  Winsock DNS: north-america.pool.ntp.org
  Winsock DNS: africa.pool.ntp.org
  Winsock DNS: oceania.pool.ntp.org
  Winsock DNS: asia.pool.ntp.org
  Winsock DNS: south-america.pool.ntp.org
  Winsock DNS: europe.pool.ntp.org

Network Details:

