Analysis Date: 2015-11-25 08:18:34
MD5: 3d7fc876d42ceed3f278c6110640931a
SHA1: 88af53c5bf46de07355b209aa2fae5d31b76c05f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 69bcccbee334b65ec6ddf995b463d3e5 sha1: c2201fc7708f5d110e620285b2a70a38da366378 size: 28160
Section .rdata: md5: cf5cc936df01890960e974d0e51ccfb8 sha1: 162302b738a48a1d22301085c49fa7eed8304ab4 size: 33280
Section .data: md5: fce7da2d058f366034eb3d7cd52b7311 sha1: aa782dc5be9d263a7d253f7c32d497c726343900 size: 15872
Timestamp: 2015-11-11 19:15:13
Packer: Microsoft Visual C++ ?.?
PEhash: 5076a494f0ad1ea8dc6f7da8d86fe91efc58ab09
IMPhash: 4b62e2a1fca468d49b9dec42ccc75e4d
AV F-Secure: Trojan.GenericKD.2871533
AV Authentium: W32/Trojan.GOPH-9276
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.DownLoader17.49491
AV Grisoft (avg): Crypt5.LCN
AV Eset (nod32): Win32/Kryptik.AMUG
AV MicroWorld (escan): Trojan.GenericKD.2871533
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Trojan.GenericKD.2871533
AV BitDefender: Trojan.GenericKD.2871533
AV Avira (antivir): TR/Crypt.ZPACK.208464
AV Alwil (avast): Dorder-D [Trj]
AV Fortinet: W32/Androm.AMUG!tr.bdr
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Backdoor.Win32.Androm.iqxt
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Trojan.GenericKD.2871533
AV Mcafee: no_virus
AV Twister: no_virus
AV Symantec: no_virus
AV K7: Trojan ( 003eb63d1 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Trojan.GenericKD.2871533
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.2871533
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\114203
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.100.122.175:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
