Analysis Date: 2015-11-21 04:56:49
MD5: a6d0595d8b6cb99697d33b0bc36e9675
SHA1: 8b917e41f7f66ed414f949ae924dd3eb8eeaff81

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 68df391636a399a24fd526500b9778ae sha1: d7f37d00293af55e7e7623c18656b91afe8988a1 size: 29696
Section .rdata md5: 69f106969be825f227b8339c391cf07b sha1: b588c2df82f601a61296a29e73b6f37a3216fa1d size: 15872
Section .data md5: f3bc92df16ab01d86de1e4d1bf87e463 sha1: 6a16472b8ca7377066397b28fc02ca2b927e8f3f size: 3584
Section .veywb md5: a737dee5ea617e660f3f824124b43722 sha1: 8d4801da9525ffd8f2b45d15d3f7fa9bce8a9ee5 size: 31232
Section .reloc md5: 023fb69cc2ce64a4447b5108124b364c sha1: bb0a41b3897431b1ad40e40c4082a722d0ab1af2 size: 4096
Timestamp: 2015-11-04 10:52:57
Packer: Microsoft Visual C++ ?.?
PEhash: 2a456e0229764bfc5b2291f0ec048d3acaa9a46e
IMPhash: 12c0745368cf9731a611e73c2d6a6df0
AV Rising: no_virus
AV Mcafee: RDN/Generic.grp
AV Avira (antivir): no_virus
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.764156
AV Alwil (avast): Rootkit-gen [Rtk]
AV Eset (nod32): Win32/Kryptik.EDPJ
AV Grisoft (avg): Crypt_s.JVY
AV Symantec: Trojan.Gen
AV Fortinet: W32/Yakes.NEQH!tr
AV BitDefender: Gen:Variant.Kazy.764156
AV K7: Trojan ( 004d5ff11 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.764156
AV MalwareBytes: Worm.Gamarue
AV Authentium: W32/S-d1a8399f!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Kazy.764156
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Yakes.neqh
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.764156
AV Arcabit (arcavir): Gen:Variant.Kazy.764156
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.40933
AV F-Secure: Gen:Variant.Kazy.764156
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\1771062
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org (Type: A) ➝ 193.227.197.2
DNS: europe.pool.ntp.org (Type: A) ➝ 5.135.158.34
DNS: europe.pool.ntp.org (Type: A) ➝ 87.238.165.168
DNS: europe.pool.ntp.org (Type: A) ➝ 178.17.162.12
DNS: north-america.pool.ntp.org (Type: A) ➝ 104.232.3.3
DNS: north-america.pool.ntp.org (Type: A) ➝ 209.208.79.69
DNS: north-america.pool.ntp.org (Type: A) ➝ 50.116.55.65
DNS: north-america.pool.ntp.org (Type: A) ➝ 66.219.116.140
DNS: south-america.pool.ntp.org (Type: A) ➝ 200.89.75.198
DNS: south-america.pool.ntp.org (Type: A) ➝ 200.160.0.8
DNS: south-america.pool.ntp.org (Type: A) ➝ 186.71.75.78
DNS: south-america.pool.ntp.org (Type: A) ➝ 200.20.186.76
DNS: asia.pool.ntp.org (Type: A) ➝ 129.250.35.251
DNS: asia.pool.ntp.org (Type: A) ➝ 160.16.101.116
DNS: asia.pool.ntp.org (Type: A) ➝ 168.63.242.24
DNS: asia.pool.ntp.org (Type: A) ➝ 211.233.40.78
DNS: oceania.pool.ntp.org (Type: A) ➝ 202.22.158.30
DNS: oceania.pool.ntp.org (Type: A) ➝ 202.22.158.31
DNS: oceania.pool.ntp.org (Type: A) ➝ 202.127.210.37
DNS: oceania.pool.ntp.org (Type: A) ➝ 203.23.237.200
DNS: africa.pool.ntp.org (Type: A) ➝ 196.223.19.3
DNS: africa.pool.ntp.org (Type: A) ➝ 197.82.150.123
DNS: africa.pool.ntp.org (Type: A) ➝ 168.167.168.38
DNS: africa.pool.ntp.org (Type: A) ➝ 196.41.127.42
DNS: pool.ntp.org (Type: A) ➝ 108.61.73.244
DNS: pool.ntp.org (Type: A) ➝ 173.44.32.10
DNS: pool.ntp.org (Type: A) ➝ 208.74.136.34
DNS: pool.ntp.org (Type: A) ➝ 208.75.88.4
DNS: microsoft.com (Type: A) ➝ 104.43.195.251
DNS: microsoft.com (Type: A) ➝ 191.239.213.197
DNS: microsoft.com (Type: A) ➝ 23.96.52.53
DNS: microsoft.com (Type: A) ➝ 23.100.122.175
DNS: microsoft.com (Type: A) ➝ 104.40.211.35
DNS: outsphere.com (Type: A)
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
