Analysis Date: 2015-12-02 06:32:22
MD5: 32d773cf928dbf3d2184dfbcfe95ae1a
SHA1: 9072837ef6563da872d6b5fd64c6a81a804348ec

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 62a4ed67a00893c3eb3ad23eb50eb6e3 sha1: a7e0f0306a30e72e335f578104cbf9d9723e90a7 size: 30720
Section .rdata: md5: 4b234ce4750df385e6a1060d85bfe888 sha1: 3b19ae2c9677856ad3a7f9dabd9b5defabe71da8 size: 9728
Section .data: md5: 082ab9f57c97f3035b332e45bfc32493 sha1: 1187e75ba905f5136c751c7d0ce81deffa873c1d size: 8704
Section .trhdtr: md5: e2eb530b2d2270691b9246d25054d7be sha1: 9a0870c0e0cede35d53c93c9170de41e06b3eb95 size: 31232
Section .reloc: md5: 831c2572750f6d36cb18eee5b688fa47 sha1: 13785e943908717980f7787a18c11b6c9beb5c9c size: 4096
Timestamp: 2015-11-02 23:00:09
Packer: Microsoft Visual C++ ?.?
PEhash: 7c2091f5e499d7522c1af7d4b9c4958870aae3c9
IMPhash: abbef199762681e4356cbc5530d9c1e0
AV Kaspersky: Trojan.Win32.Generic
AV MicroWorld (escan): Gen:Variant.Kazy.764156
AV Grisoft (avg): Crypt_s.JUK
AV Mcafee: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.764156
AV Ikarus: Trojan.Win32.Crypt
AV K7: Trojan ( 004d5ba51 )
AV MalwareBytes: Worm.Gamarue
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Fortinet: W32/Kryptik.EEAE!tr
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Siggen.65341
AV Ad-Aware: Gen:Variant.Kazy.764156
AV Emsisoft: Gen:Variant.Kazy.764156
AV Avira (antivir): TR/Crypt.Xpack.319506
AV Eset (nod32): Win32/Kryptik.EDEZ
AV Arcabit (arcavir): Gen:Variant.Kazy.764156
AV BitDefender: Gen:Variant.Kazy.764156
AV BullGuard: Gen:Variant.Kazy.764156
AV Alwil (avast): Dorder-E [Trj]
AV Authentium: W32/S-d1a8399f!Eldorado
AV CA (E-Trust Ino): no_virus
AV Padvish: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\115375
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: outsphere.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.96.52.53:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
