Analysis Date: 2015-12-07 20:26:53
MD5: f0ea059c0164e693381d67e7fcca11a8
SHA1: 9bbbf806f22d4302cdf8326313839f27a1d0f221

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 3fc1befb1023733678f4d48b69b6e570 sha1: 35bdd0b275e55f98662c317d75e2bceffeb12535 size: 105984
Section.rdata md5: 11c047181edd00e4c46fa5f644340a59 sha1: b4cdaf4170ebd0198e949d4ace0c58665b62521f size: 40448
Section.data md5: 6ce0eec54279f80f603517755780c35e sha1: a7420da9b4df9931ae80f762db6aeaf8b3102040 size: 35840
Section.rsrc md5: 631bfc0a5ce75f67b8997ca2235c29d8 sha1: 3aaeb18ea96e638610cf6c8f9246a163cc3c2019 size: 62464
Timestamp: 2015-10-20 10:48:32
Packer: Microsoft Visual C++ ?.?
PEhash: 80fdb69451b96056ada85c300cbf110a9ae52b5b
IMPhash: 5fb09aab36d211d5e6e28798ae2113c7
AV VirusBlokAda (vba32): Backdoor.Androm
AV Authentium: W32/Agent.XL.gen!Eldorado
AV MicroWorld (escan): Trojan.GenericKDZ.30724
AV Zillya!: no_virus
AV MalwareBytes: Ransom.CryptoWall
AV Alwil (avast): Androp [Drp]
AV Ikarus: Trojan.Win32.Crypt
AV Microsoft Security Essentials: VirTool:Win32/CeeInject.LJ
AV Symantec: Trojan.Gen
AV Emsisoft: Trojan.GenericKDZ.30724
AV Arcabit (arcavir): Trojan.GenericKDZ.30724
AV ClamAV: no_virus
AV Kaspersky: Trojan.Win32.Yakes.mwvt
AV Frisk (f-prot): no_virus
AV Eset (nod32): Win32/Injector.BNHS
AV Grisoft (avg): Crypt_r.AFP
AV K7: Trojan ( 004cef571 )
AV Mcafee: Gamarue-FDC!F0EA059C0164
AV Fortinet: W32/Kryptik.EASA!tr
AV Twister: Trojan.Injector.BNHS.bwns
AV BitDefender: Trojan.GenericKDZ.30724
AV Trend Micro: no_virus
AV Dr. Web: Trojan.DownLoad3.35944
AV Rising: no_virus
AV Avira (antivir): TR/AD.Gamarue.Y.1287
AV BullGuard: Trojan.GenericKDZ.30724
AV F-Secure: Trojan.GenericKDZ.30724
AV Ad-Aware: Trojan.GenericKDZ.30724
AV CAT (quickheal): Ransom.Crowti.B4
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\126109
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org, Type: A, 81.7.4.127
DNS: europe.pool.ntp.org, Type: A, 78.111.224.11
DNS: europe.pool.ntp.org, Type: A, 91.224.149.41
DNS: europe.pool.ntp.org, Type: A, 83.98.201.134
DNS: north-america.pool.ntp.org, Type: A, 207.210.46.249
DNS: north-america.pool.ntp.org, Type: A, 198.60.22.240
DNS: north-america.pool.ntp.org, Type: A, 174.136.103.130
DNS: north-america.pool.ntp.org, Type: A, 173.44.32.10
DNS: south-america.pool.ntp.org, Type: A, 200.93.227.170
DNS: south-america.pool.ntp.org, Type: A, 190.181.129.115
DNS: south-america.pool.ntp.org, Type: A, 201.217.3.85
DNS: south-america.pool.ntp.org, Type: A, 200.160.7.186
DNS: asia.pool.ntp.org, Type: A, 218.189.210.4
DNS: asia.pool.ntp.org, Type: A, 202.65.114.202
DNS: asia.pool.ntp.org, Type: A, 157.7.154.23
DNS: asia.pool.ntp.org, Type: A, 82.200.209.236
DNS: oceania.pool.ntp.org, Type: A, 130.102.128.23
DNS: oceania.pool.ntp.org, Type: A, 103.242.68.69
DNS: oceania.pool.ntp.org, Type: A, 203.56.27.253
DNS: oceania.pool.ntp.org, Type: A, 192.189.54.17
DNS: africa.pool.ntp.org, Type: A, 197.157.194.21
DNS: africa.pool.ntp.org, Type: A, 41.231.53.4
DNS: africa.pool.ntp.org, Type: A, 41.222.88.32
DNS: africa.pool.ntp.org, Type: A, 41.204.120.137
DNS: pool.ntp.org, Type: A, 38.111.6.68
DNS: pool.ntp.org, Type: A, 69.28.91.73
DNS: pool.ntp.org, Type: A, 50.116.36.122
DNS: pool.ntp.org, Type: A, 45.79.78.173
DNS: microsoft.com, Type: A (no address recorded)
Flows: UDP 192.168.1.1:1040 ➝ 8.8.4.4:53
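The runtime and network records above, turned into triage findings by an added example (this is editor-written code, not the sandbox's own tooling or anything the report ships). The sample records are a constructed copy of this report's entries in "Key: Value" form. Treating Policies\Explorer\Run and Windows NT\CurrentVersion\Windows\Load as autostart locations, and the one-line meanings given for TaskbarNoNotification and ShowSuperHidden, are my reading of the registry writes, not something the report states; the autostart list is deliberately short, not exhaustive.

```python
"""Parse a sandbox report's runtime records into triage findings.

Added example for this page, not tooling from the sandbox that produced it;
which registry paths are autostart locations and what the Explorer values
mean is my interpretation (assumption), not something the report states.
"""
import re
from dataclasses import dataclass, field

# Constructed sample copied from the runtime records above, in "Key: Value"
# form; a trailing "\x00" marks the NUL the sandbox logged after the value.
SAMPLE_REPORT = r"""
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\126109
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: europe.pool.ntp.org
"""

RECORD = re.compile(r"^(?P<key>[A-Za-z ]+?): (?P<value>.*)$")
FS_PATH = re.compile(r"^[A-Za-z]:\\")
# Autostart registry locations to check first (assumption: not exhaustive).
AUTOSTART_KEYS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\currentversion\\run(once)?\\[^\\]+$",
    r"\\currentversion\\policies\\explorer\\run\\[^\\]+$",
    r"\\windows nt\\currentversion\\windows\\(load|run)$",
    r"\\windows nt\\currentversion\\winlogon\\(shell|userinit)$",
)]
# Explorer values that change what the user sees (my reading of the policy).
UI_POLICY_VALUES = {
    "taskbarnonotification": "suppresses notification-area balloon tips",
    "showsuperhidden": "controls display of protected operating-system files",
}


@dataclass
class Findings:
    persistence: list = field(default_factory=list)   # (registry path, target)
    ui_policy: list = field(default_factory=list)     # (value name, data, meaning)
    dropped_files: list = field(default_factory=list)
    ntp_lookups: list = field(default_factory=list)
    self_deleted: bool = False


def parse_records(text):
    """Yield (key, value) for each 'Key: Value' line; other lines are skipped."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            yield m.group("key"), m.group("value")


def parse_registry(value):
    """Split 'KEY\\Name ➝ data' into (path, data), dropping the NUL and quotes."""
    path, _, data = value.partition(" ➝ ")
    data = data.strip()
    if data.endswith(r"\x00"):
        data = data[:-4]
    return path.strip(), data.strip('"')


def analyze(report_text, sample_path=r"C:\malware.exe"):
    """Classify the records; sample_path is where the submitted file ran from."""
    f = Findings()
    for key, value in parse_records(report_text):
        if key == "Registry":
            path, data = parse_registry(value)
            name = path.rsplit("\\", 1)[-1].lower()
            if any(p.search(path) for p in AUTOSTART_KEYS):
                f.persistence.append((path, data))
            elif name in UI_POLICY_VALUES:
                f.ui_policy.append((name, data, UI_POLICY_VALUES[name]))
        elif key == "Creates File" and FS_PATH.match(value):
            f.dropped_files.append(value)   # pipes and \Device objects are skipped
        elif key == "Deletes File" and value.lower() == sample_path.lower():
            f.self_deleted = True
        elif key == "Winsock DNS" and value.endswith("pool.ntp.org"):
            f.ntp_lookups.append(value)
    return f


def persisted_drops(f):
    """Dropped files that an autostart entry points at: what to hunt for on disk."""
    dropped = {p.lower() for p in f.dropped_files}
    return [t for _, t in f.persistence if t.lower() in dropped]


def triage_flags(f):
    """Short tags for a ticket or hunt query, in a fixed order."""
    checks = [
        ("autostart-registry", bool(f.persistence)),
        ("persists-dropped-file", bool(persisted_drops(f))),
        ("explorer-ui-policy", bool(f.ui_policy)),
        ("self-delete", f.self_deleted),
        ("ntp-pool-lookup", bool(f.ntp_lookups)),
    ]
    return [tag for tag, hit in checks if hit]
```

Running analyze(SAMPLE_REPORT) yields two autostart entries; only the Policies\Explorer\Run value resolves to a dropped file (msvgqh.exe under All Users), while the Windows\Load value is written empty and is reported as such rather than guessed at. persisted_drops() is the path to hunt for on other hosts; the NTP pool names and the 8.8.4.4:53 flow are only useful as supporting context, since a legitimate time sync produces the same lookups.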
