Analysis Date: 2015-12-24 12:26:17
MD5: 26344c1abc50a69103bec7e0142e4411
SHA1: 9d6783d7e39ad56667c0714557ca59999f226ea1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 4de851722bd2e42e616e646a052bdb0b sha1: 26b798bd04f9d020b3b007c417b3a01e08f3cc49 size: 119296
Section .rdata md5: dbe494db1358f90d592ad3aac93de2e5 sha1: c5e9949faacfbc58cdf7956f35cebfe0ab869057 size: 14336
Section .data md5: 9259c18c97b04c0edfc308f857dfc73d sha1: d911ba5130b02ea5400df638cc18e0d8ca0f320e size: 4096
Section .rsrc md5: 979aeff2d67f9417ece09c6f05b3374b sha1: f5ceb78e9abc489db82b343fab167adcae4c939d size: 59392
Timestamp: 2015-10-05 05:50:28
Version LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: attrib
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7600.16385
FileDescription: Attribute Utility
OriginalFilename: ATTRIB.EXE
Packer: Microsoft Visual C++ ?.?
PEhash: d6e03cd83bd313cc16f1b45c92f36dc6a6f294ec
IMPhash: 31a5ddb3cb1d561aee6579489d7240ea
AV Ad-Aware: Gen:Variant.Mikey.25585
AV Dr. Web: Trojan.PWS.Siggen1.42244
AV Kaspersky: Trojan.Win32.Generic
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Emsisoft: Gen:Variant.Mikey.25585
AV K7: Trojan ( 004d34071 )
AV Trend Micro: no_virus
AV Eset (nod32): Win32/Kryptik.DZHO
AV Ikarus: Trojan.Win32.Crypt
AV Alwil (avast): Androp [Drp]
AV Fortinet: W32/Kryptik.EDTY!tr
AV Grisoft (avg): Crypt5.AKH
AV Avira (antivir): TR/AD.Gamarue.Y.950
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Mikey.25585
AV Symantec: Trojan.Gen
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo
AV BitDefender: Gen:Variant.Mikey.25585
AV Zillya!: Backdoor.Androm.Win32.28551
AV BullGuard: Gen:Variant.Mikey.25585
AV Rising: no_virus
AV MicroWorld (escan): Gen:Variant.Mikey.25585
AV CA (E-Trust Ino): no_virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Arcabit (arcavir): Gen:Variant.Mikey.25585
AV CAT (quickheal): Backdoor.Androm.r4
AV Mcafee: RDN/Generic BackDoor
AV Twister: Trojan.Girtk.DZHO.unpx
AV ClamAV: no_virus
AV MalwareBytes: Trojan.FakeMS

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\~
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org (Type: A) ➝ 95.213.132.254
DNS: europe.pool.ntp.org (Type: A) ➝ 144.76.38.73
DNS: europe.pool.ntp.org (Type: A) ➝ 195.138.69.242
DNS: europe.pool.ntp.org (Type: A) ➝ 78.47.93.200
DNS: north-america.pool.ntp.org (Type: A) ➝ 67.18.187.111
DNS: north-america.pool.ntp.org (Type: A) ➝ 74.123.29.4
DNS: north-america.pool.ntp.org (Type: A) ➝ 199.182.221.110
DNS: north-america.pool.ntp.org (Type: A) ➝ 4.53.160.75
DNS: south-america.pool.ntp.org (Type: A) ➝ 200.93.227.170
DNS: south-america.pool.ntp.org (Type: A) ➝ 54.232.82.232
DNS: south-america.pool.ntp.org (Type: A) ➝ 66.60.22.202
DNS: south-america.pool.ntp.org (Type: A) ➝ 200.89.75.197
DNS: asia.pool.ntp.org (Type: A) ➝ 157.7.152.213
DNS: asia.pool.ntp.org (Type: A) ➝ 193.29.53.170
DNS: asia.pool.ntp.org (Type: A) ➝ 202.112.29.82
DNS: asia.pool.ntp.org (Type: A) ➝ 52.69.228.202
DNS: oceania.pool.ntp.org (Type: A) ➝ 202.127.210.36
DNS: oceania.pool.ntp.org (Type: A) ➝ 54.252.165.245
DNS: oceania.pool.ntp.org (Type: A) ➝ 130.102.128.23
DNS: oceania.pool.ntp.org (Type: A) ➝ 202.6.116.123
DNS: africa.pool.ntp.org (Type: A) ➝ 196.10.54.57
DNS: africa.pool.ntp.org (Type: A) ➝ 41.78.128.17
DNS: africa.pool.ntp.org (Type: A) ➝ 41.222.88.32
DNS: africa.pool.ntp.org (Type: A) ➝ 41.231.53.4
DNS: pool.ntp.org (Type: A) ➝ 45.79.10.228
DNS: pool.ntp.org (Type: A) ➝ 129.250.35.251
DNS: pool.ntp.org (Type: A) ➝ 173.44.32.10
DNS: pool.ntp.org (Type: A) ➝ 198.110.48.12
