Analysis Date: 2016-02-05 00:02:37
MD5: 498fcca4f6301a2915451ac22e8529bf
SHA1: ad7ad4e5d04133213a1f07ae2d1257af68ea0360

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 0c8a50cf8c3c4291306ce642f9466b17 sha1: 411db094ad6cacee04e657654b7a461b6ba05401 size: 31744
Section .rdata md5: f72a397b4f335fdccc5f4e41f0b9a4e1 sha1: e606c70f0996438c38693e0594741d397059f94b size: 45056
Section .data  md5: 97548890e4deea97531597e3838c4a85 sha1: 8442c71908fc62bde23076c3cfe5d00e35a7c36a size: 3072
Section .rey   md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .reloc md5: 29b58f6bbec97192a8cd65164d797fd4 sha1: 307ab276aca82a9d46f4d71502f9d5b5bf944b68 size: 4096
Timestamp: 2016-02-01 14:45:46
Packer: Microsoft Visual C++ ?.?
PEhash: 2307284c38b7d9124590ab8f93d152f5a6c9a4af
IMPhash: 95b2deaf40d12d96a2e5b8f3508b7860
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV McAfee: No Virus
AV Avira (antivir): TR/Crypt.Xpack.441168
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.10768
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.EMLL
AV Grisoft (avg): Crypt_s.KRD
AV Symantec: No Virus
AV Fortinet: W32/Yakes.EMLL!tr
AV BitDefender: Gen:Variant.Razy.10768
AV K7: No Virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Gen:Variant.Razy.10768
AV MalwareBytes: Trojan.MalPack.INJ
AV Authentium: No Virus
AV Emsisoft: Gen:Variant.Razy.10768
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Yakes.owzz
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Razy.10768
AV Arcabit (arcavir): Gen:Variant.Razy.10768
AV ClamAV: No Virus
AV Dr. Web: BackDoor.Andromeda.1407
AV F-Secure: Gen:Variant.Razy.10768

Runtime Details:

Process
↳ C:\malware.exe
  Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
  Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
  Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
  Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
  Creates File: PIPE\lsarpc
  Creates File: C:\Documents and Settings\All Users\msvgqh.exe
  Creates File: \Device\Afd\Endpoint
  Creates File: C:\Documents and Settings\All Users\112281
  Creates File: \Device\Afd\AsyncConnectHlp
  Deletes File: C:\AD7AD4~1.EXE
  Winsock DNS: pool.ntp.org
  Winsock DNS: africa.pool.ntp.org
  Winsock DNS: south-america.pool.ntp.org
  Winsock DNS: microsoft.com
  Winsock DNS: north-america.pool.ntp.org
  Winsock DNS: asia.pool.ntp.org
  Winsock DNS: oceania.pool.ntp.org
  Winsock DNS: ringplanet.eu
  Winsock DNS: europe.pool.ntp.org
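The registry and file activity recorded for the msiexec.exe child is the part of this report a responder acts on first: a value under Policies\Explorer\Run pointing at an executable dropped under All Users, a write to the Windows NT\CurrentVersion\Windows\Load value, and Explorer policy values that suppress tray notifications and hide super-hidden files. The Python below is an added example, not part of the report or of the sandbox that produced it. It parses runtime entries in a one-entry-per-line "Kind: value" layout with registry writes as "Registry: <key> ➝ <data>" (that layout, the autostart-location list and the stealth-value list are assumptions made for this example; the sandbox's real export format is not documented on this page), and then cross-checks which persisted path was also dropped during the run. The sample text is constructed from the entries above.

```python
"""Triage the 'Runtime Details' block of a sandbox report.

Added example, not part of the report. Layout parsed: one entry per line,
"Kind: value", with registry entries as "Registry: <key> ➝ <data>". That
layout and the autostart/stealth lists are assumptions made for this example.
"""
import re
from collections import defaultdict

# Sample input constructed for this example from the entries in the report.
RUNTIME_SAMPLE = r"""
Creates Process: C:\WINDOWS\system32\msiexec.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\112281
Deletes File: C:\AD7AD4~1.EXE
Winsock DNS: pool.ntp.org
Winsock DNS: ringplanet.eu
"""

LINE_RE = re.compile(r"^(Registry|Creates File|Deletes File|Winsock DNS|Creates Process): (.*)$")

# Autostart locations to flag (assumed, deliberately short list for this example;
# a real ASEP sweep covers far more keys).
AUTOSTART_PATTERNS = (
    r"\\currentversion\\run\\",
    r"\\policies\\explorer\\run\\",
    r"\\windows nt\\currentversion\\windows\\load$",
    r"\\windows nt\\currentversion\\winlogon\\",
)
# Explorer values commonly flipped to keep a dropped payload out of sight (assumed list).
STEALTH_VALUES = ("taskbarnonotification", "showsuperhidden", "hidefileext")


def _clean(value):
    """Strip the sandbox's literal "\\x00" rendering of an embedded NUL terminator."""
    value = value.strip()
    while value.endswith("\\x00"):
        value = value[:-4].rstrip("\\")
    return value


def triage(text):
    """Bucket each runtime entry: persistence, stealth, dropped/deleted files, DNS, children."""
    out = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "Registry":
            key, _, data = rest.partition(" ➝ ")
            key, data = key.strip(), _clean(data)
            lk = key.lower()
            if any(re.search(p, lk) for p in AUTOSTART_PATTERNS):
                out["persistence"].append((key, data))
            elif lk.rsplit("\\", 1)[-1] in STEALTH_VALUES:
                out["stealth"].append((key, data))
            else:
                out["other_registry"].append((key, data))
        elif kind == "Creates File":
            out["dropped"].append(rest.strip())
        elif kind == "Deletes File":
            out["deleted"].append(rest.strip())
        elif kind == "Winsock DNS":
            out["dns"].append(rest.strip())
        elif kind == "Creates Process":
            out["children"].append(rest.strip())
    return dict(out)


def persisted_payloads(result):
    """Paths that were both written during the run and referenced from an autostart value."""
    dropped = {p.lower() for p in result.get("dropped", [])}
    return sorted(v for _, v in result.get("persistence", []) if v.lower() in dropped)


if __name__ == "__main__":
    res = triage(RUNTIME_SAMPLE)
    for bucket in ("children", "persistence", "stealth", "dropped", "deleted", "dns"):
        for item in res.get(bucket, []):
            print(f"{bucket:12} {item}")
    print("persisted payloads:", persisted_payloads(res))
```

For this sample the only path that is both dropped and wired into an autostart location is C:\Documents and Settings\All Users\msvgqh.exe; the Load value is flagged as touched even though its data is empty after the NUL is stripped, because a write to that location is worth a look regardless of content.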

Network Details:

DNS: europe.pool.ntp.org (A) 213.141.154.170
DNS: europe.pool.ntp.org (A) 129.250.35.250
DNS: europe.pool.ntp.org (A) 188.126.88.9
DNS: europe.pool.ntp.org (A) 195.141.190.190
DNS: north-america.pool.ntp.org (A) 142.54.181.202
DNS: north-america.pool.ntp.org (A) 198.110.48.12
DNS: north-america.pool.ntp.org (A) 206.108.0.131
DNS: north-america.pool.ntp.org (A) 96.126.105.86
DNS: south-america.pool.ntp.org (A) 201.49.148.135
DNS: south-america.pool.ntp.org (A) 66.60.22.202
DNS: south-america.pool.ntp.org (A) 164.73.227.4
DNS: south-america.pool.ntp.org (A) 200.189.40.8
DNS: asia.pool.ntp.org (A) 129.250.35.250
DNS: asia.pool.ntp.org (A) 202.65.114.202
DNS: asia.pool.ntp.org (A) 218.189.210.3
DNS: asia.pool.ntp.org (A) 59.149.185.193
DNS: oceania.pool.ntp.org (A) 202.127.210.36
DNS: oceania.pool.ntp.org (A) 130.102.2.123
DNS: oceania.pool.ntp.org (A) 192.189.54.33
DNS: oceania.pool.ntp.org (A) 202.6.116.123
DNS: africa.pool.ntp.org (A) 41.73.42.10
DNS: africa.pool.ntp.org (A) 41.231.7.85
DNS: africa.pool.ntp.org (A) 196.223.19.3
DNS: africa.pool.ntp.org (A) 197.84.150.123
DNS: pool.ntp.org (A) 129.6.15.28
DNS: pool.ntp.org (A) 216.152.240.220
DNS: pool.ntp.org (A) 97.107.128.58
DNS: pool.ntp.org (A) 104.232.3.3
DNS: microsoft.com (A) 104.43.195.251
DNS: microsoft.com (A) 191.239.213.197
DNS: microsoft.com (A) 23.96.52.53
DNS: microsoft.com (A) 23.100.122.175
DNS: microsoft.com (A) 104.40.211.35
DNS: ringplanet.eu (A) 31.193.177.68
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1047 ➝ 31.193.177.68:80
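The network block lists many more resolved names than connections: every regional pool.ntp.org name was looked up, but the only non-DNS flows go to one microsoft.com address and to the single ringplanet.eu address, both on TCP/80. Mapping flow destinations back to the DNS answers is the quickest way to separate lookups that went nowhere from hosts that were actually contacted. The Python below is an added example, not part of the report or of the sandbox that produced it. It parses one-line records in the forms "DNS: <name> (<type>) <answer>" and "Flows <proto>: <src>:<port> ➝ <dst>:<port>" (a layout assumption for this example), joins flows to names, and labels contacted names against an assumed short list of benign time and reachability checks; anything else is left for review. The sample is constructed from a subset of the answers above and all of the flows.

```python
"""Correlate the 'Network Details' block of a sandbox report: which resolved
names were actually connected to, and which of those look like benign
time/reachability checks rather than command-and-control.

Added example, not part of the report. The one-line layouts parsed below and
the benign/probe lists are assumptions made for this example.
"""
import re
from collections import defaultdict

# Sample input constructed for this example from a subset of the report's
# DNS answers and all of its flows.
NETWORK_SAMPLE = """\
DNS: europe.pool.ntp.org (A) 213.141.154.170
DNS: north-america.pool.ntp.org (A) 142.54.181.202
DNS: pool.ntp.org (A) 129.6.15.28
DNS: microsoft.com (A) 104.43.195.251
DNS: microsoft.com (A) 23.96.52.53
DNS: ringplanet.eu (A) 31.193.177.68
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1047 ➝ 31.193.177.68:80
"""

DNS_RE = re.compile(r"^DNS: (\S+) \((\w+)\) (\S+)$")
FLOW_RE = re.compile(r"^Flows (TCP|UDP): (\S+):(\d+) ➝ (\S+):(\d+)$")

# Assumed for this example: NTP pool names are a common time/connectivity check
# and microsoft.com a common reachability probe. Neither label proves intent.
PROBE_DOMAINS = {"microsoft.com"}


def classify(name):
    """Label a resolved name; anything off the assumed benign lists is for review."""
    if name == "pool.ntp.org" or name.endswith(".pool.ntp.org"):
        return "ntp-pool"
    if name in PROBE_DOMAINS:
        return "reachability-probe"
    return "review"


def correlate(text):
    """Join flow destinations to DNS answers; report contacted vs resolved-only names."""
    names_by_ip = defaultdict(set)
    resolved = set()
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DNS_RE.match(line)
        if m:
            name, rtype, answer = m.groups()
            resolved.add(name)
            if rtype == "A":
                names_by_ip[answer].add(name)
            continue
        m = FLOW_RE.match(line)
        if m:
            proto, src, sport, dst, dport = m.groups()
            flows.append((proto, src, int(sport), dst, int(dport)))

    contacted = defaultdict(list)   # name -> [(proto, dst, dport)]
    no_dns = []                      # connections to IPs never seen in an answer
    for proto, _src, _sport, dst, dport in flows:
        if proto == "UDP" and dport == 53:
            continue                 # the resolver traffic itself
        names = names_by_ip.get(dst)
        if not names:
            no_dns.append((proto, dst, dport))
            continue
        for name in sorted(names):
            contacted[name].append((proto, dst, dport))
    return {
        "contacted": dict(contacted),
        "resolved_only": sorted(resolved - set(contacted)),
        "no_dns": no_dns,
    }


def suspicious_contacts(result):
    """Names that were resolved, connected to, and are not on the benign lists."""
    return sorted(n for n in result["contacted"] if classify(n) == "review")


if __name__ == "__main__":
    res = correlate(NETWORK_SAMPLE)
    for name, conns in res["contacted"].items():
        print(f"{classify(name):18} {name:28} {conns}")
    print("resolved but never contacted:", res["resolved_only"])
    print("connections with no matching DNS answer:", res["no_dns"])
    print("review:", suspicious_contacts(res))
```

On this report none of the NTP answers is followed by a UDP/123 flow, so every pool.ntp.org name ends up resolved-only, and the one name left for review is ringplanet.eu. The no_dns bucket matters on other samples: a TCP connection to an address that never appeared in an answer usually means a hard-coded IP rather than a resolved name.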
