Analysis Date: 2015-11-18 22:34:37
MD5: 54711bac66583452efb00697de5f8b17
SHA1: b4deffd0994b20ce2023e7ac79843ba017b21c84

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1a837d2d0dfd950ed1126e84e2629833 sha1: 3144570543bfa13f50d80d11c429d0970c012b88 size: 27648
Section .rdata md5: 0b946189a60b1210a8beb081d4ae6136 sha1: 422d31ebba986365aa6303ef85c9f0ad0f7a0b93 size: 14848
Section .data md5: 0db4dccadd7fbbc9bde32a4a5232fb67 sha1: f7f06ec7685ec1dc38714f3bcb36a8b6f7a57090 size: 8704
Section .trhdtr md5: d504a85da552bdae4a3cbe182ae601d9 sha1: 219c9d2eb1f7436fbeca6b02d3acc847f598026d size: 31232
Section .rsrc md5: ba27b50052fb25ad4880a94ad428e824 sha1: 98595fdc26f956416dbef372faeb6724f198ce47 size: 15360
Section .reloc md5: d0dd882a39dafcfcda98071febdc8d17 sha1: abd9f6b763ab3402e8ec4b184afddf79409481f5 size: 4096
Timestamp: 2015-10-31 02:15:06
Packer: Microsoft Visual C++ ?.?
PEhash: bb6977eb630132b3c027c5abd415d391972a023b
IMPhash: 2675be372bdfb56cd65dbb0e0fc1cf8e
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: GenericR-EXU!54711BAC6658
AV Avira (antivir): TR/Crypt.Xpack.310595
AV Twister: Trojan.Girtk.ECWV.pmoc
AV Ad-Aware: Gen:Variant.Kazy.762151
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/Kryptik.ECWV
AV Grisoft (avg): Crypt_r.AIK
AV Symantec: Trojan.Gen
AV Fortinet: W32/Kryptik.ECWV!tr
AV BitDefender: Gen:Variant.Kazy.762151
AV K7: Trojan ( 004d592e1 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.762151
AV MalwareBytes: Trojan.Wauchos
AV Authentium: W32/Trojan.HYWZ-9355
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Kazy.762151
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.iook
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.762151
AV Arcabit (arcavir): Gen:Variant.Kazy.762151
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.37263
AV F-Secure: Gen:Variant.Kazy.762151

Runtime Details:

Process
↳ C:\malware.exe

Creates Process C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\All Users\msvgqh.exe
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\All Users\117296
Deletes File C:\malware.exe
Winsock DNS microsoft.com
Winsock DNS pool.ntp.org
Winsock DNS north-america.pool.ntp.org
Winsock DNS africa.pool.ntp.org
Winsock DNS oceania.pool.ntp.org
Winsock DNS asia.pool.ntp.org
Winsock DNS south-america.pool.ntp.org
Winsock DNS europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org A 194.54.80.30, 31.3.101.37, 81.0.124.200, 129.70.132.35
DNS north-america.pool.ntp.org A 108.61.73.244, 192.3.141.155, 198.55.111.50, 97.107.128.58
DNS south-america.pool.ntp.org A 200.186.125.195, 190.15.128.72, 190.15.141.64, 200.160.0.8
DNS asia.pool.ntp.org A 119.82.243.189, 128.199.84.169, 202.65.114.202, 59.106.180.168
DNS oceania.pool.ntp.org A 103.242.68.69, 121.0.0.42, 202.22.158.31, 103.239.8.22
DNS africa.pool.ntp.org A 196.41.127.42, 196.43.1.5, 197.12.0.14, 197.80.150.123
DNS pool.ntp.org A 129.250.35.251, 208.43.245.212, 45.56.72.16, 108.61.73.243
DNS microsoft.com A 134.170.188.221, 134.170.185.46
DNS expediteddocs.com A (no answer recorded)
Flows UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1044 ➝ 134.170.188.221:80
Flows UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
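Added triage example (not part of the sandbox output above and not the sandbox's own code): a Python script that parses this report's one-record-per-line form and pulls out what a responder would act on from both the Static Details and the Runtime/Network Details. It flags the non-standard section name (.trhdtr, a typical crypter artifact; the set of "standard" MSVC section names is this example's assumption), the autostart entries under Policies\Explorer\Run and the legacy Windows\Load value, the TaskbarNoNotification/ShowSuperHidden policy writes that hide the infection from the user, the files dropped under All Users plus the self-delete of the original sample, and the DNS lookups, with the pool.ntp.org and microsoft.com queries separated out as reachability checks (an assumption about what the sample uses them for; the report only records the lookups). The embedded REPORT text is constructed from the lines above. For context, the three vendors above that name a family rather than a generic crypter (Microsoft's Gamarue, Malwarebytes' Wauchos, Kaspersky's Androm) are all names for the Andromeda downloader bot.

```python
import re

# Constructed excerpt of the report above, one "Label value" record per line.
REPORT = r"""
Section .text md5: 1a837d2d0dfd950ed1126e84e2629833 sha1: 3144570543bfa13f50d80d11c429d0970c012b88 size: 27648
Section .trhdtr md5: d504a85da552bdae4a3cbe182ae601d9 sha1: 219c9d2eb1f7436fbeca6b02d3acc847f598026d size: 31232
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\All Users\msvgqh.exe
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\All Users\117296
Deletes File C:\malware.exe
DNS europe.pool.ntp.org A 194.54.80.30, 31.3.101.37, 81.0.124.200, 129.70.132.35
DNS north-america.pool.ntp.org A 108.61.73.244, 192.3.141.155
DNS microsoft.com A 134.170.188.221, 134.170.185.46
DNS expediteddocs.com A (no answer recorded)
Flows UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1044 ➝ 134.170.188.221:80
"""

SECTION_RE = re.compile(r"^Section (\S+) md5: ([0-9a-f]+) sha1: ([0-9a-f]+) size: (\d+)$")
REG_RE = re.compile(r"^Registry (.+?) ➝ (.*)$")
FILE_RE = re.compile(r"^(Creates|Deletes) File (.+)$")
DNS_RE = re.compile(r"^DNS (\S+) A (.+)$")
FLOW_RE = re.compile(r"^Flows (TCP|UDP) (\S+) ➝ (\S+)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Assumptions of this example, not facts stated by the report.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}
PERSISTENCE_PATTERNS = ("\\currentversion\\run", "\\policies\\explorer\\run",
                        "\\currentversion\\windows\\load", "\\winlogon\\")
UI_HIDING_VALUES = {"taskbarnonotification", "showsuperhidden", "hidden", "hidefileext"}
RECON_HOSTS = ("pool.ntp.org", "microsoft.com")  # lookups treated as reachability checks

def parse_report(text):
    """Turn the report's line records into lists keyed by record type."""
    rep = {"sections": [], "registry": [], "files": [], "dns": {}, "flows": []}
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            name, md5, sha1, size = m.groups()
            rep["sections"].append({"name": name, "md5": md5, "sha1": sha1, "size": int(size)})
        elif m := REG_RE.match(line):
            rep["registry"].append((m.group(1), m.group(2)))
        elif m := FILE_RE.match(line):
            rep["files"].append((m.group(1), m.group(2)))
        elif m := DNS_RE.match(line):
            rep["dns"].setdefault(m.group(1), []).extend(a.strip() for a in m.group(2).split(","))
        elif m := FLOW_RE.match(line):
            rep["flows"].append(m.groups())
    return rep

def unusual_sections(sections):
    """Section names outside the usual MSVC set; .trhdtr here is a crypter tell."""
    return [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS]

def persistence_entries(registry):
    """Autostart locations written by the sample (Run keys, the legacy Windows\\Load value)."""
    return [(k, v) for k, v in registry if any(p in k.lower() for p in PERSISTENCE_PATTERNS)]

def ui_hiding_entries(registry):
    """Explorer policy values that hide tray balloons or protected files from the user."""
    return sorted({k for k, _ in registry if k.lower().rsplit("\\", 1)[-1] in UI_HIDING_VALUES})

def dropped_files(files):
    """Real file-system writes only; the sandbox logs pipes and device objects under the same label."""
    return [p for act, p in files if act == "Creates" and not p.upper().startswith(("PIPE\\", "\\DEVICE\\"))]

def self_deletes(files, sample_path="C:\\malware.exe"):
    return any(act == "Deletes" and p.lower() == sample_path.lower() for act, p in files)

def classify_dns(dns):
    """Split lookups into reachability checks and everything else, keeping IPv4 answers only."""
    checks, other = {}, {}
    for host, answers in dns.items():
        bucket = checks if host.endswith(RECON_HOSTS) else other
        bucket[host] = [a for a in answers if IPV4_RE.fullmatch(a)]
    return checks, other

def triage(text):
    rep = parse_report(text)
    checks, other = classify_dns(rep["dns"])
    return {
        "unusual_sections": unusual_sections(rep["sections"]),
        "persistence": persistence_entries(rep["registry"]),
        "ui_hiding": ui_hiding_entries(rep["registry"]),
        "dropped": dropped_files(rep["files"]),
        "self_delete": self_deletes(rep["files"]),
        "connectivity_checks": sorted(checks),
        "other_dns": other,
        "flows": rep["flows"],
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

Running it prints one line per finding; the `other_dns` bucket is the one worth pivoting on, since expediteddocs.com is the only lookup that is neither an NTP pool nor microsoft.com and the report records no answer for it. The persistence list is what to sweep other hosts for: a numeric value name under HKLM\...\Policies\Explorer\Run pointing at an executable in the All Users profile.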

Raw Pcap

Strings