Analysis Date: 2015-12-25 01:02:11
MD5: aba828aecec6760da1a2177319463cff
SHA1: bc27af29ad0bbc559ed388fd2c060055919d9e1a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 3ab13c26296fa9cebbe9802f9e6627c0 sha1: 39f6b863e8fb358eeaef17c4e3f8a30933644e37 size: 227328
Section .rdata: md5: 175aab7ee00eca695081f54b079ab2d6 sha1: 252a51ce1ba2be9a1d097d54a8b787fcf358bbb5 size: 26624
Section .data: md5: 057f7ce6fa5817f13571666f109534f4 sha1: 060c35f3a0daf32d000f95f6cef2b717f04d496a size: 17408
Section .rsrc: md5: 287cbb51fdbe568c34594fa19fbece35 sha1: 7e48e79f269ceceea0662a155723d4d350292efb size: 84480
Timestamp: 2015-10-21 15:46:30
Version:
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: pathping.exe
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7600.16385
FileDescription: TCP/IP PathPing Command
OriginalFilename: pathping.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 90b58988a4e6bc0c06e19bb2db7b3c86c673232e
IMPhash: 8f4d454f412dbee7b499c7ff21e01153
AV Ad-Aware: Gen:Variant.Zusy.169788
AV Dr. Web: Trojan.MulDrop6.12706
AV Kaspersky: Trojan.Win32.Generic
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.169788
AV K7: Trojan ( 004d48ed1 )
AV Trend Micro: no_virus
AV Eset (nod32): Win32/Kryptik.EBPA
AV Ikarus: Trojan.Win32.Crypt
AV Alwil (avast): Androp [Drp]
AV Fortinet: W32/Kryptik.EASA!tr
AV Grisoft (avg): Crypt_r.AFZ
AV Avira (antivir): TR/AD.Gamarue.Y.1413
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.169788
AV Symantec: Trojan.Gen
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo
AV BitDefender: Gen:Variant.Zusy.169788
AV Zillya!: no_virus
AV BullGuard: Gen:Variant.Zusy.169788
AV Rising: no_virus
AV MicroWorld (escan): Gen:Variant.Zusy.169788
AV CA (E-Trust Ino): no_virus
AV Microsoft Security Essentials: VirTool:Win32/CeeInject.LJ
AV Arcabit (arcavir): Gen:Variant.Zusy.169788
AV CAT (quickheal): Trojan.CeeInject.r4
AV Mcafee: RDN/Generic BackDoor
AV Twister: no_virus
AV ClamAV: no_virus
AV MalwareBytes: Trojan.FakeMS

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\117093
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org (Type: A) ➝ 85.254.217.235
DNS: europe.pool.ntp.org (Type: A) ➝ 176.9.1.211
DNS: europe.pool.ntp.org (Type: A) ➝ 195.154.189.15
DNS: europe.pool.ntp.org (Type: A) ➝ 78.47.148.174
DNS: north-america.pool.ntp.org (Type: A) ➝ 66.228.59.187
DNS: north-america.pool.ntp.org (Type: A) ➝ 74.122.204.5
DNS: north-america.pool.ntp.org (Type: A) ➝ 198.60.22.240
DNS: north-america.pool.ntp.org (Type: A) ➝ 52.0.56.137
DNS: south-america.pool.ntp.org (Type: A) ➝ 200.89.75.198
DNS: south-america.pool.ntp.org (Type: A) ➝ 131.0.232.2
DNS: south-america.pool.ntp.org (Type: A) ➝ 200.1.19.16
DNS: south-america.pool.ntp.org (Type: A) ➝ 200.1.22.6
DNS: asia.pool.ntp.org (Type: A) ➝ 80.241.0.72
DNS: asia.pool.ntp.org (Type: A) ➝ 124.109.2.169
DNS: asia.pool.ntp.org (Type: A) ➝ 202.118.1.81
DNS: asia.pool.ntp.org (Type: A) ➝ 52.69.228.202
DNS: oceania.pool.ntp.org (Type: A) ➝ 203.97.218.196
DNS: oceania.pool.ntp.org (Type: A) ➝ 54.252.129.186
DNS: oceania.pool.ntp.org (Type: A) ➝ 103.242.68.69
DNS: oceania.pool.ntp.org (Type: A) ➝ 115.126.160.4
DNS: africa.pool.ntp.org (Type: A) ➝ 146.231.129.81
DNS: africa.pool.ntp.org (Type: A) ➝ 196.10.55.57
DNS: africa.pool.ntp.org (Type: A) ➝ 197.80.150.123
DNS: africa.pool.ntp.org (Type: A) ➝ 41.222.88.32
DNS: pool.ntp.org (Type: A) ➝ 204.2.134.163
DNS: pool.ntp.org (Type: A) ➝ 45.79.10.228
DNS: pool.ntp.org (Type: A) ➝ 64.71.128.26
DNS: pool.ntp.org (Type: A) ➝ 67.18.208.203
DNS: microsoft.com (Type: A) ➝ 191.239.213.197
DNS: microsoft.com (Type: A) ➝ 104.43.195.251
DNS: microsoft.com (Type: A) ➝ 104.40.211.35
DNS: microsoft.com (Type: A) ➝ 23.100.122.175
DNS: microsoft.com (Type: A) ➝ 23.96.52.53
DNS: and12.thesuchivestfishmarketeat111.com (Type: A)
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 191.239.213.197:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
