Analysis Date: 2016-02-08 20:28:50
MD5: c21641c9513632314ea52202bd9a7f87
SHA1: bd365685c6bf51520a8066e521fd03d02b4a0af7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 01980e5e61d9fc9432582d612627519a sha1: bbd414531d5d742cdd52d1ec6b04322bcab3b4d8 size: 56832
Section .rdata md5: 3a5b70d79fe8ee1cba74934040ade8de sha1: 3165454e8c7e74dd7b84b352acb8d2f69491f95f size: 137216
Section .data  md5: 21453a53325f63394123c58932f6e8f6 sha1: d88b16553423144d2044fb0c696ac7c89e63f7df size: 24064
Section .rsrc  md5: f3e338b537b35fec186de1405edf1db8 sha1: cb86adad04fd9863142eec7407f7d6faf49a1264 size: 23552
Timestamp: 2015-07-06 10:35:35
Version:
LegalCopyright: 2005-2014 COMODO. All rights reserved.
FileVersion: 7, 0, 315459, 4132
CompanyName: COMODO
ProductName: COMODO Internet Security
ProductVersion: 7, 0, 315459, 4132
FileDescription: COMODO Internet Security
Packer: Microsoft Visual C++ ?.?
PEhash: 8d5811588a9e81daf9bb5893b883818d8e9aee63
IMPhash: e388c431cfa97aecdd6b698653276ce4
AV Ad-Aware: Gen:Variant.Symmi.53418
AV Dr. Web: Trojan.Inject1.43628
AV Kaspersky: Trojan.Win32.Generic
AV Authentium: W32/FakeAlert.ACZ.gen!Eldorado
AV Emsisoft: Gen:Variant.Symmi.53418
AV K7: Trojan ( 004c7c181 )
AV Trend Micro: TROJ_CR.DEE3FA4C
AV Eset (nod32): Win32/Kryptik.DOUG
AV Ikarus: Trojan.Win32.Crypt
AV Alwil (avast): Dorder-G [Trj]
AV Fortinet: W32/Kryptik.DOUG!tr
AV Grisoft (avg): Crypt4.BEZM
AV Avira (antivir): TR/Crypt.Xpack.29014
AV Frisk (f-prot): W32/FakeAlert.ACZ.gen!Eldorado
AV F-Secure: Gen:Variant.Symmi.53418
AV Symantec: Trojan.Gen
AV VirusBlokAda (vba32): Heur.Malware-Cryptor.Ngrbot
AV BitDefender: Gen:Variant.Symmi.53418
AV Zillya!: Backdoor.Androm.Win32.21903
AV BullGuard: Gen:Variant.Symmi.53418
AV Rising: No Virus
AV MicroWorld (escan): Gen:Variant.Symmi.53418
AV CA (E-Trust Ino): No Virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue.AR
AV Arcabit (arcavir): Gen:Variant.Symmi.53418
AV CAT (quickheal): Ransom.Cryptodef.S4
AV Mcafee: RDN/Generic BackDoor!bdw
AV Twister: No Virus
AV ClamAV: No Virus
AV MalwareBytes: Trojan.MalPack.ED

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\~
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org (A) ➝ 178.239.61.38
DNS: europe.pool.ntp.org (A) ➝ 195.154.71.176
DNS: europe.pool.ntp.org (A) ➝ 91.237.88.67
DNS: europe.pool.ntp.org (A) ➝ 129.250.35.251
DNS: north-america.pool.ntp.org (A) ➝ 66.220.10.2
DNS: north-america.pool.ntp.org (A) ➝ 159.203.31.244
DNS: north-america.pool.ntp.org (A) ➝ 198.23.200.19
DNS: north-america.pool.ntp.org (A) ➝ 198.110.48.12
DNS: south-america.pool.ntp.org (A) ➝ 186.71.75.78
DNS: south-america.pool.ntp.org (A) ➝ 190.15.128.72
DNS: south-america.pool.ntp.org (A) ➝ 200.160.7.193
DNS: south-america.pool.ntp.org (A) ➝ 146.164.48.5
DNS: asia.pool.ntp.org (A) ➝ 211.233.84.186
DNS: asia.pool.ntp.org (A) ➝ 128.199.84.169
DNS: asia.pool.ntp.org (A) ➝ 139.162.20.174
DNS: asia.pool.ntp.org (A) ➝ 157.7.154.23
DNS: oceania.pool.ntp.org (A) ➝ 203.56.27.253
DNS: oceania.pool.ntp.org (A) ➝ 103.239.8.22
DNS: oceania.pool.ntp.org (A) ➝ 192.189.54.33
DNS: oceania.pool.ntp.org (A) ➝ 202.127.210.36
DNS: africa.pool.ntp.org (A) ➝ 41.222.88.32
DNS: africa.pool.ntp.org (A) ➝ 196.10.54.57
DNS: africa.pool.ntp.org (A) ➝ 196.49.6.67
DNS: africa.pool.ntp.org (A) ➝ 41.73.42.22
DNS: pool.ntp.org (A) ➝ 129.250.35.250
DNS: pool.ntp.org (A) ➝ 199.223.248.99
DNS: pool.ntp.org (A) ➝ 204.2.134.162
DNS: pool.ntp.org (A) ➝ 104.156.99.226
DNS: update.microsoft.com (A)
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
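The runtime and network entries above carry the indicators a triager actually wants from this run: the sample deletes its original (C:\malware.exe), drops msvgqh.exe under All Users and registers it under HKLM\...\Policies\Explorer\Run, touches the Windows NT\CurrentVersion\Windows\Load value, and every DNS name it resolves is an NTP pool host or update.microsoft.com rather than a candidate C2. The Python script below is an added example, not part of the sandbox's output, that pulls those indicators out of a report in the "Label: value" layout and separates persistence-related registry writes from the rest. The embedded report excerpt is constructed from this page's entries; the registry classification rules and the list of sandbox-noise domain suffixes are this example's own assumptions and should be tuned to the sandbox in use.

```python
"""IOC triage for a sandbox report in the "Label: value" layout.

Added example. SAMPLE_REPORT is a constructed excerpt of this page's runtime
and network entries; PERSISTENCE_RULES and NOISE_SUFFIXES are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed excerpt of the report, one "Label: value" entry per line.
SAMPLE_REPORT = """\
MD5: c21641c9513632314ea52202bd9a7f87
SHA1: bd365685c6bf51520a8066e521fd03d02b4a0af7
Creates Process: C:\\WINDOWS\\system32\\msiexec.exe
Registry: HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\Explorer\\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\Policies\\Explorer\\Run\\317606753 ➝ "C:\\Documents and Settings\\All Users\\msvgqh.exe"
Registry: HKEY_CURRENT_USER\\software\\microsoft\\windows nt\\currentversion\\Windows\\Load ➝ \\x00
Creates File: C:\\Documents and Settings\\All Users\\msvgqh.exe
Creates File: \\Device\\Afd\\Endpoint
Deletes File: C:\\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: europe.pool.ntp.org
DNS: europe.pool.ntp.org (A) ➝ 178.239.61.38
DNS: update.microsoft.com (A)
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
"""

# Registry locations worth flagging, first match wins. The labels are this
# example's reading of each location, not something the report itself states.
PERSISTENCE_RULES = [
    (re.compile(r"\\policies\\explorer\\run\\", re.I), "persistence: Policies\\Explorer\\Run autorun"),
    (re.compile(r"\\windows nt\\currentversion\\windows\\load$", re.I), "persistence: Windows\\Load autorun"),
    (re.compile(r"\\currentversion\\run\\", re.I), "persistence: Run key autorun"),
    (re.compile(r"\\taskbarnonotification$", re.I), "evasion: taskbar notifications suppressed"),
    (re.compile(r"\\showsuperhidden$", re.I), "evasion: hidden-file display toggled"),
]

# Domains most sandbox runs resolve regardless of the sample (time sync,
# OS update checks); assumption, tune per sandbox. Never promote these to C2.
NOISE_SUFFIXES = ("pool.ntp.org", "microsoft.com")

DNS_RE = re.compile(r"^(?P<name>\S+) \((?P<type>\w+)\)(?: ➝ (?P<answer>\S+))?$")


def classify_registry(key: str) -> str | None:
    """Return the triage label for a registry path, or None if uninteresting."""
    for pattern, label in PERSISTENCE_RULES:
        if pattern.search(key):
            return label
    return None


def is_noise(domain: str) -> bool:
    """True if the domain equals or sits under one of the noise suffixes."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in NOISE_SUFFIXES)


def triage(report: str) -> dict:
    """Parse "Label: value" lines into grouped indicators."""
    iocs = defaultdict(list)
    names = set()
    for raw in report.splitlines():
        if ": " not in raw:
            continue
        label, value = raw.split(": ", 1)
        value = value.strip()
        if label in ("MD5", "SHA1", "SHA256"):
            iocs["hashes"].append((label.lower(), value))
        elif label == "Creates File" and value.lower().endswith(".exe"):
            iocs["dropped"].append(value)          # dropped executables only
        elif label == "Deletes File":
            iocs["deleted"].append(value)          # self-deletion shows up here
        elif label == "Creates Process":
            iocs["processes"].append(value)
        elif label == "Registry":
            key, _, data = value.partition(" ➝ ")
            tag = classify_registry(key)
            if tag:
                iocs["persistence"].append((tag, key, data))
        elif label == "Winsock DNS":
            names.add(value)
        elif label == "DNS":
            m = DNS_RE.match(value)
            if m:
                names.add(m["name"])
                if m["answer"]:
                    iocs["resolved"].append((m["name"], m["answer"]))
        elif label.startswith("Flows "):
            iocs["flows"].append((label.split()[1], value))
    for n in sorted(names):
        iocs["dns_noise" if is_noise(n) else "dns_candidates"].append(n)
    return dict(iocs)


if __name__ == "__main__":
    for group, items in triage(SAMPLE_REPORT).items():
        print(group)
        for item in items:
            print("   ", item)
```

On this page's data the script yields no `dns_candidates` at all: the only names resolved are regional pool.ntp.org hosts and update.microsoft.com, so the network section gives you nothing to block, and the actionable indicators are the dropped file, the Policies\Explorer\Run value, and the file hashes.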
