Analysis Date: 2016-02-26 22:55:41
MD5: cc15bc148eaaf01f1d653b4490e12872
SHA1: c3a3705796811775ea80117ae6e7b6cd313ca563

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b191696b91cece89ce7b5bbd68ce97ec sha1: 39d0aa4b18c21fc4e6527c46e7785d6aa836cd41 size: 55808
Section .rdata: md5: efd5db693bf6eef7cd3c05f96f51f4aa sha1: ef9f831441c046fd077fa0e6bd79e07349a812f3 size: 9728
Section .data: md5: aff04e3caef656077e25b6fe6876b157 sha1: c71e8800f1592e9927eb3c2955c0f9d2b56f2764 size: 60928
Section .reloc: md5: dbdbd39cba386de27af88ad64f5ced08 sha1: f2245ea331a94140a1e59f04ad610d5691c0b58c size: 4608
Timestamp: 2016-01-19 13:15:19
Packer: Microsoft Visual C++ ?.?
PEhash: 0e0e45339c73057b24f6da9a9c77bd8992453506
IMPhash: e455678411cf3e1a19ba82415a4febba
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): No Virus
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.7113
AV Alwil (avast): Dorder-E [Trj]
AV Eset (nod32): Win32/Kryptik.ELCF
AV Grisoft (avg): Crypt5.ACVG
AV Symantec: No Virus
AV Fortinet: W32/Kryptik.EMTD!tr
AV BitDefender: Gen:Variant.Razy.7113
AV K7: No Virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): Gen:Variant.Razy.7113
AV MalwareBytes: Ransom.FileCryptor
AV Authentium: W32/S-98627d33!Eldorado
AV Emsisoft: Gen:Variant.Razy.7113
AV Frisk (f-prot): No Virus
AV Ikarus: No Virus
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Razy.7113
AV Arcabit (arcavir): Gen:Variant.Razy.7113
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.10584
AV F-Secure: Gen:Variant.Razy.7113
AV CA (E-Trust Ino): Gen:Variant.Razy.7113

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\1828453
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\C3A370~1.EXE
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org (Type: A) ➝ 62.210.85.244
DNS europe.pool.ntp.org (Type: A) ➝ 91.224.149.41
DNS europe.pool.ntp.org (Type: A) ➝ 91.234.160.19
DNS europe.pool.ntp.org (Type: A) ➝ 95.104.192.10
DNS north-america.pool.ntp.org (Type: A) ➝ 64.71.128.26
DNS north-america.pool.ntp.org (Type: A) ➝ 66.7.96.1
DNS north-america.pool.ntp.org (Type: A) ➝ 204.2.134.164
DNS north-america.pool.ntp.org (Type: A) ➝ 206.108.0.131
DNS south-america.pool.ntp.org (Type: A) ➝ 192.188.53.26
DNS south-america.pool.ntp.org (Type: A) ➝ 200.160.7.193
DNS south-america.pool.ntp.org (Type: A) ➝ 164.73.232.34
DNS south-america.pool.ntp.org (Type: A) ➝ 190.15.141.64
DNS asia.pool.ntp.org (Type: A) ➝ 128.199.84.169
DNS asia.pool.ntp.org (Type: A) ➝ 157.7.154.29
DNS asia.pool.ntp.org (Type: A) ➝ 194.225.150.25
DNS asia.pool.ntp.org (Type: A) ➝ 211.233.84.186
DNS oceania.pool.ntp.org (Type: A) ➝ 192.189.54.17
DNS oceania.pool.ntp.org (Type: A) ➝ 54.252.129.186
DNS oceania.pool.ntp.org (Type: A) ➝ 103.242.70.5
DNS oceania.pool.ntp.org (Type: A) ➝ 130.102.2.123
DNS africa.pool.ntp.org (Type: A) ➝ 196.49.6.67
DNS africa.pool.ntp.org (Type: A) ➝ 196.223.19.3
DNS africa.pool.ntp.org (Type: A) ➝ 197.82.150.123
DNS africa.pool.ntp.org (Type: A) ➝ 196.41.127.42
DNS pool.ntp.org (Type: A) ➝ 173.255.246.13
DNS pool.ntp.org (Type: A) ➝ 184.105.182.7
DNS pool.ntp.org (Type: A) ➝ 209.208.79.69
DNS pool.ntp.org (Type: A) ➝ 129.250.35.250
DNS microsoft.com (Type: A) ➝ 191.239.213.197
DNS microsoft.com (Type: A) ➝ 23.96.52.53
DNS microsoft.com (Type: A) ➝ 23.100.122.175
DNS microsoft.com (Type: A) ➝ 104.40.211.35
DNS microsoft.com (Type: A) ➝ 104.43.195.251
DNS ringplanet.eu (Type: A) (no answer recorded)
Flows UDP: 192.168.1.1:1044 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1045 ➝ 191.239.213.197:80
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
