Analysis Date: 2016-02-05 15:17:25
MD5: b953a4d15093b2cc4cf31a5a46f8c8c3
SHA1: d08e4584f1b7db6718cf40583236ea3198182b76

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Section  MD5                               SHA1                                      Size
.text    c42e92852b78a9f19f3f67b477a60581  caa1fb4c070616ec339370cdb48a711e3aed07f3  91648
.rdata   bb1ea615809f3f22c2764e1e1edc14ad  0ebce730a510b2f99dc900a4902a7acb7c8fb62d  31744
.data    edb9b479fa3c49ce4ade672d3695babc  bb95e570a896beb11bc790057b6c9f3155ed8c3e  9728
.elfs    cd508c9a7c516b5b7daf7f3925433501  b337a8abd3a09aeea7a98557ef30efe94909a552  12288
.roul    ed483c0ce380d4dec89b92cae091cf75  f85388f12d113b9a2c9d09a4f38c4b3eda17af8e  9728
.rsrc    12e6a6fce4ca3fe72747302a7e2a63ab  1b1d2229b95a5d5a48479f3e8509dfbaa60c8516  39424

Timestamp: 2016-01-29 15:47:27
Packer: Microsoft Visual C++ ?.?
PEhash: cf9af6063b33240378fe3375cb7611cc3d1b50c1
IMPhash: 5800cda9f6d803757f5a8f2b3065bed7
AV detections:

F-Secure: Gen:Variant.Zusy.180057
Ad-Aware: Gen:Variant.Zusy.180057
Grisoft (avg): Crypt5.AFGL
CAT (quickheal): No Virus
Ikarus: Trojan.Win32.Crypt
Avira (antivir): TR/Crypt.Xpack.439513
K7: Trojan ( 004dcfbd1 )
ClamAV: No Virus
Kaspersky: Trojan.Win32.Bublik.edqu
Arcabit (arcavir): Gen:Variant.Zusy.180057
MalwareBytes: Ransom.FileLocker
Dr. Web: BackDoor.Andromeda.662
Mcafee: RDN/Generic.dx
BitDefender: Gen:Variant.Zusy.180057
Microsoft Security Essentials: Worm:Win32/Gamarue
Emsisoft: Gen:Variant.Zusy.180057
MicroWorld (escan): Gen:Variant.Zusy.180057
Alwil (avast): Dorder-T [Trj]
Rising: No Virus
Eset (nod32): Win32/Kryptik.EMHJ
BullGuard: Gen:Variant.Zusy.180057
Symantec: Trojan.Gen
Fortinet: W32/Bublik.EDQU!tr
Trend Micro: No Virus
Authentium: W32/Agent.XL.gen!Eldorado
Twister: No Virus
Frisk (f-prot): No Virus
VirusBlokAda (vba32): No Virus
CA (E-Trust Ino): No Virus
Zillya!: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\113984
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\D08E45~1.EXE
Winsock DNS: pool.ntp.org
Winsock DNS: and18.f16zakitchenboy1.com
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 191.239.213.197:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53