Analysis Date: 2016-01-28 10:53:08
MD5: e9592da1c6a954d8ed0daae280f90b12
SHA1: d41712fbc9bde09d5478813ac6c6c976c89b602b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: fba5d12b7d0a027050b5f63fe5076a8e sha1: b5f779ad471e37594603a15ad3c4f737eb286152 size: 57344
Section .rdata: md5: c1e1c54399b5e0d3f9781849819e8151 sha1: 5da94d9739c2e6fdac77659efc91acaf5f8e3508 size: 9728
Section .data: md5: de7f9b87826bc2f50a506bfe87d07e84 sha1: 5ee336cd078b754cca02d2f8c2834d501ad07d3c size: 40448
Section .vber: md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .xtr: md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .reloc: md5: fba68dc21cc54223f483739e5b6d294c sha1: 60ca74748aba287cf9526abd548c65b072e6425f size: 5120
Timestamp: 2016-01-21 18:45:06
Packer: Microsoft Visual C++ ?.?
PEhash: 86645d6a6dacf93ce7f9199d8238e59ab9192004
IMPhash: 798a145ab0f5d70e6caa7f50807d05a2
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Crypt.Xpack.432643
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.4293
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.ELIE
AV Grisoft (avg): Crypt5.ADFV
AV Symantec: No Virus
AV Fortinet: W32/Kryptik.ELIE!tr
AV BitDefender: Gen:Variant.Razy.4293
AV K7: No Virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV MicroWorld (escan): No Virus
AV MalwareBytes: Trojan.Downloader
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: No Virus
AV Emsisoft: Gen:Variant.Razy.4293
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Yakes.osxg
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Razy.4293
AV Arcabit (arcavir): Gen:Variant.Razy.4293
AV ClamAV: No Virus
AV Dr. Web: Trojan.Siggen6.55743
AV F-Secure: Gen:Variant.Razy.4293
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\112968
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\D41712~1.EXE
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: ringplanet.eu
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 23.100.122.175:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
