Analysis Date: 2015-11-27 06:35:23
MD5: 9d3b8ba66a8d0b39923e6102732a1330
SHA1: d87deada6b59e34196d2605505d62d1e73e36fe4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: d58b2d14ef0b3b5a4bb1a3ec93c7a537 sha1: 39122822f17be393845d7dd67000edd530070cd6 size: 28160
Section .rdata md5: eb14ae2b926d4a698870acd51824e96b sha1: 6b4afa6f1ca068ba3030e63d178709c9554e40e0 size: 31744
Section .data  md5: 6d018ca2f58fdcb101cbdf4655ba4ab1 sha1: be1e52fdf0b44d124ff2b461e98d62434a0986e5 size: 17920
Timestamp: 2015-11-11 18:15:17
Packer: Microsoft Visual C++ ?.?
PEhash: 759df220848ee9a29f0c813a34c9a36a1a87205f
IMPhash: 4b62e2a1fca468d49b9dec42ccc75e4d
AV F-Secure: Gen:Variant.Kazy.766176
AV Authentium: W32/Trojan.XHGT-2118
AV MalwareBytes: Trojan.MalPack
AV Dr. Web: Trojan.DownLoader17.50718
AV Grisoft (avg): Crypt5.LBT
AV Eset (nod32): Win32/Kryptik.AMUG
AV MicroWorld (escan): Gen:Variant.Kazy.766176
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Gen:Variant.Kazy.766176
AV BitDefender: Gen:Variant.Kazy.766176
AV Avira (antivir): TR/Crypt.ZPACK.207117
AV Alwil (avast): Dorder-D [Trj]
AV Fortinet: W32/Androm.IQQH!tr.bdr
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Backdoor.Win32.Androm.iqqh
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.766176
AV Mcafee: no_virus
AV Twister: Trojan.Girtk.AMUG.ewlc
AV Symantec: Trojan.Gen.2
AV K7: Trojan ( 004d6b541 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Kazy.766176
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.766176
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\120046
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: europe.pool.ntp.org (Type: A) ➝ 5.196.160.139
DNS: europe.pool.ntp.org (Type: A) ➝ 82.100.248.10
DNS: europe.pool.ntp.org (Type: A) ➝ 85.252.162.7
DNS: europe.pool.ntp.org (Type: A) ➝ 91.206.8.36
DNS: north-america.pool.ntp.org (Type: A) ➝ 198.211.106.151
DNS: north-america.pool.ntp.org (Type: A) ➝ 104.41.150.68
DNS: north-america.pool.ntp.org (Type: A) ➝ 104.131.51.97
DNS: north-america.pool.ntp.org (Type: A) ➝ 138.236.128.112
DNS: south-america.pool.ntp.org (Type: A) ➝ 66.60.22.202
DNS: south-america.pool.ntp.org (Type: A) ➝ 146.164.48.5
DNS: south-america.pool.ntp.org (Type: A) ➝ 186.103.182.15
DNS: south-america.pool.ntp.org (Type: A) ➝ 200.192.232.8
DNS: asia.pool.ntp.org (Type: A) ➝ 211.233.84.186
DNS: asia.pool.ntp.org (Type: A) ➝ 218.189.210.4
DNS: asia.pool.ntp.org (Type: A) ➝ 52.69.228.202
DNS: asia.pool.ntp.org (Type: A) ➝ 168.63.242.24
DNS: oceania.pool.ntp.org (Type: A) ➝ 103.242.68.68
DNS: oceania.pool.ntp.org (Type: A) ➝ 103.242.70.5
DNS: oceania.pool.ntp.org (Type: A) ➝ 121.0.0.42
DNS: oceania.pool.ntp.org (Type: A) ➝ 203.97.218.196
DNS: africa.pool.ntp.org (Type: A) ➝ 196.192.32.7
DNS: africa.pool.ntp.org (Type: A) ➝ 196.223.19.3
DNS: africa.pool.ntp.org (Type: A) ➝ 41.78.128.17
DNS: africa.pool.ntp.org (Type: A) ➝ 154.127.59.231
DNS: pool.ntp.org (Type: A) ➝ 45.79.10.228
DNS: pool.ntp.org (Type: A) ➝ 204.9.136.253
DNS: pool.ntp.org (Type: A) ➝ 208.79.89.249
DNS: pool.ntp.org (Type: A) ➝ 209.244.0.4
DNS: microsoft.com (Type: A) ➝ 23.96.52.53
DNS: microsoft.com (Type: A) ➝ 23.100.122.175
DNS: microsoft.com (Type: A) ➝ 104.40.211.35
DNS: microsoft.com (Type: A) ➝ 104.43.195.251
DNS: microsoft.com (Type: A) ➝ 191.239.213.197
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
