Analysis Date: 2015-12-01 23:41:07
MD5: 72b1e9c5844baa13bf8aadf81e496a3e
SHA1: dc54e0ee5cc024b39c153f82c0af9be634c31655

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5eb9dc211197b40ff7e58d45be941b71 sha1: 3a1dff8f8f872a47b7ee70b36045c5109549971b size: 104960
Section .rdata: md5: 78acdd8c7c7adcd7f95835c4f53d1852 sha1: 7aa92258110fffc4a417621a0076931ea469ab7c size: 41472
Section .data: md5: b061a28b33a656aa3935dc826e7e6011 sha1: 7319e2d6a23835c34a911bee014067a3f3edc381 size: 26112
Section .rsrc: md5: acc8c10f23206974e0c4f73a8f0ce16b sha1: 4c159827c2a041117acb6447ad4e706dcfc478f3 size: 55296
Timestamp: 2015-09-11 23:54:44
Packer: Microsoft Visual C++ ?.?
PEhash: 636210843fd0a4310a2c97f9e404d98368408e95
IMPhash: 99d93ea4a94d11f0bd1c1252b5318c03
AV Fortinet: W32/Kryptik.DWRV!tr
AV Ikarus: Worm.Win32.Dorkbot
AV Trend Micro: BKDR_AN.CEE09E25
AV Ad-Aware: Trojan.GenericKDZ.30305
AV McAfee: RDN/Generic.dx
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Ransom.CryptoWall
AV Symantec: Trojan.Gen
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Ransom.Crowti.A4
AV CA (E-Trust Ino): no_virus
AV MicroWorld (escan): Trojan.GenericKDZ.30305
AV BullGuard: Trojan.GenericKDZ.30305
AV Emsisoft: Trojan.GenericKDZ.30305
AV K7: Trojan ( 004cf4451 )
AV ClamAV: no_virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue!rfn
AV Eset (nod32): Win32/Kryptik.DWTK
AV Twister: no_virus
AV Zillya!: Trojan.Kryptik.Win32.791408
AV Dr. Web: BackDoor.Andromeda.614
AV Alwil (avast): Androp [Drp]
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKDZ.30305
AV Avira (antivir): TR/Crypt.Xpack.273217
AV BitDefender: Trojan.GenericKDZ.30305
AV Arcabit (arcavir): Trojan.GenericKDZ.30305
AV Grisoft (avg): Zbot.AHAW

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\~
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: update.microsoft.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org (Type: A): 194.54.80.30, 131.188.3.221, 81.94.123.16, 195.50.171.101
DNS north-america.pool.ntp.org (Type: A): 168.235.149.88, 129.6.15.29, 96.126.105.86, 206.108.0.132
DNS south-america.pool.ntp.org (Type: A): 66.60.22.202, 200.160.7.186, 200.160.0.8, 190.15.141.64
DNS asia.pool.ntp.org (Type: A): 106.247.248.106, 59.106.180.168, 31.193.144.2, 194.27.222.5
DNS oceania.pool.ntp.org (Type: A): 130.102.128.23, 203.56.27.253, 202.127.210.37, 202.22.158.31
DNS africa.pool.ntp.org (Type: A): 197.80.150.123, 146.231.129.81, 41.78.128.17, 197.157.194.21
DNS pool.ntp.org (Type: A): 108.61.56.35, 204.2.134.162, 198.110.48.12, 132.163.4.101
DNS www.update.microsoft.com.nsatc.net (Type: A): 65.55.50.189, 134.170.58.222
DNS update.microsoft.com (Type: A): (no address recorded)
DNS and4.junglebeariwtc1.com (Type: A): (no address recorded)
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 65.55.50.189:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
