Analysis Date: 2015-12-24 11:02:31
MD5: 21f6776f46257d2ae5302b9ac3a37a91
SHA1: e92240c607a01a2ecbd4e28bd686b554fbe86e48

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5e9ce83a7296cae17ed1124bff38e427 sha1: 130ce8ba30ac34de1e306f61b73cb33d10d69927 size: 207872
Section .rdata: md5: cf896853d2ebee99a2cbb19959ac5cd0 sha1: 6dbd5db936de107e96941e9ab65804484277021d size: 14848
Section .data: md5: 7a0234aaaa0cf36eab0493a15ba14c6b sha1: 5373571dc69e3f1defe3d53b3ce85ab5a0e4bcc0 size: 15360
Section .rsrc: md5: 412fdee9700bf718e413ad9995c71ac9 sha1: 2c2b8045e82ca70e49ffed53f7ba8f6aa9b06fa7 size: 49664
Timestamp: 2015-10-16 11:15:23
Version:
  LegalCopyright: Copyright © 2002-2011
  InternalName: BCWipeTM
  FileVersion: 3.01
  CompanyName: Jetico, Inc.
  ProductName: Jetico, Inc. BCWipe Task Manager
  ProductVersion: 3.01
  FileDescription: BCWipeTM
  OriginalFilename: BCWipeTM.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 51f466816bc18fee4b047de8e9eda6bfacc6149e
IMPhash: 164f13876ee1d1cd61b967351ca5b19f
AV Alwil (avast): Androp [Drp]
AV MalwareBytes: Ransom.FileCryptor
AV Microsoft Security Essentials: Trojan:Win32/Skeeyah.A!rfn
AV Eset (nod32): Win32/Kryptik.EBAI
AV Avira (antivir): TR/AD.Gamarue.Y.1226
AV Grisoft (avg): Crypt_r.AEJ
AV Symantec: Trojan.Gen.2
AV MicroWorld (escan): Trojan.Lethic.Gen.9
AV Kaspersky: Trojan.Win32.Generic
AV Ad-Aware: Trojan.Lethic.Gen.9
AV VirusBlokAda (vba32): Heur.Malware-Cryptor.Ngrbot
AV Ikarus: Trojan.Win32.Crypt
AV BullGuard: Trojan.Lethic.Gen.9
AV Emsisoft: Trojan.Lethic.Gen.9
AV Rising: no_virus
AV Twister: no_virus
AV Zillya!: no_virus
AV Dr. Web: Trojan.PWS.Stealer.15593
AV Fortinet: W32/Kryptik.EBGU!tr
AV ClamAV: no_virus
AV CAT (quickheal): Backdoor.Androm.r4
AV Authentium: W32/Agent.XL.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV Mcafee: RDN/Generic BackDoor
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Lethic.Gen.9
AV Trend Micro: no_virus
AV BitDefender: Trojan.Lethic.Gen.9
AV Arcabit (arcavir): Trojan.Lethic.Gen.9
AV K7: Trojan ( 004d456f1 )

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\115515
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: and12.thesuchivestfishmarketeat111.com
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org (Type: A): 5.9.122.148, 87.195.109.220, 192.53.103.108, 212.47.252.138
DNS north-america.pool.ntp.org (Type: A): 97.107.129.217, 128.138.141.172, 129.250.35.251, 198.55.111.50
DNS south-america.pool.ntp.org (Type: A): 146.164.48.5, 186.71.75.78, 190.181.129.115, 54.232.82.232
DNS asia.pool.ntp.org (Type: A): 211.233.84.186, 118.189.211.186, 202.65.114.202, 202.162.32.12
DNS oceania.pool.ntp.org (Type: A): 121.0.0.42, 130.102.2.123, 192.189.54.33, 202.22.158.31
DNS africa.pool.ntp.org (Type: A): 41.222.88.32, 196.10.52.57, 41.79.80.34, 41.204.120.137
DNS pool.ntp.org (Type: A): 45.56.105.98, 131.107.13.100, 142.54.181.202, 216.152.240.220
DNS microsoft.com (Type: A): 191.239.213.197, 23.96.52.53, 23.100.122.175, 104.40.211.35, 104.43.195.251
DNS and12.thesuchivestfishmarketeat111.com (Type: A)
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 191.239.213.197:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
