ThreatScope Analysis Report

For file Dcs.tmp uploaded 2013-01-15 at 09:47:12 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Drops and runs executable file(s)

Drops executable file(s)

Writes to the filesystem in the Windows Program Files directory

Writes to the filesystem in a directory of the user profile

Executes the Windows command shell program

Screenshots: None

File details:

Hash MD5        086b444ae139ffe8b4f913890f358c85
File size       504.00 KB
Hash SHA-1      0336d98c7a450caf9ff5354a7f50873189b8d804
File uploaded   2013-01-15 09:47:12 AM
Hash SHA-256    3420e88e0b3976dc533ac3997a6629354d4c9ce8c95f19f15d6a373eeeb27843
Report created  2013-01-15 09:48:39 AM

Technical Details

Requested HTTP URLs

No HTTP communications were detected.

Resolved hostnames

DNS was not used to resolve any hostnames.

IP addresses

No IP addresses were requested.

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event           File path
Creates file    c:\Program Files\Windows NT\svchost.exe
Writes file     c:\Program Files\Windows NT\svchost.exe
Opens file      c:\Program Files\Windows NT\svchost.exe
Creates file    c:\Documents and Settings\Administrator\Local Settings\Temp\msc.bat
Writes file     c:\Documents and Settings\Administrator\Local Settings\Temp\msc.bat
Opens file      c:\Documents and Settings\Administrator\Local Settings\Temp\msc.bat

Process modifications

The analyzed file affected the following system processes.

Event             File path
Creates process   Sample started
Creates process   C:\Program Files\Windows NT\svchost.exe
Creates process   C:\WINDOWS\system32\cmd.exe
Creates process   C:\WINDOWS\system32\chcp.com
Creates process   C:\WINDOWS\system32\attrib.exe

Registry

No Windows Registry changes were made.

Global system events

The following global system events were detected.

Event               Name
Creates semaphore   shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}8c85.exe
Creates semaphore   shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Creates event       WIN_8E2CA425E087247A6CE7BDD3F518220508056104
Creates event       SYS_3ED36C30F6E3A1E2BC2F74A30ED75E2C0057B292
Creates mutex       SHIMLIB_LOG_MUTEX
Creates event       DINPUTWINMM
Creates event       Global\userenv: User Profile setup event

Websense has made an effort to determine if your submission is malicious; however, Websense cannot guarantee the accuracy of the result.