ThreatScope Analysis Report

For file KB00121097.exe uploaded 2013-04-10 at 03:36:07 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Traffic to server hosting malicious content

Drops and runs executable file(s) in a directory of the user profile often used by malware

Writes to the filesystem in a directory of the user profile often used by malware

Executes the Windows command shell program

Screenshots: None

File details:

Hash MD5:        c786fac05a46b8d6757a26b4b82618f2
Hash SHA-1:      633ee1de05ce93fc53cec7359a6f97f9e0cb2548
Hash SHA-256:    b0ab47c47c0969ade554ebd52721cbdeb97ebe3bb4d792e05c4e824e22ffc418
File size:       154.00 KB
File uploaded:   2013-04-10 03:36:07 AM
Report created:  2013-04-10 03:38:38 AM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs.

Column notes:
Details   May include user agent string, HTTP server, or encryption information.
Status    The first item is the response type (e.g. 200, meaning OK). The second item is the size of the response.
MIME      The first item is the server-declared content type. The second item is the true content type.

Request 1
URL:         88.191.130.98:8080/p+K3T/pMlIM/AkcY/
IP Address:  88.191.130.98 (France)
Category:    Malicious Web Sites
Details:     User agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
             HTTP Server:
Method:      POST
Status:      200, 0 B
MIME:        application/octet-stream

Request 2
URL:         88.191.130.98:8080/p+K3T/pMlIM/AkcY/
IP Address:  88.191.130.98 (France)
Category:    Malicious Web Sites
Details:     User agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
             HTTP Server:
Method:      POST
Status:      0, 0 B
MIME:

Resolved hostnames

DNS was not used to resolve any hostnames.

IP addresses

The analyzed file requests the following IP addresses.

IP Address      ASN                 Country
88.191.130.98   AS12322 Free SAS    France
88.191.130.98   AS12322 Free SAS    France

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event         File path
Writes file   \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\exp1.tmp.bat
Writes file   \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\exp4.tmp.bat
Writes file   \Device\HarddiskVolume1\Documents and Settings\victimo\Application Data\KB01332073.exe

Process modifications

The analyzed file affected the following system processes.

Event             File path
Creates process   \Device\HarddiskVolume1\WINDOWS\system32\cmd.exe
Creates process   \Device\HarddiskVolume1\WINDOWS\Temp\633ee1de05ce93fc53cec7359a6f97f9e0cb2548.exe
Creates process   \Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\exp3.tmp.exe
Creates process   \Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\exp2.tmp.exe
Creates process   \Device\HarddiskVolume1\Documents and Settings\victimo\Application Data\KB01332073.exe
Creates process   \Device\HarddiskVolume1\WINDOWS\explorer.exe

Registry

The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup.

Event             Key
Adds/Sets value   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Adds/Sets value   \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\HWID
Adds/Sets value   \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
Adds/Sets value   \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
Adds/Sets value   \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
Adds/Sets value   \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
Adds/Sets value   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
Adds/Sets value   \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
Adds/Sets value   \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData

Value: the report shows an empty Data field for every entry above.

Global system events

No global system events were detected.

Forcepoint has made an effort to determine whether your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.