ThreatScope Analysis Report

For file 14VkWHU0.exe uploaded 2013-06-14 at 10:06:18 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Drops and runs executable file(s) in a directory of the user profile often used by malware

Writes to the filesystem in a Windows system directory

Writes to the filesystem in a directory of the user profile often used by malware

Executes the Windows command shell program

Screenshots: None

File details:

Hash MD5:       9801a14d3f476a88de9b216b58d61308
Hash SHA-1:     4d8f5799ac5d7fd8f9e28d16c0c3150f43d81576
Hash SHA-256:   da5f0f7bb48ca31c4f81d3addcc85e93fb7bbfe660b6b8ae141a460a968d90c8
File size:      0 B
File uploaded:  2013-06-14 10:06:18 AM
Report created: 2013-06-14 10:08:03 AM

Technical Details

Requested HTTP URLs

No HTTP communications were detected.

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname                  | Category               | IP address
time.microsoft.akadns.net | Information Technology | 64.4.10.33
time.windows.com          | Information Technology | time.microsoft.akadns.net

IP addresses

No IP addresses were requested.

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event       | File path
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\NTUSER.DAT.LOG
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\wbem\Performance\WmiApRpl_new.ini
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Application Data\Lean\uznea.exe
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\perfh009.dat
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\NTUSER.DAT
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\PerfStringBackup.INI
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\wbem\Performance\WmiApRpl_new.h
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\PerfStringBackup.TMP
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\perfc009.dat
Writes file | \Device\HarddiskVolume1\$ConvertToNonresident
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\wbem\Logs\wmiprov.log
Writes file | \Device\HarddiskVolume1\$LogFile
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\NPH944B.bat

Process modifications

The analyzed file affected the following system processes.

Event           | File path
Creates process | \Device\HarddiskVolume1\WINDOWS\system32\cmd.exe
Creates process | \Device\HarddiskVolume1\Documents and Settings\victimo\Application Data\Lean\uznea.exe
Creates process | \Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe
Creates process | \Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiadap.exe
Creates process | \Device\HarddiskVolume1\WINDOWS\Temp\4d8f5799ac5d7fd8f9e28d16c0c3150f43d81576.exe
Creates process | \Device\HarddiskVolume1\WINDOWS\explorer.exe

Registry

The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup.

Event           | Key | Value
Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Counter | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\mssmbios.sys[MofResource] | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Help | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Counter | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource] | Data:
Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Help | Data:
Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Counter | Data:
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData | Data:
Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Object List | Data:
Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Help | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource] | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refreshed | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource] | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\pcntpci5.sys[NdisMofResource] | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\pcntpci5.sys[NdisMofResource] | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refresh | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\advapi32.dll[MofResourceName] | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\ACPI.sys[ACPIMOFResource] | Data:
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Aluhzaajigs\1319ddbh | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\ACPI.sys[ACPIMOFResource] | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource] | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\mssmbios.sys[MofResource] | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\advapi32.dll[MofResourceName] | Data:
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData | Data:
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating | Data:

Global system events

No global system events were detected.

Forcepoint has made an effort to determine if your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.