ThreatScope Analysis Report

For file FSEMC_39898_2898810.exe uploaded 2013-06-14 at 10:02:01 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Traffic to server hosting malicious content

Drops and runs executable file(s) in a directory of the user profile often used by malware

Writes to the filesystem in a Windows system directory

Traffic to uncategorized server

Writes to the filesystem in a directory of the user profile often used by malware

Executes the Windows command shell program

Screenshots: None

File details:

Hash MD5: bc48d3e736c66f577636ed486a990eeb
Hash SHA-1: d1811144d9ac5593b24f2fa2c332a59915c736a0
Hash SHA-256: 00f44827497950548a994f0f7150cd5edb8595fc85a21a3fb9d9d549a96516df
File size: 112.50 KB
File uploaded: 2013-06-14 10:02:01 AM
Report created: 2013-06-14 10:03:46 AM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs. For each request: Details may include the user agent string, HTTP server, or encryption information; Status gives the response type (e.g. 200, meaning OK) followed by the size of the response; MIME gives the server-declared content type followed by the true content type.

URL: kahrobaa.com/14VkWHU0.exe
IP Address: 72.55.179.150 (Canada)
Category: Uncategorized
Details: User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2); HTTP Server: (blank)
Method: GET
Status: 200, 294.00 KB
MIME: application/octet-stream

URL: audiomasteringmeistro.com/ponyb/gate.php
IP Address: 173.246.104.154 (United States)
Category: Uncategorized
Details: User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2); HTTP Server: (blank)
Method: POST
Status: 200, 0 B
MIME: application/octet-stream

URL: www.google.com/
IP Address: 173.194.33.17 (United States)
Category: Search Engines and Portals
Details: User agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0; HTTP Server: (blank)
Method: GET
Status: 0, 0 B
MIME: (blank)

URL: www.sistersnstyle.co/4bnsSjBb.exe
IP Address: 184.168.178.1 (United States)
Category: Uncategorized
Details: User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2); HTTP Server: (blank)
Method: GET
Status: 200, 294.00 KB
MIME: application/octet-stream

URL: villa-anastasia-crete.com/JWHvdgW.exe
IP Address: 207.58.178.155 (United States)
Category: Uncategorized
Details: User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2); HTTP Server: (blank)
Method: GET
Status: 200, 201.50 KB
MIME: application/octet-stream

URL: 204.12.46.166/7tW.exe
IP Address: 204.12.46.166 (United States)
Category: Malicious Web Sites
Details: User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2); HTTP Server: (blank)
Method: GET
Status: 200, 294.00 KB
MIME: application/octet-stream

URL: www.microsoft.com/uploading/id=9498657&u=4WSbvjA+sJYdYTrHmxr7tGGnc41+nDo4SXuEzEaJacviRtjYIg2xcqQMAWYaZM4RqxalcusDRHEPXznqfe/8wQ==
IP Address: 78.140.131.151 (Netherlands)
Category: Information Technology
Details: User agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0; HTTP Server: (blank)
Method: GET
Status: 403, 0 B
MIME: (blank)

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname | Category | IP address
cdn162.files2uplodetc.com | Uncategorized | 78.131.140.151
time.windows.com | Information Technology | time.microsoft.akadns.net
www.google.com | Search Engines and Portals | 173.194.33.17
www.google.com | Search Engines and Portals | 173.194.33.20
www.google.com | Search Engines and Portals | 173.194.33.19
www.google.com | Search Engines and Portals | 173.194.33.18
www.google.com | Search Engines and Portals | 173.194.33.16
sistersnstyle.co | Uncategorized | 184.168.178.1
audiomasteringmeistro.com | Uncategorized | 173.246.104.154
kahrobaa.com | Uncategorized | 72.55.179.150
villa-anastasia-crete.com | Uncategorized | 207.58.178.155
time.microsoft.akadns.net | Information Technology | 64.4.10.33
www.sistersnstyle.co | Uncategorized | sistersnstyle.co

IP addresses

The analyzed file requests the following IP addresses.

IP Address | ASN | Country
72.55.179.150 | AS32613 iWeb Technologies Inc. | Canada
173.246.104.154 | AS29169 Gandi SAS | United States
173.194.33.17 | AS15169 Google Inc. | United States
184.168.178.1 | AS26496 GoDaddy.com, LLC | United States
207.58.178.155 | AS25847 ServInt | United States
204.12.46.166 | AS20021 HostMySite | United States
78.140.131.151 | AS35415 Webazilla B.V. | Netherlands

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event | File path
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\44093.exe
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\PKM28A7.bat
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\PYP59D.bat
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\PerfStringBackup.TMP
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\47107.exe
Writes file | \Device\HarddiskVolume1\$ConvertToNonresident
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\47718.bat
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Cookies\victimo@google[1].txt
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\NTUSER.DAT.LOG
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\wbem\Performance\WmiApRpl_new.ini
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\perfh009.dat
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\45345.exe
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\NTUSER.DAT
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\PerfStringBackup.INI
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\wbem\Performance\WmiApRpl_new.h
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Application Data\Vacah\uxeb.exe
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Cookies\index.dat
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\perfc009.dat
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Cookies\victimo@google[2].txt
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\41269.exe
Writes file | \Device\HarddiskVolume1\WINDOWS\system32\wbem\Logs\wmiprov.log
Writes file | \Device\HarddiskVolume1\$LogFile
Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\OZV8D36.bat

Process modifications

The analyzed file affected the following system processes.

Event | File path
Creates process | \Device\HarddiskVolume1\WINDOWS\system32\cmd.exe
Creates process | \Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\44093.exe
Creates process | \Device\HarddiskVolume1\WINDOWS\system32\msiexec.exe
Creates process | \Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\45345.exe
Creates process | \Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\41269.exe
Creates process | \Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe
Creates process | \Device\HarddiskVolume1\Documents and Settings\victimo\Application Data\Vacah\uxeb.exe
Creates process | \Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\47107.exe
Creates process | \Device\HarddiskVolume1\WINDOWS\Temp\d1811144d9ac5593b24f2fa2c332a59915c736a0.exe
Creates process | \Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiadap.exe
Creates process | \Device\HarddiskVolume1\WINDOWS\explorer.exe

Registry

The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup. The Value column ("Data:") is blank for every entry in this report, so only the event and key are listed.

Event | Key
Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Counter
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Help
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource]
Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\41269.exe
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\Client Hash
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource]
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\45345.exe
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource]
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\pcntpci5.sys[NdisMofResource]
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\HWID
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\advapi32.dll[MofResourceName]
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\ACPI.sys[ACPIMOFResource]
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\9801A14D3F476A88DE9B216B58D61308
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\ACPI.sys[ACPIMOFResource]
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource]
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\mssmbios.sys[MofResource]
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Counter
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\47718.bat
Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Help
Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Counter
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass
Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Object List
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass
Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Help
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\44093.exe
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Doheuhe\15j9hf07
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refreshed
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\37E2C9AC0CDFFBF796E53D4B77B4F0C0
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\pcntpci5.sys[NdisMofResource]
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refresh
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\47107.exe
Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\mssmbios.sys[MofResource]
Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\advapi32.dll[MofResourceName]

Global system events

No global system events were detected.

Forcepoint has made an effort to determine if your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.