csi.forcepoint.com - Report for "FSEMC_39898

ThreatScope Analysis Report

For file FSEMC_39898_2898810.exe uploaded 2013-06-14 at 10:02:01 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat		Assessment
		Traffic to server hosting malicious content
		Drops and runs executable file(s) in a directory of the user profile often used by malware
		Writes to the filesystem in a Windows system directory
		Traffic to uncategorized server
		Writes to the filesystem in a directory of the user profile often used by malware
		Executes the Windows command shell program

Screenshots: None

File details:

Hash MD5	bc48d3e736c66f577636ed486a990eeb	File size	112.50 KB
Hash SHA-1	d1811144d9ac5593b24f2fa2c332a59915c736a0	File uploaded	2013-06-14 10:02:01 AM
Hash SHA-256	00f44827497950548a994f0f7150cd5edb8595fc85a21a3fb9d9d549a96516df	Report created	2013-06-14 10:03:46 AM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs.

URL	IP Address	Category	Details May include user agent string, HTTP server, or encryption information. Details	Method	Status The first item is the response type (e.g. 200, meaning OK). The second item is the size of the response. Status	MIME The first item is the server-declared content type. The second item is the true content type. MIME
kahrobaa.com/14VkWHU0.exe	72.55.179.150 Canada	Uncategorized	User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2) HTTP Server:	GET	200 294.00 KB	application/octet-stream
audiomasteringmeistro.com/pony b/gate.php	173.246.104.154 United States	Uncategorized	User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2) HTTP Server:	POST	200 0 B	application/octet-stream
www.google.com/	173.194.33.17 United States	Search Engines and Portals	User agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0 HTTP Server:	GET	0 0 B
www.sistersnstyle.co/4bnsSjBb. exe	184.168.178.1 United States	Uncategorized	User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2) HTTP Server:	GET	200 294.00 KB	application/octet-stream
villa-anastasia-crete.com/JWHv dgW.exe	207.58.178.155 United States	Uncategorized	User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2) HTTP Server:	GET	200 201.50 KB	application/octet-stream
204.12.46.166/7tW.exe	204.12.46.166 United States	Malicious Web Sites	User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2) HTTP Server:	GET	200 294.00 KB	application/octet-stream
www.microsoft.com/uploading/id =9498657&u=4WSbvjA+sJYdYTrHmxr 7tGGnc41+nDo4SXuEzEaJacviRtjYI g2xcqQMAWYaZM4RqxalcusDRHEPXzn qfe/8wQ==	78.140.131.151 Netherlands	Information Technology	User agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0 HTTP Server:	GET	403 0 B

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname	Category	IP address
cdn162.files2uplodetc.com	Uncategorized	78.131.140.151
time.windows.com	Information Technology	time.microsoft.akadns.net
www.google.com	Search Engines and Portals	173.194.33.17
www.google.com	Search Engines and Portals	173.194.33.20
www.google.com	Search Engines and Portals	173.194.33.19
www.google.com	Search Engines and Portals	173.194.33.18
www.google.com	Search Engines and Portals	173.194.33.16
sistersnstyle.co	Uncategorized	184.168.178.1
audiomasteringmeistro.com	Uncategorized	173.246.104.154
kahrobaa.com	Uncategorized	72.55.179.150
villa-anastasia-crete.com	Uncategorized	207.58.178.155
time.microsoft.akadns.net	Information Technology	64.4.10.33
www.sistersnstyle.co	Uncategorized	sistersnstyle.co

IP addresses

The analyzed file requests the following IP addresses.

IP Address		ASN
72.55.179.150		AS32613 iWeb Technologies Inc. Canada
173.246.104.154		AS29169 Gandi SAS United States
173.194.33.17		AS15169 Google Inc. United States
184.168.178.1		AS26496 GoDaddy.com, LLC United States
207.58.178.155		AS25847 ServInt United States
204.12.46.166		AS20021 HostMySite United States
78.140.131.151		AS35415 Webazilla B.V. Netherlands

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event		File path
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\44093.exe
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\PKM28A7.bat
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\PYP59D.bat
Writes file		\Device\HarddiskVolume1\WINDOWS\system32\PerfStringBackup.TMP
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\47107.exe
Writes file		\Device\HarddiskVolume1\$ConvertToNonresident
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\47718.bat
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Cookies\victimo@google[1].txt
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\NTUSER.DAT.LOG
Writes file		\Device\HarddiskVolume1\WINDOWS\system32\wbem\Performance\WmiApRpl_new.ini
Writes file		\Device\HarddiskVolume1\WINDOWS\system32\perfh009.dat
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\45345.exe
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\NTUSER.DAT
Writes file		\Device\HarddiskVolume1\WINDOWS\system32\PerfStringBackup.INI
Writes file		\Device\HarddiskVolume1\WINDOWS\system32\wbem\Performance\WmiApRpl_new.h
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Application Data\Vacah\uxeb.exe
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Cookies\index.dat
Writes file		\Device\HarddiskVolume1\WINDOWS\system32\perfc009.dat
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Cookies\victimo@google[2].txt
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\41269.exe
Writes file		\Device\HarddiskVolume1\WINDOWS\system32\wbem\Logs\wmiprov.log
Writes file		\Device\HarddiskVolume1\$LogFile
Writes file		\Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\OZV8D36.bat

Process modifications

The analyzed file affected the following system processes.

Event		File path
Creates process		\Device\HarddiskVolume1\WINDOWS\system32\cmd.exe
Creates process		\Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\44093.exe
Creates process		\Device\HarddiskVolume1\WINDOWS\system32\msiexec.exe
Creates process		\Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\45345.exe
Creates process		\Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\41269.exe
Creates process		\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe
Creates process		\Device\HarddiskVolume1\Documents and Settings\victimo\Application Data\Vacah\uxeb.exe
Creates process		\Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\47107.exe
Creates process		\Device\HarddiskVolume1\WINDOWS\Temp\d1811144d9ac5593b24f2fa2c332a59915c736a0.exe
Creates process		\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiadap.exe
Creates process		\Device\HarddiskVolume1\WINDOWS\explorer.exe

Registry

The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup.

Event	Key	Value
Adds/Sets value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Counter
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Help
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource]
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\41269.exe
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\Client Hash
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource]
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\45345.exe
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource]
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\pcntpci5.sys[NdisMofResource]
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\HWID
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\advapi32.dll[MofResourceName]
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\ACPI.sys[ACPIMOFResource]
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\9801A14D3F476A88DE9B216B58D61308
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\ACPI.sys[ACPIMOFResource]
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource]
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\mssmbios.sys[MofResource]
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Counter
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\47718.bat
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Help
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Counter
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Object List
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Help
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\44093.exe
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Doheuhe\15j9hf07
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refreshed
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\37E2C9AC0CDFFBF796E53D4B77B4F0C0
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\pcntpci5.sys[NdisMofResource]
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refresh
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\47107.exe
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\mssmbios.sys[MofResource]
Adds/Sets value	Data:
Adds/Sets value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\advapi32.dll[MofResourceName]
Adds/Sets value	Data:

Global system events

No global system events were detected.

Forcepoint has made an effort to determine if your submission is malicious however, Forcepoint cannot guarantee the accuracy of the result