ThreatScope Analysis Report
For file FSEMC_39898_2898810.exe uploaded 2013-06-14 at 10:02:01 AM
Threat level: Malicious
Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.
| Threat |
|---|
| Traffic to server hosting malicious content |
| Drops and runs executable file(s) in a directory of the user profile often used by malware |
| Writes to the filesystem in a Windows system directory |
| Traffic to uncategorized server |
| Writes to the filesystem in a directory of the user profile often used by malware |
| Executes the Windows command shell program |
Screenshots: None
File details:

| Field | Value |
|---|---|
| Hash MD5 | bc48d3e736c66f577636ed486a990eeb |
| Hash SHA-1 | d1811144d9ac5593b24f2fa2c332a59915c736a0 |
| Hash SHA-256 | 00f44827497950548a994f0f7150cd5edb8595fc85a21a3fb9d9d549a96516df |
| File size | 112.50 KB |
| File uploaded | 2013-06-14 10:02:01 AM |
| Report created | 2013-06-14 10:03:46 AM |
Technical Details
Requested HTTP URLs
The analyzed file requests the following URLs. Details is the User-Agent string the sample sent; Status is the HTTP response code returned by the server (0 means no response was recorded); MIME is the content type the server declared.

| URL | Server location | Details (User-Agent) | Method | Status | MIME |
|---|---|---|---|---|---|
| kahrobaa.com/14VkWHU0.exe | Canada | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2) | GET | 200 | application/octet-stream |
| audiomasteringmeistro.com/pony | United States | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2) | POST | 200 | application/octet-stream |
| www.google.com/ | United States | Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0 | GET | 0 | |
| www.sistersnstyle.co/4bnsSjBb. | United States | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2) | GET | 200 | application/octet-stream |
| villa-anastasia-crete.com/JWHv | United States | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2) | GET | 200 | application/octet-stream |
| 204.12.46.166/7tW.exe | United States | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2) | GET | 200 | application/octet-stream |
| www.microsoft.com/uploading/id | Netherlands | Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0 | GET | 403 | |

Two things in this table matter for detection. First, the four executable downloads (three of them from URLs with no file extension, one by bare IP) and the single POST to /pony all use the same hard-coded "MSIE 7.0; Windows NT 5.1; InfoPath.2" User-Agent, while the requests to www.google.com and www.microsoft.com use a Firefox 20 string; the former is the sample's own HTTP client, the latter are connectivity checks. Second, every download returned application/octet-stream with a 200, so the proxy log for an infected host will show several octet-stream downloads from uncategorized domains within seconds of each other.
Resolved hostnames
The analyzed file used DNS to resolve the following hostnames. Where the answer was a CNAME, the alias target is shown instead of an address.

| Hostname | Resolved to |
|---|---|
| cdn162.files2uplodetc.com | 78.131.140.151 |
| time.windows.com | time.microsoft.akadns.net (alias) |
| time.microsoft.akadns.net | 64.4.10.33 |
| www.google.com | 173.194.33.16, 173.194.33.17, 173.194.33.18, 173.194.33.19, 173.194.33.20 |
| sistersnstyle.co | 184.168.178.1 |
| www.sistersnstyle.co | sistersnstyle.co (alias) |
| audiomasteringmeistro.com | 173.246.104.154 |
| kahrobaa.com | 72.55.179.150 |
| villa-anastasia-crete.com | 207.58.178.155 |

Note that cdn162.files2uplodetc.com was resolved but never appears in the HTTP request list; the lookup itself is still a usable DNS indicator. time.windows.com and www.google.com are Windows and connectivity-check lookups and should not be used as indicators.
IP addresses
The analyzed file requests the following IP addresses.
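The network indicators above are only useful once they are matched against traffic from the rest of the estate. The following script is an added example for this page, not code from the ThreatScope report: it loads the hosts, IPs, URL paths and User-Agent from the two tables above, deliberately leaves out the connectivity-check hosts, and runs the match over a handful of constructed proxy log lines (the `client method url status "user-agent"` format and the client addresses are invented for illustration).

```python
"""Match proxy log lines against the network indicators in the report above.

Added example for this page, not part of the ThreatScope report. The log
format and the log lines are constructed for illustration; the hosts, IPs,
URL paths and User-Agent strings are copied from the report.
"""
import re
from urllib.parse import urlsplit

# Hosts and IPs from "Requested HTTP URLs" and "Resolved hostnames".
# www.google.com, www.microsoft.com and time.windows.com are left out on
# purpose: the sample only used them as connectivity checks, and alerting
# on them would drown real hits in false positives.
C2_HOSTS = {
    "kahrobaa.com", "audiomasteringmeistro.com", "sistersnstyle.co",
    "www.sistersnstyle.co", "villa-anastasia-crete.com",
    "cdn162.files2uplodetc.com",
}
C2_IPS = {
    "72.55.179.150", "173.246.104.154", "184.168.178.1",
    "207.58.178.155", "204.12.46.166", "78.131.140.151",
}
C2_PATHS = {"/14VkWHU0.exe", "/pony", "/4bnsSjBb.", "/JWHv", "/7tW.exe"}

# Every request to the download/POST servers carried this one User-Agent,
# while the connectivity checks used a Firefox 20 string. On its own an
# old IE7/XP UA is too common to alert on, so it is only used to corroborate.
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"

# Constructed log lines: client_ip method url status "user_agent"
SAMPLE_LOG = """\
10.0.0.5 GET http://kahrobaa.com/14VkWHU0.exe 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
10.0.0.5 POST http://audiomasteringmeistro.com/pony 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
10.0.0.5 GET http://www.google.com/ 200 "Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0"
10.0.0.9 GET http://204.12.46.166/7tW.exe 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
10.0.0.7 GET http://example.org/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')


def classify(line):
    """Return (client_ip, reasons). reasons is empty for a clean line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None, ["unparsable line"]
    client, method, url, _status, ua = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append(f"known host {host}")
    if host in C2_IPS:
        reasons.append(f"known IP {host}")
    if parts.path in C2_PATHS:
        reasons.append(f"known path {parts.path}")
    if method == "POST" and parts.path == "/pony":
        reasons.append("POST to /pony (the report's only outbound POST)")
    # Corroborating signal only: never flag on the UA alone.
    if reasons and ua == SAMPLE_UA:
        reasons.append("same hard-coded User-Agent as the sample")
    return client, reasons


def find_hits(log_text):
    """Map client IP -> list of reasons, for clients that touched an indicator."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, reasons = classify(line)
        if client and reasons:
            hits.setdefault(client, []).extend(reasons)
    return hits


if __name__ == "__main__":
    for client, reasons in find_hits(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

The host and path sets are kept separate so that a path hit on a new domain (the same loader re-hosted elsewhere) still surfaces, and the User-Agent is only added as a reason when some other indicator already matched, since an IE7-on-XP string by itself would match a great deal of legitimate 2013-era traffic.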
File system modifications
The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

| Event | File path |
|---|---|
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\44093.exe |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\PKM28A7.bat |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\PYP59D.bat |
| Writes file | \Device\HarddiskVolume1\WINDOWS\system32\PerfStringBackup.TMP |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\47107.exe |
| Writes file | \Device\HarddiskVolume1\$ConvertToNonresident |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\47718.bat |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Cookies\victimo@google[1].txt |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\NTUSER.DAT.LOG |
| Writes file | \Device\HarddiskVolume1\WINDOWS\system32\wbem\Performance\WmiApRpl_new.ini |
| Writes file | \Device\HarddiskVolume1\WINDOWS\system32\perfh009.dat |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\45345.exe |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\NTUSER.DAT |
| Writes file | \Device\HarddiskVolume1\WINDOWS\system32\PerfStringBackup.INI |
| Writes file | \Device\HarddiskVolume1\WINDOWS\system32\wbem\Performance\WmiApRpl_new.h |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Application Data\Vacah\uxeb.exe |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Cookies\index.dat |
| Writes file | \Device\HarddiskVolume1\WINDOWS\system32\perfc009.dat |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Cookies\victimo@google[2].txt |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\41269.exe |
| Writes file | \Device\HarddiskVolume1\WINDOWS\system32\wbem\Logs\wmiprov.log |
| Writes file | \Device\HarddiskVolume1\$LogFile |
| Writes file | \Device\HarddiskVolume1\Documents and Settings\victimo\Local Settings\Temp\OZV8D36.bat |

The writes that belong to the sample are the four executables and four batch files in the user's Temp directory and the executable placed in Application Data\Vacah\uxeb.exe; these are the paths to look for on other machines (with the volume, the user name and the 8.3 short form of the profile path generalized, since "victimo" and HarddiskVolume1 are sandbox-specific). The system32 Perf*/WmiApRpl entries and wmiprov.log are written by the Windows performance-counter refresh (see wmiadap.exe and wmiprvse.exe in the process list), the $LogFile and $ConvertToNonresident entries are NTFS metadata, and the NTUSER.DAT and Cookies writes are side effects of the registry and HTTP activity; none of these is an indicator on its own.
Process modifications
The analyzed file affected the following system processes.

| Event | File path |
|---|---|
| Creates process | \Device\HarddiskVolume1\WINDOWS\system32\cmd.exe |
| Creates process | \Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\44093.exe |
| Creates process | \Device\HarddiskVolume1\WINDOWS\system32\msiexec.exe |
| Creates process | \Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\45345.exe |
| Creates process | \Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\41269.exe |
| Creates process | \Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe |
| Creates process | \Device\HarddiskVolume1\Documents and Settings\victimo\Application Data\Vacah\uxeb.exe |
| Creates process | \Device\HarddiskVolume1\DOCUME~1\victimo\LOCALS~1\Temp\47107.exe |
| Creates process | \Device\HarddiskVolume1\WINDOWS\Temp\d1811144d9ac5593b24f2fa2c332a59915c736a0.exe |
| Creates process | \Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiadap.exe |
| Creates process | \Device\HarddiskVolume1\WINDOWS\explorer.exe |

\WINDOWS\Temp\d1811144d9ac5593b24f2fa2c332a59915c736a0.exe is the submitted sample itself, renamed by the sandbox to its SHA-1 (see File details); it is not a path that will exist on a victim machine. All four Temp executables and Application Data\Vacah\uxeb.exe were executed after being written, which is what the "Drops and runs executable file(s)" threat above refers to, and cmd.exe was launched alongside the four .bat files written to Temp. wmiprvse.exe and wmiadap.exe are Windows WMI housekeeping processes and are not themselves indicators.
Registry
The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup. The data written to each value was not recorded in this report.

| Event | Key |
|---|---|
| Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Counter |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Help |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource] |
| Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\41269.exe |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\Client Hash |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource] |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\45345.exe |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource] |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\pcntpci5.sys[NdisMofResource] |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\HWID |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\advapi32.dll[MofResourceName] |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\ACPI.sys[ACPIMOFResource] |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\9801A14D3F476A88DE9B216B58D61308 |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\ACPI.sys[ACPIMOFResource] |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource] |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\mssmbios.sys[MofResource] |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Counter |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\47718.bat |
| Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Help |
| Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Counter |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass |
| Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Object List |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass |
| Adds/Sets value | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Help |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\44093.exe |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Doheuhe\15j9hf07 |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refreshed |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\WinRAR\37E2C9AC0CDFFBF796E53D4B77B4F0C0 |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\pcntpci5.sys[NdisMofResource] |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refresh |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\victimo\LOCALS~1\Temp\47107.exe |
| Adds/Sets value | \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\mssmbios.sys[MofResource] |
| Adds/Sets value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\advapi32.dll[MofResourceName] |

No Run/RunOnce or service key is written, so the report does not show a startup persistence mechanism despite the sentence above. Most of the keys are Windows housekeeping: the Perflib, WmiApRpl\Performance and WBEM\WDM entries belong to the performance-counter refresh already seen in the file and process lists, the Shell Folders, MountPoints2 and RNG\Seed entries are written by the shell and CryptoAPI, and the Internet Settings entries are touched by WinINet when the sample makes its HTTP requests. The MUICache entries for the Temp executables and 47718.bat are created by the shell when those files are run, so they confirm execution but are a consequence, not a cause. The one key that none of this accounts for is Software\Microsoft\Doheuhe\15j9hf07 under the user hive, which sits beside the unexplained Application Data\Vacah\uxeb.exe drop; that key is the registry artifact to hunt for. The SID S-1-5-21-1220945662-152049171-1343024091-1003 is the sandbox user's and will differ on every other machine.
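The file, process and registry sections above give the host-side artifacts, but they are recorded as NT device paths for one sandbox user, so they cannot be searched for verbatim. The following script is an added example for this page, not code from the ThreatScope report: it turns the dropped-file paths and the Doheuhe\15j9hf07 key into patterns with the volume, user name, 8.3 short name and SID generalized, adds the sample's hashes from File details, and runs them over a few constructed Sysmon-style event records (host names, user names and the non-matching hash are invented). It also encodes the caveats above by leaving out the sandbox's own SHA-1-named copy of the sample and the Perflib/WMI housekeeping files.

```python
"""Hunt for the host artifacts in the report above in Sysmon-style events.

Added example for this page, not part of the ThreatScope report. The event
records and host names are constructed for illustration; the file paths,
registry key and hashes are copied from the report.
"""
import re

# The sandbox reports NT device paths for one user ("victimo") on
# HarddiskVolume1. On real hosts the drive letter, the user name and the 8.3
# short form of the profile path (DOCUME~1\...\LOCALS~1, as in the process
# list) all vary, so each artifact becomes a regex with those parts generalized.
_VOL = r"(?:\\Device\\HarddiskVolume\d+|[A-Za-z]:)"
_PROFILE = r"(?:Documents and Settings|DOCUME~1)\\[^\\]+"
_TEMP = _PROFILE + r"\\(?:Local Settings|LOCALS~1)\\Temp"

FILE_ARTIFACTS = [
    # Executables dropped into Temp and then launched
    re.compile(_VOL + r"\\" + _TEMP + r"\\(?:44093|47107|45345|41269)\.exe$", re.I),
    # Batch files written to Temp alongside the cmd.exe launch
    re.compile(_VOL + r"\\" + _TEMP + r"\\(?:PKM28A7|PYP59D|47718|OZV8D36)\.bat$", re.I),
    # Executable dropped into the roaming profile and launched
    re.compile(_VOL + r"\\" + _PROFILE + r"\\Application Data\\Vacah\\uxeb\.exe$", re.I),
]
# Not included on purpose: WINDOWS\Temp\d1811144...exe is the sandbox's copy
# of the sample (named by its SHA-1), and the system32 Perf*/WmiApRpl files
# are performance-counter housekeeping written by wmiadap.exe, not the sample.

# The only registry write not explained by Windows housekeeping (Perflib,
# WBEM, RNG seed), Internet Settings, Shell Folders, MountPoints2, MUICache
# or WinRAR. The SID in the report is sandbox-specific, so any S-1-5-21 SID
# is accepted, as is the HKCU spelling used by most EDR tools.
REG_ARTIFACTS = [
    re.compile(r"^(?:\\REGISTRY\\USER|HKU|HKEY_USERS)\\S-1-5-21-[\d-]+"
               r"\\Software\\Microsoft\\Doheuhe\\15j9hf07$", re.I),
    re.compile(r"^(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Doheuhe\\15j9hf07$", re.I),
]

# Hashes of the submitted file, from "File details".
SAMPLE_HASHES = {
    "md5": "bc48d3e736c66f577636ed486a990eeb",
    "sha1": "d1811144d9ac5593b24f2fa2c332a59915c736a0",
    "sha256": "00f44827497950548a994f0f7150cd5edb8595fc85a21a3fb9d9d549a96516df",
}

# Constructed events (hosts, user names and the all-zero hash are invented).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "FileCreate",
     "path": r"C:\Documents and Settings\alice\Application Data\Vacah\uxeb.exe"},
    {"host": "ws01", "type": "ProcessCreate",
     "path": r"C:\DOCUME~1\alice\LOCALS~1\Temp\45345.exe", "sha256": "0" * 64},
    {"host": "ws01", "type": "RegistrySet",
     "key": r"HKU\S-1-5-21-987654321-1111-2222-1003\Software\Microsoft\Doheuhe\15j9hf07"},
    {"host": "ws02", "type": "FileCreate",          # housekeeping, must not match
     "path": r"C:\WINDOWS\system32\PerfStringBackup.INI"},
    {"host": "ws03", "type": "ProcessCreate",       # renamed copy of the sample
     "path": r"C:\Users\bob\Downloads\invoice.exe",
     "sha256": "00f44827497950548a994f0f7150cd5edb8595fc85a21a3fb9d9d549a96516df"},
]


def match_event(ev):
    """Return why an event matches a report artifact, or None if it does not."""
    if ev["type"] in ("FileCreate", "ProcessCreate"):
        for pat in FILE_ARTIFACTS:
            if pat.search(ev["path"]):
                return f"dropped file {ev['path']}"
        if ev["type"] == "ProcessCreate":
            # Hash match catches the sample under any file name.
            for algo, digest in SAMPLE_HASHES.items():
                if ev.get(algo, "").lower() == digest:
                    return f"sample {algo} on {ev['path']}"
    elif ev["type"] == "RegistrySet":
        for pat in REG_ARTIFACTS:
            if pat.search(ev["key"]):
                return f"registry key {ev['key']}"
    return None


def hunt(events):
    """Group matching events by host: host -> list of reasons."""
    findings = {}
    for ev in events:
        reason = match_event(ev)
        if reason:
            findings.setdefault(ev["host"], []).append(reason)
    return findings


if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS).items():
        print(host)
        for r in reasons:
            print("  ", r)
```

A host that matches on the uxeb.exe drop or the Doheuhe key is one the report's recommendation applies to (remediate, do not just block the hash), since those artifacts show the sample ran to completion; a hash-only hit on a download directory may be an unexecuted copy and is worth confirming before reimaging.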
Global system events
No global system events were detected.
Forcepoint has made an effort to determine if your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.
Copyright © 2023 Forcepoint, Inc. All rights reserved