
ThreatScope Analysis Report

For file VLCMediaPlayer__3793_il256.exe uploaded 2013-10-30 at 12:23:12 PM

Threat level: Suspicious

This file is suspicious. Monitor communications from any machine that has run the file to detect suspicious behavior.

Threat Assessment

Traffic to server hosting potentially malicious content

Writes to the filesystem in a directory of the user profile

Screenshots:

File details:

Hash MD5: 67ede57bc17c17af6a36a880a0556f31
Hash SHA-1: 7e8593c36209afa8f065ac00aa3d3b40b738dc00
Hash SHA-256: 88f2a48d1a36f247de77ad694074e24b251bac57742738b763b552be91fbdf6c
File size: 149.53 KB
File uploaded: 2013-10-30 12:23:12 PM
Report created: 2013-10-30 12:23:15 PM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs. Columns: URL; IP Address; Category; Details (may include user agent string, HTTP server, or encryption information); Method; Status (the HTTP status code, e.g. 200 meaning OK, followed by the size of the response); MIME (the server-declared content type, followed by the true content type).

URL: http://www.idyllicdownload.com/index.php
IP Address: ils-front-balancer2-400693425.us-east-1.elb.amazonaws.com
Category: Potentially Unwanted Software
Details:
    User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
    HTTP Server: Apache/2.2.15 (Red Hat)
Method: POST
Status: 302, 146 B
MIME: text/html; charset=UTF-8 (declared; the report records no detected type for this response)

This single POST, answered with a 302 redirect, is the traffic behind the assessment line "Traffic to server hosting potentially malicious content".

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname: www.idyllicdownload.com
Category: Potentially Unwanted Software
IP address: ils-front-balancer2-400693425.us-east-1.elb.amazonaws.com

IP addresses

The analyzed file requests the following IP addresses.

IP Address: ils-front-balancer2-400693425.us-east-1.elb.amazonaws.com
ASN: (none listed)

Both tables carry the hostname of an AWS Elastic Load Balancer where a numeric address would be expected: www.idyllicdownload.com resolves through that load balancer, whose addresses are shared AWS infrastructure and change over time. Block and hunt on the domain, not on whatever IP it happens to resolve to on a given day.
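The verdict above tells you to monitor communications from any machine that has run the file. The script below is an added example, not part of the ThreatScope report or of Forcepoint's tooling: it takes the hostnames, URL, hashes and user agent recorded in this report and matches them against log lines. The key=value log format and the four sample lines are constructed for the demonstration; the 10.0.0.x source addresses and the Desktop download path are assumptions.

```python
"""Match the indicators in the ThreatScope report above against log lines.

Added example, not part of the original report or of Forcepoint tooling. The
key=value log format and the sample lines are constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

# Indicators copied from the report above.
IOC_HOSTS = {
    "www.idyllicdownload.com",
    "ils-front-balancer2-400693425.us-east-1.elb.amazonaws.com",
}
IOC_URLS = {("www.idyllicdownload.com", "/index.php")}
IOC_HASHES = {
    "67ede57bc17c17af6a36a880a0556f31",                                  # MD5
    "7e8593c36209afa8f065ac00aa3d3b40b738dc00",                          # SHA-1
    "88f2a48d1a36f247de77ad694074e24b251bac57742738b763b552be91fbdf6c",  # SHA-256
}
IOC_USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; "
                  ".NET CLR 2.0.50727; .NET CLR 3.0.04506.30)")

# Constructed log lines (not from the report). Lines 1-3 come from a machine
# that ran the sample; line 4 is unrelated traffic sharing the user agent.
SAMPLE_LOGS = [
    r'2013-10-30T12:24:58Z src=10.0.0.17 type=process image="C:\Documents and Settings\victimo\Desktop\VLCMediaPlayer__3793_il256.exe" sha256=88f2a48d1a36f247de77ad694074e24b251bac57742738b763b552be91fbdf6c',
    r'2013-10-30T12:25:00Z src=10.0.0.17 type=dns query=www.idyllicdownload.com answer=ils-front-balancer2-400693425.us-east-1.elb.amazonaws.com',
    r'2013-10-30T12:25:01Z src=10.0.0.17 type=http method=POST host=www.idyllicdownload.com path=/index.php status=302 bytes=146 ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"',
    r'2013-10-30T12:25:07Z src=10.0.0.23 type=http method=GET host=www.example.com path=/ status=200 bytes=1256 ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def match_indicators(line: str) -> List[Tuple[str, str]]:
    """Return (indicator type, value) pairs for everything on the line that
    matches the report; an empty list means the line is clean."""
    fields = parse_kv(line)
    hits: List[Tuple[str, str]] = []
    for key in ("query", "answer", "host"):          # DNS query, DNS answer, HTTP Host
        name = fields.get(key, "").lower().rstrip(".")
        if name in IOC_HOSTS:
            hits.append(("host", name))
    if (fields.get("host", "").lower(), fields.get("path", "")) in IOC_URLS:
        hits.append(("url", fields["host"] + fields["path"]))
    for key in ("md5", "sha1", "sha256"):
        digest = fields.get(key, "").lower()
        if digest in IOC_HASHES:
            hits.append(("hash", digest))
    # The IE7-on-XP user agent was ubiquitous in 2013 (line 4 of the sample
    # shows why it must not alert alone); it only corroborates another hit.
    if fields.get("ua") == IOC_USER_AGENT and hits:
        hits.append(("user-agent", "matches the sandbox session"))
    return hits


def scan(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map 1-based line numbers to their hits, skipping clean lines."""
    found: Dict[int, List[Tuple[str, str]]] = {}
    for number, line in enumerate(lines, 1):
        hits = match_indicators(line)
        if hits:
            found[number] = hits
    return found


def suspect_sources(lines: List[str]) -> List[str]:
    """The machines the report says to monitor: every src with a hit."""
    return sorted({parse_kv(lines[number - 1])["src"] for number in scan(lines)})


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS).items():
        print(f"line {number}: " + ", ".join(f"{kind}={value}" for kind, value in hits))
    print("monitor:", suspect_sources(SAMPLE_LOGS))
```

The hash-named file under C:\WINDOWS\Temp is deliberately not an indicator here: it is the sandbox's renamed copy of the sample, so on a real machine the binary runs under its download name and is best found by hash. The user agent is likewise kept as corroboration only.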

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event: Writes file
File path: C:\Documents and Settings\victimo\Local Settings\Temporary Internet Files\Content.IE5\MLOLIDQD\FailedToInstall[1].htm

This is the write behind the assessment line "Writes to the filesystem in a directory of the user profile". Content.IE5 under Temporary Internet Files is the WinINet (Internet Explorer engine) cache, so the entry is the cached copy of a server response fetched through the IE networking stack, consistent with the IE user agent above and the Internet Settings registry writes below, rather than a payload the sample dropped.

Process modifications

The analyzed file affected the following system processes.

Event: Creates process
File path: C:\WINDOWS\explorer.exe

Event: Creates process
File path: C:\WINDOWS\Temp\7e8593c36209afa8f065ac00aa3d3b40b738dc00.exe

The second path is the submitted sample itself: the sandbox copies the file to C:\WINDOWS\Temp under its SHA-1 (compare the SHA-1 in File details) before running it, so the hash-named file name is an artifact of the sandbox and not an indicator to search for on real machines.

Registry

The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup. None of the keys below is a conventional autostart location (Run/RunOnce, a service ImagePath, Winlogon); the one entry that deserves attention is the LocalServer32 registration for CLSID {A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}, which points a COM class at the sample's own copy in C:\Windows\Temp, a temporary directory rather than an install location. Because that copy is the sandbox's hash-named one, on a real victim the value would hold whatever path the installer was run from. The RNG\Seed, ESENT, Shell Folders and Internet Settings writes are routine side effects of CryptoAPI, the ESE database engine, the shell and WinINet initializing, and carry no signal on their own. Values listed without data were not recorded in the report.

Adds/Sets value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Data: (not shown)

Adds/Sets value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Data: (not shown)

Adds/Sets value: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32\ServerExecutable
Data: C:\Windows\Temp\7e8593c36209afa8f065ac00aa3d3b40b738dc00.exe

Adds/Sets value: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib\Version
Data: 1.0

Adds/Sets value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\7e8593c36209afa8f065ac00aa3d3b40b738dc00\DEBUG\Trace Level
Data: (not shown)

Adds/Sets value: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryCount
Data: 16

Adds/Sets value: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\TypesSupported
Data: 7

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
Data: C:\Documents and Settings\victimo\Local Settings\Temporary Internet Files

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
Data: C:\Documents and Settings\victimo\Cookies

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
Data: C:\Documents and Settings\victimo\Local Settings\History

Adds/Sets value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
Data: C:\Documents and Settings\All Users\Application Data

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
Data: C:\Documents and Settings\victimo\Application Data

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
Data: 1

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
Data: 0

Adds/Sets value: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
Data: 0

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Data: (not shown)

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
Data: 1

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Data: 1

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
Data: 1

Adds/Sets value: \REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Data: 1
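Reading a registry table like the one above by hand means separating persistence from the noise that every WinINet or CryptoAPI caller produces. The triage below is an added example, not part of the ThreatScope report: it re-encodes a subset of the report's own writes as (key, data) tuples and appends one constructed Run-key write, which the report does not contain, to exercise the autostart rule. The category patterns and the attribution of each noise key to a library are this example's assumptions, not Forcepoint's categories.

```python
"""Triage sandbox registry writes: persistence vs. initialization noise.

Added example, not part of the ThreatScope report. The category rules and
the noise attributions below are this example's own assumptions.
"""
import re
from typing import Dict, List, Tuple

# (key, data) pairs copied from the report above, except the last one, which
# is constructed to exercise the autostart rule; the report records no Run key.
WRITES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed", ""),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32\ServerExecutable",
     r"C:\Windows\Temp\7e8593c36209afa8f065ac00aa3d3b40b738dc00.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib\Version", "1.0"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\7e8593c36209afa8f065ac00aa3d3b40b738dc00\DEBUG\Trace Level", ""),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryCount", "16"),
    (r"\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache",
     r"C:\Documents and Settings\victimo\Local Settings\Temporary Internet Files"),
    (r"\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", "0"),
    (r"\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect", "1"),
    # Constructed, NOT in the report: a classic per-user autostart value.
    (r"\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Documents and Settings\victimo\Application Data\updater.exe"),
]

# Autostart locations a persistence hunt checks first.
AUTOSTART = [
    re.compile(r"\\windows\\currentversion\\run(once|services)?\\", re.I),
    re.compile(r"\\winlogon\\(shell|userinit)$", re.I),
    re.compile(r"\\services\\[^\\]+\\(imagepath|start)$", re.I),
]
# A COM class whose server binary is registered under CLSID\{...}\LocalServer32
# or InprocServer32 gets launched whenever something instantiates the class.
COM_SERVER = re.compile(r"\\classes\\clsid\\\{[0-9a-f-]+\}\\(local|inproc)server32(\\|$)", re.I)
COM_METADATA = re.compile(r"\\classes\\(interface|typelib)\\", re.I)
# Directories a product does not normally register a long-lived server from.
WRITABLE_DIR = re.compile(r"\\(temp|temporary internet files|documents and settings\\[^\\]+|users\\[^\\]+)\\", re.I)
# Keys rewritten by library initialization on nearly every run (assumed attribution).
NOISE = [
    (re.compile(r"\\cryptography\\rng\\seed$", re.I), "CryptoAPI reseed"),
    (re.compile(r"\\microsoft\\esent\\|\\eventlog\\application\\esent\\", re.I), "ESE database engine setup"),
    (re.compile(r"\\explorer\\shell folders\\", re.I), "shell folder path cache"),
    (re.compile(r"\\internet settings\\", re.I), "WinINet proxy/zone settings"),
]


def normalize_key(key: str) -> str:
    """Map the kernel-style \\REGISTRY\\MACHINE and \\REGISTRY\\USER prefixes onto HKLM/HKU."""
    low = key.lower()
    for prefix, hive in (("\\registry\\machine\\", "HKLM\\"), ("\\registry\\user\\", "HKU\\")):
        if low.startswith(prefix):
            return hive + key[len(prefix):]
    return key


def classify(key: str, data: str) -> Tuple[str, str]:
    """Return (category, reason) for one registry write; rules are checked most-severe first."""
    k = normalize_key(key)
    if any(p.search(k) for p in AUTOSTART):
        return "autostart", f"runs at logon/boot: {data}"
    if COM_SERVER.search(k):
        where = "writable/transient" if WRITABLE_DIR.search(data) else "system"
        return "com-server", f"COM server registered from {where} path: {data}"
    if COM_METADATA.search(k):
        return "com-metadata", "interface/typelib registration; check the matching CLSID entry"
    for pattern, why in NOISE:
        if pattern.search(k):
            return "noise", why
    return "review", "no rule matched; inspect manually"


def triage(writes: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Group writes by category, keeping the normalized key and the reason."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for key, data in writes:
        category, reason = classify(key, data)
        out.setdefault(category, []).append((normalize_key(key), reason))
    return out


if __name__ == "__main__":
    for category, items in triage(WRITES).items():
        print(f"== {category} ({len(items)})")
        for k, reason in items:
            print(f"  {k}\n      {reason}")
```

Run against the report's own writes the only non-noise findings are the LocalServer32 registration from a Temp path and its companion Interface entry; the constructed Run key is there to show what a genuine autostart hit looks like next to them.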

Global system events

No global system events were detected.

Forcepoint has made an effort to determine whether your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.