PDF

Print

ThreatScope Analysis Report

For file cd7edb0d3ecb005261a3988067d81b9fc2f4206f.pif uploaded 2014-07-04 at 11:17:27 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Drops and runs executable file(s) in a directory of the user profile often used by malware

Drops executable file(s)

Writes to the filesystem in a directory of the user profile often used by malware

Writes to the filesystem in a directory of the user profile

Executes the Windows command shell program

Screenshots: None

File details:

Hash MD5

4fc7395dcdf7e3f95338d21f25541abd

File size

215.00 KB

Hash SHA-1

cd7edb0d3ecb005261a3988067d81b9fc2f4206f

File uploaded

2014-07-04 11:17:27 AM

Hash SHA-256

c2cc2f42586179e421e9f2e2efe1d9347809d691e8a591bb1fe971b8528298a6

Report created

2014-07-04 11:17:28 AM

Technical Details

Requested HTTP URLs


No HTTP communications were detected.

Resolved hostnames


DNS was not used to resolve any hostnames.

IP addresses


No IP addresses were requested.

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event

File path

Writes file

C:\Documents and Settings\victimo\Application Data\Megui\elde.exe

Writes file

C:\Documents and Settings\victimo\Application Data\Megui\elde.exe

Writes file

C:\Documents and Settings\victimo\Local Settings\Temp\tmpcb859e7a.bat

Process modifications

The analyzed file affected the following system processes.

Event

File path

Creates process

C:\WINDOWS\explorer.exe

Creates process

C:\WINDOWS\Temp\cd7edb0d3ecb005261a3988067d81b9fc2f4206f.pif

Creates process

C:\Documents and Settings\victimo\Application Data\Megui\elde.exe

Creates process

C:\WINDOWS\system32\cmd.exe

Creates process

C:\WINDOWS\system32\wbem\wmiprvse.exe

Registry

The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup.

Event

Key

Value

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed

Data:

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData

Data:

C:\Documents and Settings\All Users\Application Data

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData

Data:

C:\Documents and Settings\victimo\Local Settings\Application Data

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

Data:

1

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

Data:

1

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

Data:

1

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

Data:

1

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache

Data:

C:\Documents and Settings\victimo\Local Settings\Temporary Internet Files

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies

Data:

C:\Documents and Settings\victimo\Cookies

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass

Data:

Drive

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass

Data:

Drive

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\Temp\cd7edb0d3ecb005261a3988067d81b9fc2f4206f.pif

Data:

Vyhuf Wypary Ica

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed

Data:

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

Data:

C:\Documents and Settings\victimo\Application Data

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed

Data:

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

Data:

C:\Documents and Settings\victimo\Application Data

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

Data:

1

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

Data:

1

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

Data:

1

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

Data:

1

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving

Data:

0

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0

Data:

0

Adds/Sets value

\REGISTRY\USER\S-1-5-21-1220945662-152049171-1343024091-1003\Software\Microsoft\Pazyv\Mobup

Data:

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed

Data:

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed

Data:

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed

Data:

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\advapi32.dll[MofResourceName]

Data:

LowDateTime:1236297984,HighDateTime:29653446***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\ACPI.sys[ACPIMOFResource]

Data:

LowDateTime:220807424,HighDateTime:29653431***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\mssmbios.sys[MofResource]

Data:

LowDateTime:-1933636608,HighDateTime:29653447***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\pcntpci5.sys[NdisMofResource]

Data:

LowDateTime:237222144,HighDateTime:29435611***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource]

Data:

LowDateTime:-1439192576,HighDateTime:29653430***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource]

Data:

LowDateTime:75774720,HighDateTime:29653430***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating

Data:

WmiApRpl

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Counter

Data:

3360

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Help

Data:

3361

Adds/Sets value

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Counter

Data:

3366

Adds/Sets value

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Help

Data:

3367

Adds/Sets value

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Counter

Data:

3362

Adds/Sets value

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Help

Data:

3363

Adds/Sets value

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Object List

Data:

3362

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\advapi32.dll[MofResourceName]

Data:

LowDateTime:1236297984,HighDateTime:29653446***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\ACPI.sys[ACPIMOFResource]

Data:

LowDateTime:220807424,HighDateTime:29653431***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\mssmbios.sys[MofResource]

Data:

LowDateTime:-1933636608,HighDateTime:29653447***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource]

Data:

LowDateTime:-1439192576,HighDateTime:29653430***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource]

Data:

LowDateTime:75774720,HighDateTime:29653430***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\system32\DRIVERS\pcntpci5.sys[NdisMofResource]

Data:

LowDateTime:237222144,HighDateTime:29435611***Binary mof compiled successfully

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refresh

Data:

0

Adds/Sets value

\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refreshed

Data:

1

Global system events


No global system events were detected.

Forcepoint has made an effort to determine if your submission is malicious however, Forcepoint cannot guarantee the accuracy of the result