
ThreatScope Analysis Report

For file n26pqxmzx.scr uploaded 2013-07-24 at 12:08:47 PM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Traffic to server hosting malicious content

Drops and runs executable file(s) in a directory of the user profile often used by malware

Drops executable file(s)

Possibly injects code into remote process(es)

Writes to the filesystem in a directory of the user profile often used by malware

Executes the Windows command shell program

Screenshots: None

File details:

MD5:            69c9362cf19a1835a7513f149101c3f5
SHA-1:          1e2f31884a2676045763849729e6af60a7c88b59
SHA-256:        a77a73d255cf9f57dec08c7246c5a35e497986a4b75786a4a03e675cd25fe348
File size:      358.50 KB
File uploaded:  2013-07-24 12:08:47 PM
Report created: 2013-07-24 12:10:23 PM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs. For each request, Details may include the user agent string, HTTP server, or encryption information; Status gives the response type (e.g. 200, meaning OK) followed by the size of the response; MIME gives the server-declared content type followed by the true content type (only one value was recorded for each request below).

URL:        http://pietrospalanzani.com/pshome/file.php
IP address: 151.1.96.126 (Italy)
Category:   Malicious Web Sites
Details:    User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30); HTTP server: Apache
Method:     POST
Status:     200, 173.78 KB
MIME:       application/octet-stream

URL:        http://www.google.com/webhp
IP address: 74.125.28.147 (United States)
Category:   Search Engines and Portals
Details:    User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30); HTTP server: gws
Method:     GET
Status:     200, 0 B
MIME:       text/html; charset=UTF-8

URL:        http://positiverealism.com/components/mode.php
IP address: 98.129.229.182 (United States)
Category:   Malicious Web Sites
Details:    User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30); HTTP server: Apache/2.2
Method:     POST
Status:     200, 64 B
MIME:       text/html; charset=UTF-8

URL:        http://universodelpc.it/red/file.php
IP address: 151.1.96.126 (Italy)
Category:   Malicious Web Sites
Details:    User agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30); HTTP server: Apache
Method:     POST
Status:     404, 962 B
MIME:       text/html
Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname              Category                    IP address
universodelpc.it      Malicious Web Sites         151.1.96.126
www.google.com        Search Engines and Portals  74.125.28.147, 74.125.28.106, 74.125.28.105, 74.125.28.103, 74.125.28.99, 74.125.28.104
pietrospalanzani.com  Malicious Web Sites         151.1.96.126
positiverealism.com   Malicious Web Sites         98.129.229.182

IP addresses

The analyzed file requests the following IP addresses.

IP address      ASN                        Country
151.1.96.126    AS3242 ITnet S.r.l.        Italy (shared by pietrospalanzani.com and universodelpc.it)
74.125.28.147   AS15169 Google Inc.        United States
98.129.229.182  AS33070 Rackspace Hosting  United States
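The URL, hostname and IP tables above are a ready-made set of network indicators. The following Python script, added here as an example and not part of the ThreatScope report, parses proxy-log lines and flags requests that match those indicators, plus the behavioural pattern the first request shows (a POST to a PHP script answered with application/octet-stream). The log format and the sample lines are assumptions constructed for illustration; the byte counts approximate the sizes in the report.

```python
"""Match proxy-log lines against the network indicators in the report above.

Added example, not part of the ThreatScope report. The log format (one
space-separated line per request with quoted MIME type and user agent) and
the sample lines in LOG_LINES are constructed; byte counts approximate the
sizes given in the report.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the report's URL, hostname and IP tables.
C2_HOSTS = {"pietrospalanzani.com", "positiverealism.com", "universodelpc.it"}
C2_IPS = {"151.1.96.126", "98.129.229.182"}
C2_PATHS = {"/pshome/file.php", "/components/mode.php", "/red/file.php"}
# User agent the sample sent on every request (an MSIE 7 / Windows XP string).
SAMPLE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; "
             ".NET CLR 2.0.50727; .NET CLR 3.0.04506.30)")

# Assumed log format: client method url status size "mime" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<size>\d+) "(?P<mime>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["size"] = int(ev["size"])
    return ev


def classify(ev: dict) -> Tuple[str, List[str]]:
    """Return ("high" | "low" | "none", reasons) for one parsed request."""
    parts = urlsplit(ev["url"])
    host = (parts.hostname or "").lower()
    strong, weak = [], []
    if host in C2_HOSTS or host in C2_IPS:
        strong.append(f"known C2 host {host}")
    if parts.path in C2_PATHS:
        strong.append(f"known C2 path {parts.path}")
    # Behavioural: a POST to a .php script answered with a raw binary is how the
    # sample fetched its 173 KB payload from /pshome/file.php.
    if (ev["method"] == "POST" and parts.path.lower().endswith(".php")
            and ev["mime"].lower().startswith("application/octet-stream")):
        strong.append("POST to .php answered with application/octet-stream")
    # The user agent alone is weak evidence: genuine MSIE 7 clients send it too.
    if ev["ua"] == SAMPLE_UA:
        weak.append("user agent identical to sample")
    if strong:
        return "high", strong + weak
    if weak:
        return "low", weak
    return "none", []


def scan(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (client, url, level, reasons) for every line that scores above none."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        level, reasons = classify(ev)
        if level != "none":
            hits.append((ev["client"], ev["url"], level, reasons))
    return hits


# Constructed sample lines: the four requests from the report as one client
# would produce them, plus one unrelated request from another client.
LOG_LINES = [
    f'10.0.0.5 POST http://pietrospalanzani.com/pshome/file.php 200 177950 "application/octet-stream" "{SAMPLE_UA}"',
    f'10.0.0.5 GET http://www.google.com/webhp 200 0 "text/html; charset=UTF-8" "{SAMPLE_UA}"',
    f'10.0.0.5 POST http://positiverealism.com/components/mode.php 200 64 "text/html; charset=UTF-8" "{SAMPLE_UA}"',
    f'10.0.0.5 POST http://universodelpc.it/red/file.php 404 962 "text/html" "{SAMPLE_UA}"',
    '10.0.0.7 GET http://www.example.com/index.html 200 5120 "text/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for client, url, level, reasons in scan(LOG_LINES):
        print(f"{level:4} {client} {url}: {'; '.join(reasons)}")
```

The www.google.com request scores only "low" on its own because the user agent is its sole match; in the report it sits between the C2 POSTs and returned a 0-byte body, which is the shape of a connectivity check, so in practice the lines should be correlated per client rather than scored in isolation.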

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event        File path
Writes file  C:\Documents and Settings\victimo\Local Settings\Temp\tmp27148249.bat
Writes file  C:\Documents and Settings\victimo\Local Settings\Temp\29DONE.EXE
Writes file  C:\Documents and Settings\victimo\Local Settings\Temp\1374610935_0621.720X489.JPEG
Writes file  C:\Documents and Settings\victimo\Application Data\Ackeuf\edwi.exe

Process modifications

The analyzed file affected the following system processes.

Event            File path
Creates Process  C:\WINDOWS\system32\cmd.exe
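Together, the file writes and the cmd.exe launch above are the observable side of "drops and runs executable file(s) in a directory of the user profile". The following Python script, an added example rather than anything from the report, correlates Sysmon-style FileCreate (event ID 11) and ProcessCreate (event ID 1) records to flag that pattern. The event records are constructed from the paths in the report; the report does not show cmd.exe's command line or the contents of the batch file, so the command line below is an assumption, and the Vista+ AppData paths are included as a generalisation beyond the Windows XP paths the sandbox used.

```python
"""Correlate host events into the drop-and-run pattern described in the report.

Added example, not part of the ThreatScope report. Events are plain dicts
modelled on Sysmon: id 11 = FileCreate (pid, image, target), id 1 =
ProcessCreate (pid, ppid, image, cmdline). The records in EVENTS are
constructed from the file and process entries above plus two benign ones;
the cmd.exe command line is an assumption, since the report does not show it.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# User-profile locations the sandbox saw (Windows XP) and their Vista+ equivalents.
PROFILE_DIRS = ("\\application data\\", "\\appdata\\roaming\\",
                "\\local settings\\application data\\", "\\appdata\\local\\")
TEMP_DIRS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\")
EXE_EXTS = (".exe", ".scr", ".dll", ".com")


def in_dirs(path: str, dirs) -> bool:
    """Case-insensitive test for any of the directory fragments in dirs."""
    p = path.lower()
    return any(d in p for d in dirs)


def is_exe(path: str) -> bool:
    return path.lower().endswith(EXE_EXTS)


def detect(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, path) findings in event order."""
    findings = []
    dropped = set()                 # lower-cased paths written by any process so far
    bat_by_pid = defaultdict(set)   # pid -> .bat files it wrote into a Temp directory
    for ev in events:
        if ev["id"] == 11:
            target = ev["target"]
            dropped.add(target.lower())
            # Executable written into Temp or a per-user application-data directory.
            if is_exe(target) and in_dirs(target, PROFILE_DIRS + TEMP_DIRS):
                findings.append(("drops_exe_in_profile", ev["pid"], target))
            if target.lower().endswith(".bat") and in_dirs(target, TEMP_DIRS):
                bat_by_pid[ev["pid"]].add(target)
        elif ev["id"] == 1:
            image = ev["image"]
            # Command shell spawned by a process that had just written a batch file.
            if image.lower().endswith("\\cmd.exe") and bat_by_pid.get(ev["ppid"]):
                findings.append(("shell_after_bat_drop", ev["ppid"], image))
            # Execution of an executable that was written to the profile earlier.
            if is_exe(image) and in_dirs(image, PROFILE_DIRS) and image.lower() in dropped:
                findings.append(("runs_dropped_exe", ev["pid"], image))
    return findings


# Constructed event stream based on the report's file and process entries.
PROFILE = r"C:\Documents and Settings\victimo"
DROPPER = PROFILE + r"\Desktop\n26pqxmzx.scr"   # assumed launch location of the sample
EVENTS = [
    {"id": 11, "pid": 1234, "image": DROPPER, "target": PROFILE + r"\Local Settings\Temp\tmp27148249.bat"},
    {"id": 11, "pid": 1234, "image": DROPPER, "target": PROFILE + r"\Local Settings\Temp\29DONE.EXE"},
    {"id": 11, "pid": 1234, "image": DROPPER, "target": PROFILE + r"\Local Settings\Temp\1374610935_0621.720X489.JPEG"},
    {"id": 11, "pid": 1234, "image": DROPPER, "target": PROFILE + r"\Application Data\Ackeuf\edwi.exe"},
    {"id": 1, "pid": 1300, "ppid": 1234, "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": 'cmd /c "' + PROFILE + r'\Local Settings\Temp\tmp27148249.bat"'},  # assumed
    {"id": 1, "pid": 1350, "ppid": 1234, "image": PROFILE + r"\Application Data\Ackeuf\edwi.exe",
     "cmdline": "edwi.exe"},
    # Benign noise: a browser writing a temp file, then notepad started from it.
    {"id": 11, "pid": 2000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": PROFILE + r"\Local Settings\Temp\download.tmp"},
    {"id": 1, "pid": 2100, "ppid": 2000, "image": r"C:\WINDOWS\system32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, pid, path in detect(EVENTS):
        print(f"{rule:22} pid={pid} {path}")
```

The runs_dropped_exe rule only fires for an image path that an earlier FileCreate event wrote, which keeps legitimate per-user installs under AppData\Local from firing on their own; drops_exe_in_profile will still need an allow-list for installers and updaters that stage executables in Temp.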

Registry

No Windows Registry changes were made.

Global system events

No global system events were detected.

Forcepoint has made an effort to determine whether your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.