PDF

Print

ThreatScope Analysis Report

For file IrFKDDEW.exe uploaded 2012-11-15 at 06:13:22 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Drops and runs executable file(s) in a Windows system directory

Drops executable file(s)

Writes to the filesystem in a Windows system directory

Executes the Windows command shell program

Starts the Microsoft Internet Explorer web browser

Screenshots: None

File details:

Hash MD5

f089cbee11315f5a3256803cc727984d

File size

68.00 KB

Hash SHA-1

d0d8d7f67f09e44d05ccb18b67205198fdd64ba0

File uploaded

2012-11-15 06:13:22 AM

Hash SHA-256

73b6dd0a41fcf898ebe52b5af5fcfb48af12442fc8c11257c08c275d50f0179e

Report created

2012-11-15 06:15:06 AM

Technical Details

Requested HTTP URLs


No HTTP communications were detected.

Resolved hostnames


DNS was not used to resolve any hostnames.

IP addresses


No IP addresses were requested.

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event

File path

Creates file

c:\WINDOWS\system32\f089cbee11315f5a3256803cc727984d.exe

Writes file

c:\WINDOWS\system32\f089cbee11315f5a3256803cc727984d.exe

Opens file

c:\WINDOWS\system32\f089cbee11315f5a3256803cc727984d.exe

Creates file

c:\WINDOWS\system32\wksprt.dll.tmp

Writes file

c:\WINDOWS\system32\wksprt.dll.tmp

Opens file

c:\WINDOWS\system32\wksprt.dll.tmp

Creates file

c:\WINDOWS\system32\wksprt.dll

Writes file

c:\WINDOWS\system32\wksprt.dll

Opens file

c:\WINDOWS\system32\wksprt.dll

Process modifications

The analyzed file affected the following system processes.

Event

File path

Creates process

Sample started

Creates process

C:\WINDOWS\system32\cmd.exe

Creates process

C:\WINDOWS\system32\attrib.exe

Creates process

C:\WINDOWS\system32\f089cbee11315f5a3256803cc727984d.exe

Creates process

C:\WINDOWS\system32\expand.exe

Creates process

C:\Program Files\Internet Explorer\IEXPLORE.EXE

Creates process

C:\WINDOWS\system32\ipconfig.exe

Registry

The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup.

Event

Key

Value

Changes value

HKLM\software\microsoft\active setup\installed components\{26d37492-fec2-c272-9882-6d97a521f122}

Data:

C:\WINDOWS\system32\f089cbee11315f5a3256803cc727984d.exe

Global system events

The following global system events were detected.

Event

Name

Creates semaphore

shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}984d.exe

Creates mutex

SHIMLIB_LOG_MUTEX

Creates event

DINPUTWINMM

Creates semaphore

shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}

Creates event

Global\userenv: User Profile setup eventE1}

Creates semaphore

shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}

Creates semaphore

shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}

Creates mutex

ZonesCounterMutex

Creates mutex

ZonesCacheCounterMutex

Creates mutex

ZonesLockedCacheCounterMutex

Creates semaphore

shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}c727984d.exe

Creates semaphore

shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}EXE

Creates event

Global\crypt32LogoffEvent

Creates mutex

RasPbFile

Creates event

Global\userenv: User Profile setup event

Creates mutex

c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Creates mutex

c:!documents and settings!administrator!cookies!ttings!temporary internet files!content.ie5!

Creates mutex

c:!documents and settings!administrator!local settings!history!history.ie5!iles!content.ie5!

Creates mutex

WininetConnectionMutex

Creates event

Global\userenv: User Profile setup eventocal settings!history!history.ie5!iles!content.ie5!

Websense has made an effort to determine if your submission is malicious however, Websense cannot guarantee the accuracy of the result