ThreatScope Analysis Report
For file IrFKDDEW.exe uploaded 2012-11-15 at 08:13:22 AM
Threat level: Malicious
Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.
Threat | Assessment
---|---
Drops and runs executable file(s) in a Windows system directory |
Drops executable file(s) |
Writes to the filesystem in a Windows system directory |
Executes the Windows command shell program |
Starts the Microsoft Internet Explorer web browser |
Screenshots: None
File details:

Field | Value
---|---
Hash MD5 | f089cbee11315f5a3256803cc727984d
Hash SHA-1 | d0d8d7f67f09e44d05ccb18b67205198fdd64ba0
Hash SHA-256 | 73b6dd0a41fcf898ebe52b5af5fcfb48af12442fc8c11257c08c275d50f0179e
File size | 68.00 KB
File uploaded | 2012-11-15 08:13:22 AM
Report created | 2012-11-15 08:15:06 AM
Technical Details
Requested HTTP URLs
No HTTP communications were detected.
Resolved hostnames
DNS was not used to resolve any hostnames.
IP addresses
No IP addresses were requested.
File system modifications
The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.
Event | File path
---|---
Creates file | c:\WINDOWS\system32\f089cbee11315f5a3256803cc727984d.exe
Writes file | c:\WINDOWS\system32\f089cbee11315f5a3256803cc727984d.exe
Opens file | c:\WINDOWS\system32\f089cbee11315f5a3256803cc727984d.exe
Creates file | c:\WINDOWS\system32\wksprt.dll.tmp
Writes file | c:\WINDOWS\system32\wksprt.dll.tmp
Opens file | c:\WINDOWS\system32\wksprt.dll.tmp
Creates file | c:\WINDOWS\system32\wksprt.dll
Writes file | c:\WINDOWS\system32\wksprt.dll
Opens file | c:\WINDOWS\system32\wksprt.dll
Process modifications
The analyzed file affected the following system processes.
Event | File path
---|---
Creates process | Sample started
Creates process | C:\WINDOWS\system32\cmd.exe
Creates process | C:\WINDOWS\system32\attrib.exe
Creates process | C:\WINDOWS\system32\f089cbee11315f5a3256803cc727984d.exe
Creates process | C:\WINDOWS\system32\expand.exe
Creates process | C:\Program Files\Internet Explorer\IEXPLORE.EXE
Creates process | C:\WINDOWS\system32\ipconfig.exe
Registry
The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup.
Event | Key | Value
---|---|---
Changes value | HKLM\software\microsoft\active setup\installed components\{26d37492-fec2-c272-9882-6d97a521f122} | Data: C:\WINDOWS\system32\f089cbee11315f5a3256803cc727984d.exe
Global system events
The following global system events were detected.
Event | Name
---|---
Creates semaphore | shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}984d.exe
Creates mutex | SHIMLIB_LOG_MUTEX
Creates event | DINPUTWINMM
Creates semaphore | shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Creates event | Global\userenv: User Profile setup eventE1}
Creates semaphore | shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
Creates semaphore | shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Creates mutex | ZonesCounterMutex
Creates mutex | ZonesCacheCounterMutex
Creates mutex | ZonesLockedCacheCounterMutex
Creates semaphore | shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}c727984d.exe
Creates semaphore | shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}EXE
Creates event | Global\crypt32LogoffEvent
Creates mutex | RasPbFile
Creates event | Global\userenv: User Profile setup event
Creates mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates mutex | c:!documents and settings!administrator!cookies!ttings!temporary internet files!content.ie5!
Creates mutex | c:!documents and settings!administrator!local settings!history!history.ie5!iles!content.ie5!
Creates mutex | WininetConnectionMutex
Creates event | Global\userenv: User Profile setup eventocal settings!history!history.ie5!iles!content.ie5!
Forcepoint has made an effort to determine if your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.
Copyright © 2024 Forcepoint, Inc. All rights reserved