ThreatScope Analysis Report

For file 123.exe uploaded 2012-11-20 at 08:13:15 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Drops and runs executable file(s)

Writes to the filesystem in the Startup directory of the Windows Start Menu

Drops executable file(s)

Adds a registry key to automatically start an executable when the system starts

Traffic to server hosting potentially malicious content

Screenshots: None

File details:

Hash MD5        d04c8c062e7e335f53f7d352ffa65efc
Hash SHA-1      f21cb38f6d9730bc416c6fdc7f84f54fc923f8da
Hash SHA-256    66fdad1bc63eca7d8124d16c83322a6ca3b45546a70ddb0a9e122be6e9aaebfb
File size       53.68 KB
File uploaded   2012-11-20 08:13:15 AM
Report created  2012-11-20 08:14:53 AM

Technical Details

Requested HTTP URLs

No HTTP communications were detected.

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname                  Category      IP address
firestormm6t.no-ip.info   Dynamic DNS   46.166.129.110

IP addresses

No IP addresses were requested.

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event          File path
Creates file   c:\Documents and Settings\Administrator\explorer.exe
Writes file    c:\Documents and Settings\Administrator\explorer.exe
Opens file     c:\Documents and Settings\Administrator\explorer.exe
Creates file   c:\Documents and Settings\Administrator\Start Menu\Programs\Startup\abdd6bfc0e8fddea8251d6f207eba15e.exe
Writes file    c:\Documents and Settings\Administrator\Start Menu\Programs\Startup\abdd6bfc0e8fddea8251d6f207eba15e.exe
Opens file     c:\Documents and Settings\Administrator\Start Menu\Programs\Startup\abdd6bfc0e8fddea8251d6f207eba15e.exe

Process modifications

The analyzed file affected the following system processes.

Event             File path
Creates process   Sample started
Creates process   C:\Documents and Settings\Administrator\explorer.exe
Creates process   C:\WINDOWS\system32\netsh.exe

Registry

The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup.

Event           Key                                                                                             Value
Changes value   HKUS\s-1-5-21-1123561945-436374069-854245398-500\software\microsoft\windows\currentversion\run   Data: "C:\Documents and Settings\Administrator\explorer.exe" ..
Changes value   HKLM\software\microsoft\windows\currentversion\run                                               Data: "C:\Documents and Settings\Administrator\explorer.exe" ..

Global system events

The following global system events were detected.

Event               Name
Creates semaphore   shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}5efc.exe
Creates event       Global\CorDBIPCSetupSyncEvent_12800C90312E1}5efc.exe
Creates semaphore   shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}5efc.exe
Creates semaphore   shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}5efc.exe
Creates mutex       ZonesCounterMutex
Creates mutex       ZonesCacheCounterMutex
Creates mutex       ZonesLockedCacheCounterMutex
Creates semaphore   shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}orer.exe
Creates event       Global\CorDBIPCSetupSyncEvent_1708f7d352ffa65efc.exe
Creates mutex       SHIMLIB_LOG_MUTEX
Creates semaphore   shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Creates event       DINPUTWINMM
Creates mutex       RasPbFile
Creates event       Global\userenv: User Profile setup eventE1}
Creates event       Global\crypt32LogoffEvent
Creates mutex       abdd6bfc0e8fddea8251d6f207eba15e
Creates mutex       Global\.net clr networking

Forcepoint has made an effort to determine whether your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.