ThreatScope Analysis Report
For file tool.exe uploaded 2012-08-03 at 09:32:35 AM
Threat level: Suspicious
This file is suspicious. Monitor communications from any machine that has run the file to detect suspicious behavior.
| Threat | Assessment | |
|---|---|---|
|
Writes to the filesystem in the Startup directory of the Windows Start Menu |
|
|
Drops executable file(s) |
|
Screenshots: None
File details:
Hash MD5 |
3c7b7124f84cc4d29aa067eca6110e2f |
File size |
62.27 KB |
|
Hash SHA-1 |
1f7cb066f5592851e043e2365c7a022e762a8d5a |
File uploaded |
2012-08-03 09:32:35 AM |
|
Hash SHA-256 |
d30ddc3defbee30c5e010ea64e008af39268d673bf6948060d7098b9a8302080 |
Report created |
2012-08-03 09:34:10 AM |
|
Technical Details
Requested HTTP URLs
The analyzed file requests the following URLs.
URL |
IP Address |
Category |
May include user agent string, HTTP server, or encryption information. Details |
Method |
The first item is the response type (e.g. 200, meaning OK). The second item is the size of the response. Status |
The first item is the server-declared content type. The second item is the true content type. MIME |
|
|---|---|---|---|---|---|---|---|
|
www.download.windowsupdate.com |
United States |
|
Microsoft-CryptoAPI/5.131.2600.5512
Microsoft-IIS/7.5 |
GET |
200 |
text/plain |
|
Resolved hostnames
The analyzed file used DNS to resolve the following hostnames.
Hostname |
Category |
IP address |
|
|---|---|---|---|
download.windowsupdate.com.c.footprint.net |
|
8.26.207.126 |
|
download.windowsupdate.com.c.footprint.net |
|
8.26.209.126 |
|
download.windowsupdate.com.c.footprint.net |
|
4.27.10.253 |
|
who.xhhow4.com |
|
184.22.171.216 |
|
IP addresses
The analyzed file requests the following IP addresses.
IP Address |
ASN |
|
|---|---|---|
8.26.207.126 |
United States |
|
File system modifications
The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.
Event |
File path |
|
|---|---|---|
Creates file |
c:\Documents and Settings\Administrator\Start Menu\Programs\Startup\winnet.exe |
|
Writes file |
c:\Documents and Settings\Administrator\Start Menu\Programs\Startup\winnet.exe |
|
Process modifications
The analyzed file affected the following system processes.
Event |
File path |
|
|---|---|---|
Creates process |
Sample started |
|
Registry
No Windows Registry changes were made.
Global system events
The following global system events were detected.
Event |
Name |
|
|---|---|---|
Creates semaphore |
shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}0e2f.exe |
|
Creates event |
DINPUTWINMM |
|
Creates mutex |
microsoft.com |
|
Creates semaphore |
shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}0e2f.exe |
|
Forcepoint has made an effort to determine if your submission is malicious however, Forcepoint cannot guarantee the accuracy of the result
Copyright © 2024 Forcepoint, Inc. All rights reserved
Information Technology
Bot Networks
Follow Forcepoint on Facebook, Twitter and Security Labs
Facebook Twitter Security Labs