ThreatScope Analysis Report
For file kav.exe uploaded 2012-10-25 at 06:23:01 AM
Threat level: Suspicious
This file is suspicious. Monitor communications from any machine that has run the file to detect suspicious behavior.
Threat | Assessment
---|---
Drops executable file(s) |
Adds a registry key to automatically start an executable when the system starts |
Traffic to uncategorized server |
Screenshots: None
File details:

Field | Value
---|---
Hash MD5 | f6b258f2c3f10a5d35c8ff852fb6a004
Hash SHA-1 | 0541078f7200af1a102582feb57019515bdc8955
Hash SHA-256 | 8d7e05ccf2577a04c7109ad4c33e41997c59ae071be8e6b7b93c108564143963
File size | 144.50 KB
File uploaded | 2012-10-25 06:23:01 AM
Report created | 2012-10-25 06:24:37 AM
Technical Details
Requested HTTP URLs
The analyzed file requests the following URLs.

URL | IP Address | Category | Details | Method | Status | MIME
---|---|---|---|---|---|---
www.chat-mr.com/images/.vr/tas | United States | Uncategorized | User agent: V32; HTTP Server: Microsoft-IIS/6.0 | GET | 200 | text/html; charset=utf-8
www.chat-mr.com/images/.vr/add | United States | Uncategorized | User agent: V32; HTTP Server: | GET | 0 |
www.chat-mr.com/images/.vr/tas | United States | Uncategorized | User agent: V32; HTTP Server: | GET | 302 |
www.chat-mr.com/images/.vr/add | United States | Uncategorized | User agent: V32; HTTP Server: Microsoft-IIS/6.0 | GET | 200 | text/html; charset=utf-8

Column notes: Details may include the user agent string, HTTP server, or encryption information. Status: the first item is the response type (e.g. 200, meaning OK); the second item is the size of the response. MIME: the first item is the server-declared content type; the second item is the true content type.
Resolved hostnames
The analyzed file used DNS to resolve the following hostnames.
Hostname | Category | IP address
---|---|---
chat-mr.com | Uncategorized | 68.178.232.99
IP addresses
The analyzed file requests the following IP addresses.
IP Address | ASN
---|---
68.178.232.99 | United States
68.178.232.99 | United States
68.178.232.99 | United States
68.178.232.99 | United States
File system modifications
The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.
Event | File path
---|---
Creates file | c:\svstem32.exe
Writes file | c:\svstem32.exe
Process modifications
The analyzed file affected the following system processes.
Event | File path
---|---
Creates process | Sample started
Registry
The analyzed file made the following changes to the Windows Registry. Malicious files often alter the registry to ensure that the malicious software runs at system startup.
Event | Key | Value
---|---|---
Changes value | HKUS\s-1-5-21-1123561945-436374069-854245398-500\software\microsoft\windows\currentversion\run | Data: C:\svstem32.exe
Global system events
The following global system events were detected.
Event | Name
---|---
Creates event | Global\crypt32LogoffEvent
Creates semaphore | shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}a004.exe
Creates mutex | ZonesCounterMutex
Creates mutex | ZonesCacheCounterMutex
Creates mutex | ZonesLockedCacheCounterMutex
Creates mutex | VN_MUTEX16
Creates semaphore | shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}a004.exe
Creates mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates mutex | c:!documents and settings!administrator!cookies!
Creates mutex | c:!documents and settings!administrator!local settings!history!history.ie5!
Creates mutex | WininetConnectionMutex
Creates event | DINPUTWINMM
Creates mutex | RasPbFile
Creates event | Global\userenv: User Profile setup event
Forcepoint has made an effort to determine if your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.
Copyright © 2024 Forcepoint, Inc. All rights reserved