Analysis # Sample: Important_WellsFargo_Doc.exe (70e604777a66980bcc751dcb00eafee5) Analysis # /10/ :12 pm

Analysis # 31139 06/10/2013 14:12 pm 1/11

Table of Contents Analysis Summary... 3 Analysis Summary... 3 Digital Behavior Traits... 3 Created Mutexes... 4 Created Mutexes... 4 Registry Activity... 5 Created Keys... 5 Set Values... 6 Network Activity... 7 Network Events... 7 Network Traffic... 8 DNS Requests... 9 Virus Total Results... 10 2/11

Analysis Summary Submitted File: Important_WellsFargo_Doc.exe MD5: 70e604777a66980bcc751dcb00eafee5 File Size: 94720 File Type: PE32 executable for MS Windows (GUI) Intel 80386 3 Analysis Time: 2013-06-10 14:12:14 Start Reason: AnalysisTarget Termination Reason: TerminatedBySelf Start Time: Mon, 10 Jun 2013 18:16:05 +0000 Termination Time: Mon, 10 Jun 2013 18:16:18 +0000 Analysis Time: 2013-06-10 14:12:14 Sandbox: XPSP3-00-0C-29-5E-B4-D8 Total Processes: 1 Sample Notes: Digital Behavior Traits Alters Windows Firewall Checks For Debugger Copies to Windows Could Not Load Creates DLL in System Creates EXE in System Creates Hidden File Creates Mutex Creates Service Deletes File in System Deletes Original Sample Hooks Keyboard Injected Code Makes Network Connection Modifies File in System Modifies Local DNS More than 5 Processes Opens Physical Memory Starts EXE in Documents Starts EXE in Recycle Starts EXE in System Windows/Run Registry Key Set 3/11

Created Mutexes mutex Name: Local\c:!docume~1!admini~1!locals~1!temp!temporary internet files!content.ie5! Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE Name: Local\c:!docume~1!admini~1!locals~1!temp!cookies! Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE Name: Local\c:!docume~1!admini~1!locals~1!temp!history!history.ie5! Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE 4/11

Created Keys key \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\WinRAR \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache 5/11

Set Values key Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\WinRAR Value: HWID entversion\explorer\shell Folders Value: AppData entversion\explorer\shell Folders Value: Local AppData entversion\explorer\shell Folders Value: Personal Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\WinRAR Value: Client Hash Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\WinRAR Value: 8E22E255AC74710F04E018F3D17C6B28 entversion\explorer\mountpoints2\{3259504d-e161-11e0-bf1d-806d6172696f} Value: BaseClass entversion\explorer\mountpoints2\{3259504b-e161-11e0-bf1d-806d6172696f} Value: BaseClass entversion\explorer\mountpoints2\{3259504a-e161-11e0-bf1d-806d6172696f} Value: BaseClass entversion\explorer\shell Folders Value: Desktop Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\WinRAR Value: 8E22E255AC74710F04E018F3D17C6B28 6/11

Network Events Remote IP Local IP HTTP Command 173.255.213.171 10.20.25.247 POST /ponyb/gate.php 62.149.131.162 10.20.25.247 GET /ToSN79T.exe 173.254.68.134 10.20.25.247 GET /PMLyQRMt.exe 207.204.5.170 10.20.25.247 GET /PXVYGJx.exe POST /private/sandbox_status.php 7/11

Network Traffic Remote IP Local IP Connection #1 10.20.25.255 10.20.25.247 8/11

DNS Requests Request Result mceneryfinancial.com 173.255.213.171 www.errezeta.biz 62.149.131.162 ftp.myfxpips.com 173.254.68.134 9/11

Virus Total Results Last Scanned: 2013-06-10 18:06:42 MicroWorld-eScan: nprotect: CAT-QuickHeal: McAfee: Malwarebytes: TheHacker: K7GW: K7AntiVirus: NANO-Antivirus: F-Prot: Symantec: Norman: TotalDefense: TrendMicro-HouseCall: Avast: esafe: ClamAV: Kaspersky: BitDefender: Agnitum: SUPERAntiSpyware: ByteHero: Sophos: Comodo: F-Secure: DrWeb: VIPRE: AntiVir: TrendMicro: McAfee-GW-Edition: Emsisoft: Jiangmin: Antiy-AVL: Kingsoft: Microsoft: ViRobot: GData: Commtouch: AhnLab-V3: VBA32: PCTools: ESET-NOD32: Rising: Ikarus: Fortinet: AVG: Panda: 10/11

Powered by TCPDF (www.tcpdf.org) Analysis # 31139 ThreatTrack Security, Inc. 33 North Garden Avenue, Suite 1200, Clearwater, Florida, USA 33755 Telephone: (855) 443-4284 Intl: +1(813)367-9907 Email: Sales@ThreatTrack.com Disclaimer 2013. ThreatTrack Security, Inc. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided as is with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. ThreatTrack Security, Inc. is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, ThreatTrack Security makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. ThreatTrack Security makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical. 11/11