wordview_en-us (1).exe
This report was generated from a file or URL submitted to this web service on November 29th 2016 18:52:24 (UTC) with the action script "Heavy Anti-Evasion".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v5.40 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (2)

Pattern Matching

YARA signature match
- details: YARA signature "misc_iocs" classified file "wordview.msi" as "Misc." based on indicators: "d0cf11e0,dw20.exe" (Reference: N/A, Author: @patrickrolsen)
- source: YARA Signature
- relevance: 10/10

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details: ExitWindowsEx@USER32.dll
- source: Hybrid Analysis Technology
- relevance: 5/10

Suspicious Indicators (12)

Environment Awareness

Reads the active computer name
- details: "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10

Reads the cryptographic machine GUID
- details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

Installation/Persistence

Drops executable files
- details:
"MSI71BC.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSIF162.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSIF267.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSIEFEF.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Extracted File
- relevance: 10/10

The input sample dropped/contains a certificate file
- details:
File "files12.cat" is a certificate (Owner: CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US; Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA; SerialNumber: 47bf1995df8d524643f7db6d480d31a4; Valid From: 12/04/2003 01:00:00; Until: 12/04/2013 00:59:59; Fingerprints: MD5=68:23:26:7A:B3:5E:C7:A5:44:99:04:BB:4D:80:41:A7; SHA1=F4:6A:C0:C6:EF:BB:8C:6A:14:F5:5F:09:E2:D3:7D:F4:C0:DE:01:2D)
File "files12.cat" is a certificate (Owner: CN=VeriSign Time Stamping Services Signer, O="VeriSign, Inc.", C=US; Issuer: CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US; SerialNumber: de92bf0d4d82988183205095e9a7688; Valid From: 12/04/2003 01:00:00; Until: 12/04/2008 00:59:59; Fingerprints: MD5=53:40:E9:1A:17:59:57:50:55:45:27:21:58:46:EE:71; SHA1=81:7E:78:26:73:00:CB:0F:E5:D6:31:35:78:51:DB:36:61:23:A6:90)
File "files12.cat" is a certificate (Owner: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: c1008b3c3c8811d13ef663ecdf40; Valid From: 01/10/1997 08:00:00; Until: 12/31/2020 08:00:00; Fingerprints: MD5=2A:95:4E:CA:79:B2:87:45:73:D9:2D:90:BA:F9:9F:B6; SHA1=A4:34:89:15:9A:52:0F:0D:93:D0:32:CC:AF:37:E7:FE:20:A8:B4:19)
File "files12.cat" is a certificate (Owner: CN=Microsoft Code Signing PCA, OU=Copyright c 2000 Microsoft Corp., O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: 6a0b994fc0001dab11dac402a16627ba; Valid From: 04/04/2006 19:44:14; Until: 04/26/2012 09:00:00; Fingerprints: MD5=90:C0:F7:B4:B2:6E:E5:53:F4:BD:0D:AD:3F:58:52:0D; SHA1=D0:7E:A6:40:88:A8:00:85:F0:1B:D4:0A:A4:EA:D8:2F:47:04:82:A6)
File "files12.cat" is a certificate (Owner: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Code Signing PCA, OU=Copyright c 2000 Microsoft Corp., O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 61469ecb000400000065; Valid From: 04/04/2006 21:43:46; Until: 10/04/2007 21:53:46; Fingerprints: MD5=5F:C1:8A:70:CD:3F:89:50:D5:D7:AC:66:8E:80:4A:71; SHA1=56:4E:01:06:63:87:F2:6C:91:20:10:D0:6B:D7:8D:3C:F1:E8:45:AB)
- source: Extracted File
- relevance: 10/10

Network Related

Found potential IP address in binary/memory
- details:
Heuristic match: "12.0.6015.0"
Heuristic match: "12.0.6015.5000"
Heuristic match: "0;{9085040D-6000-11D3-8CFE-0150048383C9}11.0.6506.0;{00850000-6000-11D3-8CFE-0050048383C9}"
Heuristic match: "@HRDEC;;B&F7BB4FhD&BrSummaryInformation(#19TTo19U_wF``3.@7[Microsoft Setup CompilerIntel;2070Intel;2070{90850816-6000-11D3-8CFE-0150048383C9}11.0.6506.0;{90850816-6000-11D3-8CFE-0150048383C9}11.0.6506.0;{00850000-6000-11D3-8CFE-0050048383C9}d"
Heuristic match: "intalciu produktu Microsoft Office Word Viewer 2003.@Microsoft Setup CompilerIntel;1051Intel;1051{9085041B-6000-11D3-8CFE-0150048383C9}11.0.6506.0;{9085041B-6000-11D3-8CFE-0150048383C9}11.0.6506.0;{00850000-6000-11D3-8CFE-0050048383C9}d=c"
Heuristic match: "1KMicrosoft Setup CompilerIntel;1041Intel;1041{90850411-6000-11D3-8CFE-0150048383C9}11.0.6506.0;{90850411-6000-11D3-8CFE-0150048383C9}11.0.6506.0;{00850000-6000-11D3-8CFE-0050048383C9}d"
Heuristic match: "1KMicrosoft Setup CompilerIntel;1041Intel;1041{90850411-6000-11D3-8CFE-0150048383C9}11.0.6506.0;{90850411-6000-11D3-8CFE-0150048383C9}11.0.6506.0;{00850000-6000-11D3-8CFE-0050048383C9}d=c"
Heuristic match: "l#36TTo36UFl;1042{90850412-6000-11D3-8CFE-0150048383C9}11.0.6506.0;{90850412-6000-11D3-8CFE-0150048383C9}11.0.6506.0;{00850000-6000-11D3-8CFE-0050048383C9}d"
- source: String
- relevance: 3/10

System Destruction

Marks file for deletion
- details: "C:\47ce4e64fdb5044df4c07f8c155b07b44e0aa1a23e417258e3c33b2e0de15c55.exe" marked "%TEMP%\OWPFF50.tmp" for deletion
- source: API Call
- relevance: 10/10

Opens file with deletion access rights
- details: "<Input Sample>" opened "%TEMP%\OWPFF50.tmp" with delete access
- source: API Call
- relevance: 7/10

Unusual Characteristics

CRC value set in PE header does not match actual value
- details: "MSIF267.tmp" claimed CRC 42350 while the actual is CRC 179751
- source: Static Parser
- relevance: 10/10

Contains embedded string with suspicious keywords
- details:
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
- source: String
- relevance: 10/10

Imports suspicious APIs
- details:
LookupAccountNameW
RegCloseKey
RegCreateKeyExA
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueA
RegDeleteValueW
RegEnumKeyExA
RegOpenKeyExA
RegOpenKeyExW
StartServiceW
CreateProcessW
FindFirstFileW
GetDriveTypeW
GetModuleHandleA
GetProcAddress
GetTickCount
GetVersionExA
LoadLibraryA
Sleep
TerminateProcess
UnhandledExceptionFilter
VirtualProtect
FindWindowW
- source: Static Parser
- relevance: 1/10

Reads information about supported languages
- details:
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

Hiding 1 suspicious indicator
Informative (17)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Environment Awareness

Contains ability to query machine time
- details: GetSystemTimeAsFileTime@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details:
GetVersionExA@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details: GetDiskFreeSpaceExA@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 3/10

Makes a code branch decision directly after an API that is environment aware
- details:
Found API call GetDiskFreeSpaceExA@KERNEL32.dll (Target: "47ce4e64fdb5044df4c07f8c155b07b44e0aa1a23e417258e3c33b2e0de15c55.exe.bin"; Stream UID: "49334-2558-30026A18") which is directly followed by "cmp dword ptr [ebp-00000084h], eax" and "je 30026A5Bh". See related instructions: "...
+19 call 30011E07h
+24 push dword ptr [ebp+14h]
+27 mov eax, dword ptr [eax]
+29 push dword ptr [ebp+10h]
+32 push dword ptr [ebp+0Ch]
+35 push eax
+36 call dword ptr [300010A8h] ;GetDiskFreeSpaceExA
+42 mov esi, eax
+44 lea eax, dword ptr [ebp-80h]
+47 cmp dword ptr [ebp-00000084h], eax
+53 je 30026A5Bh" ...
Found API call GetVersionExA@KERNEL32.dll (Target: "47ce4e64fdb5044df4c07f8c155b07b44e0aa1a23e417258e3c33b2e0de15c55.exe.bin"; Stream UID: "49334-3323-300562BE") which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 300562FFh". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000098h
+9 mov eax, dword ptr [30083FBCh]
+14 xor eax, ebp
+16 mov dword ptr [ebp-04h], eax
+19 lea eax, dword ptr [ebp-00000098h]
+25 push eax
+26 mov dword ptr [ebp-00000098h], 00000094h
+36 call dword ptr [30001080h] ;GetVersionExA
+42 cmp dword ptr [ebp-00000088h], 02h
+49 jne 300562FFh" ...
- source: Hybrid Analysis Technology
- relevance: 10/10

External Systems

Sample was identified as clean by Antivirus engines
- details:
0/55 Antivirus vendors marked sample as malicious (0% detection rate)
0/42 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General

Contains PDB pathways
- details:
"t:\ses\x86\ship\0\opatchinst.pdb"
"hip\0\opatchinst.exe\bbtopt\opatchinstO.pdb"
- source: String
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
"<Input Sample>" created file "%TEMP%\OWPFF50.tmp\eula.txt"
"<Input Sample>" created file "%TEMP%\Microsoft Office Word Viewer (0).log"
- source: API Call
- relevance: 1/10

Creates mutants
- details: "\Sessions\1\BaseNamedObjects\Global\MSILOG_e70024401d24a73gol.)0( reweiV droW eciffO tfosorciM_pmeT_lacoL_ataDppA_SWBUPSP_sresU_:C"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details:
- Antivirus vendors marked dropped file "MSI71BC.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "wordview.msi" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 5.2 Title: Installation Database Subject: Microsoft Office Word Viewer 2003 Author: Microsoft Corporation Keywords: InstallerMSIDatabaseRelease Comments: This Installer database contains the logic and data required to install Microsoft Office Word Viewer 2003. Template: Intel;1033 Create Time/Date: Wed Apr 27 11:56:12 2005 Number of Pages: 100 Name of Creating Application: Microsoft Setup Compiler Number of Words: 3 Revision Number: {A90C621A-B6CF-4F4E-A00D-A8EFAE684CCB}"), Antivirus vendors marked dropped file "MSIF162.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "MSIF267.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "MSIEFEF.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "PREWDVIEWSP3.msp" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 5.2 Revision Number: {FE294A11-5F64-40D2-B37B-03C949A63071}{37FF9BB6-1FC7-4A55-974B-654C58925522}{87F42A2C-39C8-4C48-B998-265FE3053987}{397960C8-E6D0-4DB1-87C4-3226973DFCE9}{70313221-900A-411E-87C4-C145D48DF679}{63784129-90B0-43D5-8914-B503812CA894}{AA446589-C141-4A2B-9BE5-17F4E80B7B28}{1AD02127-20BB-47D2-AF52-A03EA7D64D99}{965A1FDD-3707-4229-8093-4772EF98F22A}{151AC68D-255D-418F-B0C1-3DA795C0EFB5}{04D2F2D2-91F9-4411-A27A-A8D6741FE421}{9F1309B9-B8D8-4F8A-8BA2-B78089391B93} Template: 
{90850406-6000-11D3-8CFE-0150048383C9};{9085040B-6000-11D3-8CFE-0150048383C9};{9085040C-6000-11D3-8CFE-0150048383C9};{90850407-6000-11D3-8CFE-0150048383C9};{90850410-6000-11D3-8CFE-0150048383C9};{90850413-6000-11D3-8CFE-0150048383C9};{90850414-6000-11D3-8CFE-0150048383C9};{90850415-6000-11D3-8CFE-0150048383C9};{90850416-6000-11D3-8CFE-0150048383C9};{90850419-6000-11D3-8CFE-0150048383C9};{9085041D-6000-11D3-8CFE-0150048383C9};{90850402-6000-11D3-8CFE-0150048383C9};{90850405-6000-11D3-8CFE-0150048383C9};{90850408-6000-11D3-8CFE-0150048383C9};{90850C0A-6000-11D3-8CFE-0150048383C9};{9085041A-6000-11D3-8CFE-0150048383C9};{9085040E-6000-11D3-8CFE-0150048383C9};{90850426-6000-11D3-8CFE-0150048383C9};{90850816-6000-11D3-8CFE-0150048383C9};{90850418-6000-11D3-8CFE-0150048383C9};{90850424-6000-11D3-8CFE-0150048383C9};{9085081A-6000-11D3-8CFE-0150048383C9};{9085041F-6000-11D3-8CFE-0150048383C9};{90850422-6000-11D3-8CFE-0150048383C9};{90850425-6000-11D3-8CFE-0150048383C9};{90850427-6000-11D3-8CFE-0150048383C9};{9085041B Last Saved By: :1TTo1U;:#1TTo1U;:2TTo2U;:#2TTo2U;:3TTo3U;:#3TTo3U;:4TTo4U;:#4TTo4U;:5TTo5U;:#5TTo5U;:6TTo6U;:#6TTo6U;:7TTo7U;:#7TTo7U;:8TTo8U;:#8TTo8U;:9TTo9U;:#9TTo9U;:10TTo10U;:#10TTo10U;:11TTo11U;:#11TTo11U;:12TTo12U;:#12TTo12U;:13TTo13U;:#13TTo13U;:14TTo14U;:#14TTo14U;:15TTo15U;:#15TTo15U;:16TTo16U;:#16TTo16U;:17TTo17U;:#17TTo17U;:18TTo18U;:#18TTo18U;:19TTo19U;:#19TTo19U;:20TTo20U;:#20TTo20U;:21TTo21U;:#21TTo21U;:22TTo22U;:#22TTo22U;:23TTo23U;:#23TTo23U;:24TTo24U;:#24TTo24U;:25TTo25U;:#25TTo25U;:26TTo26U;:#26TTo26U;:27TTo27U;:#27TTo27U;:28TTo28U;:#28TTo28U;:29TTo29U;:#29TTo29U;:30TTo30U;:#30TTo30U;:31TTo31U;:#31TTo31U;:32TTo32U;:#32TTo32U;:33TTo33U;:#33TTo33U;:34TTo34U;:#34TTo34U;:35TTo35U;:#35TTo35U;:36TTo36U;:#36TTo36U Title: Office 2003 Patch;wordview;8133;FullFile;ALL Number of Words: 3")
- source: Extracted File
- relevance: 10/10

Loads rich edit control libraries
- details: "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6AC10000
- source: Loaded Module

Spawns new processes
- details: Spawned process "msiexec.exe" with commandline "/i "wordview.msi" /l*v+ "%TEMP%\Microsoft Office Word Viewer (0).log""
- source: Monitored Target
- relevance: 3/10

Installation/Persistence

Connects to LPC ports
- details: "<Input Sample>" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
"MSI71BC.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"wordview.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 5.2 Title: Installation Database Subject: Microsoft Office Word Viewer 2003 Author: Microsoft Corporation Keywords: InstallerMSIDatabaseRelease Comments: This Installer database contains the logic and data required to install Microsoft Office Word Viewer 2003. Template: Intel;1033 Create Time/Date: Wed Apr 27 11:56:12 2005 Number of Pages: 100 Name of Creating Application: Microsoft Setup Compiler Number of Words: 3 Revision Number: {A90C621A-B6CF-4F4E-A00D-A8EFAE684CCB}"
"MSIF162.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSIF267.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"files12.cat" has type "data"
"MSIEFEF.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"PREWDVIEWSP3.msp" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 5.2 Revision Number: {FE294A11-5F64-40D2-B37B-03C949A63071}{37FF9BB6-1FC7-4A55-974B-654C58925522}{87F42A2C-39C8-4C48-B998-265FE3053987}{397960C8-E6D0-4DB1-87C4-3226973DFCE9}{70313221-900A-411E-87C4-C145D48DF679}{63784129-90B0-43D5-8914-B503812CA894}{AA446589-C141-4A2B-9BE5-17F4E80B7B28}{1AD02127-20BB-47D2-AF52-A03EA7D64D99}{965A1FDD-3707-4229-8093-4772EF98F22A}{151AC68D-255D-418F-B0C1-3DA795C0EFB5}{04D2F2D2-91F9-4411-A27A-A8D6741FE421}{9F1309B9-B8D8-4F8A-8BA2-B78089391B93} Template: {90850406-6000-11D3-8CFE-0150048383C9};{9085040B-6000-11D3-8CFE-0150048383C9};{9085040C-6000-11D3-8CFE-0150048383C9};{90850407-6000-11D3-8CFE-0150048383C9};{90850410-6000-11D3-8CFE-0150048383C9};{90850413-6000-11D3-8CFE-0150048383C9};{90850414-6000-11D3-8CFE-0150048383C9};{90850415-6000-11D3-8CFE-0150048383C9};{90850416-6000-11D3-8CFE-0150048383C9};{90850419-6000-11D3-8CFE-0150048383C9};{9085041D-6000-11D3-8CFE-0150048383C9};{90850402-6000-11D3-8CFE-0150048383C9};{90850405-6000-11D3-8CFE-0150048383C9};{90850408-6000-11D3-8CFE-0150048383C9};{90850C0A-6000-11D3-8CFE-0150048383C9};{9085041A-6000-11D3-8CFE-0150048383C9};{9085040E-6000-11D3-8CFE-0150048383C9};{90850426-6000-11D3-8CFE-0150048383C9};{90850816-6000-11D3-8CFE-0150048383C9};{90850418-6000-11D3-8CFE-0150048383C9};{90850424-6000-11D3-8CFE-0150048383C9};{9085081A-6000-11D3-8CFE-0150048383C9};{9085041F-6000-11D3-8CFE-0150048383C9};{90850422-6000-11D3-8CFE-0150048383C9};{90850425-6000-11D3-8CFE-0150048383C9};{90850427-6000-11D3-8CFE-0150048383C9};{9085041B Last Saved By: 
:1TTo1U;:#1TTo1U;:2TTo2U;:#2TTo2U;:3TTo3U;:#3TTo3U;:4TTo4U;:#4TTo4U;:5TTo5U;:#5TTo5U;:6TTo6U;:#6TTo6U;:7TTo7U;:#7TTo7U;:8TTo8U;:#8TTo8U;:9TTo9U;:#9TTo9U;:10TTo10U;:#10TTo10U;:11TTo11U;:#11TTo11U;:12TTo12U;:#12TTo12U;:13TTo13U;:#13TTo13U;:14TTo14U;:#14TTo14U;:15TTo15U;:#15TTo15U;:16TTo16U;:#16TTo16U;:17TTo17U;:#17TTo17U;:18TTo18U;:#18TTo18U;:19TTo19U;:#19TTo19U;:20TTo20U;:#20TTo20U;:21TTo21U;:#21TTo21U;:22TTo22U;:#22TTo22U;:23TTo23U;:#23TTo23U;:24TTo24U;:#24TTo24U;:25TTo25U;:#25TTo25U;:26TTo26U;:#26TTo26U;:27TTo27U;:#27TTo27U;:28TTo28U;:#28TTo28U;:29TTo29U;:#29TTo29U;:30TTo30U;:#30TTo30U;:31TTo31U;:#31TTo31U;:32TTo32U;:#32TTo32U;:33TTo33U;:#33TTo33U;:34TTo34U;:#34TTo34U;:35TTo35U;:#35TTo35U;:36TTo36U;:#36TTo36U Title: Office 2003 Patch;wordview;8133;FullFile;ALL Number of Words: 3"
"eula.txt" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
- source: Extracted File
- relevance: 3/10

Touches files in the Windows directory
- details:
"<Input Sample>" touched file "%WINDIR%\system32\msi.dll"
"<Input Sample>" touched file "%WINDIR%\system32\shell32.dll"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
"<Input Sample>" touched file "%WINDIR%\System32\msxml3r.dll"
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details:
Heuristic match: "files12.cat"
Heuristic match: "=!=1=Q.az"
Heuristic match: "NKOCy
1R.Ws"
Heuristic match: "TmBBc
c.iM"
Heuristic match: "<pO}SB!.uS"
Heuristic match: "B%Tk'R.Gm"
Pattern match: "crl.microsoft.com/pki/crl/products/CSPCA.crl0H"
Pattern match: "http://www.microsoft.com/pki/certs/CSPCA.crt0"
Pattern match: "crl.microsoft.com/pki/crl/products/tspca.crl0H"
Pattern match: "http://www.microsoft.com/pki/certs/tspca.crt0"
Pattern match: "http://office.microsoft.com"
Heuristic match: "SYS.LANG.NAME"
Heuristic match: "NG.NAME"
Heuristic match: "ry>$(PATCH.EXTRACTPATH)</LaunchDirectory>
<Property>PATCH.LAUNCHEXITCODE</Property>
</Action>
</IfTrue>
<IfFalse>
<Action type=If>
<Condition>
<Equal property=SYS.ARGS.PASSIVE toValue=1/>
</Condition>
<IfTrue>
"
Pattern match: "www.microsoft.com/exporting.\par"
Pattern match: "http://www.microsoft.com/Office/ORK/"
Pattern match: "www.microsoft.com/exporting"
Pattern match: "support.microsoft.com/kb/934736MoreInfoURLService"
- source: String
- relevance: 10/10

System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "<Input Sample>" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10

File Details
- Filename: wordview_en-us (1).exe
- Size: 24MiB (25685128 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 47ce4e64fdb5044df4c07f8c155b07b44e0aa1a23e417258e3c33b2e0de15c55
- MD5: ef59dc6b88eab99362b3ba4982f1a4cb
- SHA1: e6dfdc8a1545d45ef5840ba513a5c4036bf154bc

Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.5% (.EXE) DOS Executable Generic

Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- Input Sample (PID: 2460)
- msiexec.exe /i "wordview.msi" /l*v+ "%TEMP%\Microsoft Office Word Viewer (0).log" (PID: 2804)

Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
| String | Context | Stream UID |
|---|---|---|
| watson.microsoft.com | Domain/IP reference | 49334-4013-300443B1 |

Extracted Files
Malicious (1)

wordview.msi
- Size: 866KiB (886272 bytes)
- Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, Title: Installation Database, Subject: Microsoft Office Word Viewer 2003, Author: Microsoft Corporation, Keywords: Installer,MSI,Database,Release, Comments: This Installer database contains the logic and data required to install Microsoft Office Word Viewer 2003., Template: Intel;1033, Create Time/Date: Wed Apr 27 11:56:12 2005, Number of Pages: 100, Name of Creating Application: Microsoft Setup Compiler, Number of Words: 3, Revision Number: {A90C621A-B6CF-4F4E-A00D-A8EFAE684CCB}
- AV Scan Result: 0/55
- Runtime Process: 47ce4e64fdb5044df4c07f8c155b07b44e0aa1a23e417258e3c33b2e0de15c55.exe (PID: 2460)
- Additional info: YARA signature match
- MD5: 3a736bbcc73e1881ff188c74eb15e3ef
- SHA1: b438fae7012101b251b4a2d192d8eec7efa5d943
- SHA256: e77910dfb520884b6be4f5a7247ddbca0c2f161355727c59a0ecf2cb6132638d

Clean (5)

PREWDVIEWSP3.msp
- Size: 336KiB (344064 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, Revision Number: {FE294A11-5F64-40D2-B37B-03C949A63071}{37FF9BB6-1FC7-4A55-974B-654C58925522}{87F42A2C-39C8-4C48-B998-265FE3053987}{397960C8-E6D0-4DB1-87C4-3226973DFCE9}{70313221-900A-411E-87C4-C145D48DF679}{63784129-90B0-43D5-8914-B503812CA894}{AA446589-C141-4A2B-9BE5-17F4E80B7B28}{1AD02127-20BB-47D2-AF52-A03EA7D64D99}{965A1FDD-3707-4229-8093-4772EF98F22A}{151AC68D-255D-418F-B0C1-3DA795C0EFB5}{04D2F2D2-91F9-4411-A27A-A8D6741FE421}{9F1309B9-B8D8-4F8A-8BA2-B78089391B93}, Template: {90850406-6000-11D3-8CFE-0150048383C9};{9085040B-6000-11D3-8CFE-0150048383C9};{9085040C-6000-11D3-8CFE-0150048383C9};{90850407-6000-11D3-8CFE-0150048383C9};{90850410-6000-11D3-8CFE-0150048383C9};{90850413-6000-11D3-8CFE-0150048383C9};{90850414-6000-11D3-8CFE-0150048383C9};{90850415-6000-11D3-8CFE-0150048383C9};{90850416-6000-11D3-8CFE-0150048383C9};{90850419-6000-11D3-8CFE-0150048383C9};{9085041D-6000-11D3-8CFE-0150048383C9};{90850402-6000-11D3-8CFE-0150048383C9};{90850405-6000-11D3-8CFE-0150048383C9};{90850408-6000-11D3-8CFE-0150048383C9};{90850C0A-6000-11D3-8CFE-0150048383C9};{9085041A-6000-11D3-8CFE-0150048383C9};{9085040E-6000-11D3-8CFE-0150048383C9};{90850426-6000-11D3-8CFE-0150048383C9};{90850816-6000-11D3-8CFE-0150048383C9};{90850418-6000-11D3-8CFE-0150048383C9};{90850424-6000-11D3-8CFE-0150048383C9};{9085081A-6000-11D3-8CFE-0150048383C9};{9085041F-6000-11D3-8CFE-0150048383C9};{90850422-6000-11D3-8CFE-0150048383C9};{90850425-6000-11D3-8CFE-0150048383C9};{90850427-6000-11D3-8CFE-0150048383C9};{9085041B, Last Saved By: 
:1TTo1U;:#1TTo1U;:2TTo2U;:#2TTo2U;:3TTo3U;:#3TTo3U;:4TTo4U;:#4TTo4U;:5TTo5U;:#5TTo5U;:6TTo6U;:#6TTo6U;:7TTo7U;:#7TTo7U;:8TTo8U;:#8TTo8U;:9TTo9U;:#9TTo9U;:10TTo10U;:#10TTo10U;:11TTo11U;:#11TTo11U;:12TTo12U;:#12TTo12U;:13TTo13U;:#13TTo13U;:14TTo14U;:#14TTo14U;:15TTo15U;:#15TTo15U;:16TTo16U;:#16TTo16U;:17TTo17U;:#17TTo17U;:18TTo18U;:#18TTo18U;:19TTo19U;:#19TTo19U;:20TTo20U;:#20TTo20U;:21TTo21U;:#21TTo21U;:22TTo22U;:#22TTo22U;:23TTo23U;:#23TTo23U;:24TTo24U;:#24TTo24U;:25TTo25U;:#25TTo25U;:26TTo26U;:#26TTo26U;:27TTo27U;:#27TTo27U;:28TTo28U;:#28TTo28U;:29TTo29U;:#29TTo29U;:30TTo30U;:#30TTo30U;:31TTo31U;:#31TTo31U;:32TTo32U;:#32TTo32U;:33TTo33U;:#33TTo33U;:34TTo34U;:#34TTo34U;:35TTo35U;:#35TTo35U;:36TTo36U;:#36TTo36U, Title: Office 2003 Patch;wordview;8133;FullFile;ALL, Number of Words: 3
- AV Scan Result: 0/46
- Runtime Process: 47ce4e64fdb5044df4c07f8c155b07b44e0aa1a23e417258e3c33b2e0de15c55.exe (PID: 2460)
- MD5: f8838c2788d538b340171c37af7921af
- SHA1: af5c2d14d7860eeb0997e73aa9085553c231f582
- SHA256: d9532df2483b47aa13b987d7d0ebe82ff9dcef8c7b6c531329c1927efd4ba1cb

MSI71BC.tmp
- Size: 119KiB (121344 bytes)
- Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/58
- Runtime Process: msiexec.exe (PID: 2804)
- MD5: ddda9f66b090c70b29deba48e15d3d15
- SHA1: e0c49992b2b8435ccebe903e1c425db83ca3aad1
- SHA256: ea7001ed247cad1e549ac429658bcc347ce6d44c18d24a9503ef0f7f984ddbb5

MSIEFEF.tmp
- Size: 119KiB (121344 bytes)
- Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/58
- Runtime Process: msiexec.exe (PID: 2804)
- MD5: ddda9f66b090c70b29deba48e15d3d15
- SHA1: e0c49992b2b8435ccebe903e1c425db83ca3aad1
- SHA256: ea7001ed247cad1e549ac429658bcc347ce6d44c18d24a9503ef0f7f984ddbb5

MSIF162.tmp
- Size: 119KiB (121344 bytes)
- Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/58
- Runtime Process: msiexec.exe (PID: 2804)
- MD5: ddda9f66b090c70b29deba48e15d3d15
- SHA1: e0c49992b2b8435ccebe903e1c425db83ca3aad1
- SHA256: ea7001ed247cad1e549ac429658bcc347ce6d44c18d24a9503ef0f7f984ddbb5

MSIF267.tmp
- Size: 11KiB (11264 bytes)
- Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/58
- Runtime Process: msiexec.exe (PID: 2804)
- MD5: b099830c967cec1138da675888641662
- SHA1: af97fb07c7ea47e81222208ddcd675e77b970414
- SHA256: bbf3794e7419c7503146ae93146c3f0b13b3dcbaf427af879c5c9d457dfa0a9b

Informative (2)

files12.cat
- Size: 1.3MiB (1323033 bytes)
- Type: data
- Runtime Process: 47ce4e64fdb5044df4c07f8c155b07b44e0aa1a23e417258e3c33b2e0de15c55.exe (PID: 2460)
- MD5: 42fa50994a888c063c67b1d82e6e04b9
- SHA1: 0aa57af257765415491b8b0a5c39498c1c2e1eab
- SHA256: 7f14b288bbd5bbcea2b37014b997a8e852e7072b6005fb7ac2a7a5d9dca3f033

eula.txt
- Size: 13KiB (13216 bytes)
- Type: Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process: 47ce4e64fdb5044df4c07f8c155b07b44e0aa1a23e417258e3c33b2e0de15c55.exe (PID: 2460)
- MD5: 0edc67969552022a8bf6bd55e668ef1a
- SHA1: aae43bcfc0155d05a12439eb9c17334983fb3921
- SHA256: decb736ca4c8cd7a92ac5a3363dcc7de97cb6f64a5b7e5136fdfe0ddbb387831

Notifications

Runtime
- Added comment to VirusTotal report
- Although all strings were processed, some are hidden from the report to reduce its overall size
- No static analysis parsing on sample was performed
- Not all sources for signature ID "string-21" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)