NetExtender.7.0.196.MSI
This report is generated from a file or URL submitted to this webservice on November 6th 2015 09:39:58 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v2.53 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Suspicious Indicators 3
-
Network Related
-
Found potential URL in binary/memory
- details
- "6.Ji/4W$xXQ]3YJ/tt?D"
- source
- File/Memory
- relevance
- 2/10
-
Found potential URL in binary/memory
-
Unusual Characteristics
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)" - source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "d9635bb7" to virtual address "0x6A72EC08" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "94ae5bb7" to virtual address "0x6987E718" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "e923192cf1" to virtual address "0x77483D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "71446db6" to virtual address "0x685710AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e181bcb6" to virtual address "0x68CAA980" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "c03ef3b6" to virtual address "0x6735F69C" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "3d905fb7" to virtual address "0x2F851634" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "40539c7758589d77186a9d77653c9e770000000000bf47770000000056cc4777000000007cca4777000000003768b6756a2c9e77d62d9e77000000002069b6750000000029a6477700000000a48db67500000000f70e477700000000" to virtual address "0x77071000" (part of module "NSI.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
-
Informative 3
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/53 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as clean by Antivirus engines
-
General
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE12\RICHED20.DLL" at 67300000
- source
- Loaded Module
-
Loads rich edit control libraries
-
Installation/Persistance
-
Dropped files
- details
-
"~$8dc790e634b00c22fbc89dd1bb53100fa73c8a247123c4e1b51485d42d41ae.rtf" has type "data"
"opa12.dat" has type "data"
"~WRD0000.doc" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
"~WRS{975CAB43-418C-4DCC-9E90-D4C74DB01527}.tmp" has type "data"
"~WRD0001.doc" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
"~WRS{3872A411-0410-4DED-8568-17BA18C9DD41}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Dropped files
File Details
NetExtender.7.0.196.MSI
- Filename
- NetExtender.7.0.196.MSI
- Size
- Unknown (0 bytes)
- Type
- msi data
- Description
- Unknown
- Architecture
- WINDOWS
- SHA256
- 4d8dc790e634b00c22fbc89dd1bb53100fa73c8a247123c4e1b51485d42d41ae
- MD5
- 3cab5d7592d0fa7727921a42698f4e11
- SHA1
- 08280afc8b64aa644cb401648767af6fc5ae582c
Classification (TrID)
- 95.6% (.MSI) Microsoft Windows Installer
- 3.0% (.DOC) Microsoft Word document (old ver.)
- 1.2% (.) Generic OLE2 / Multistream Compound File
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n /dde (PID: 176)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative 7
-
-
opa12.dat
- Size
- 8.3KiB (8488 bytes)
- Type
- data
- MD5
- d8ad59b33856d5364e0a9ad15040dcba
- SHA1
- 5b9090b2c553665a24a0be5ac402e85ad08d20c9
- SHA256
- e56aaeddd071f711241bd92273532af4de8bb4c18b8ef6fd1f3797dc82252b04
-
~WRD0000.doc
- Size
- 3.5MiB (3686400 bytes)
- Type
- dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5
- d753915d4b047b4f2e8998916e7d33e9
- SHA1
- 7716aced9283112d769a7829724ca5518c0aa618
- SHA256
- 6a515f8f625592066c115754a221b2bd2a942ad3c33a1f84c8fc770342a27745
-
~WRD0001.doc
- Size
- 3.5MiB (3657216 bytes)
- Type
- dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5
- 7229741c7a861894bda35720e8a3e51e
- SHA1
- 249a2fe7522a7c0075e1fd1d358c7136838206bc
- SHA256
- 387b29b7048a819e56df6444858350aff954c69d4da54b37af641d20a44949a9
-
~WRS{3872A411-0410-4DED-8568-17BA18C9DD41}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS{975CAB43-418C-4DCC-9E90-D4C74DB01527}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- e13e613626c6f29eb9c447500e4e93c9
- SHA1
- dd11a00c1246f3e3857cff08231c4ac85e8cb452
- SHA256
- d827ac33b3250306e9c46f552b48047bf0639b419f229bcd60ed0a367dd7cb28
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- eb472ef53d60378e99e4c5b4676b7255
- SHA1
- afc1b205f30f06ea01fe28f215584518059a6b89
- SHA256
- 39d2e9412fe96606d23204fca641046a20e6da8876865716291b93dcb0ee570e
-
~$8dc790e634b00c22fbc89dd1bb53100fa73c8a247123c4e1b51485d42d41ae.rtf
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 4356a599ac2b4daaeca975e1cef170a7
- SHA1
- 44e63d2026ee8d070c09550b93c9bce18818c693
- SHA256
- 38f7ff95ba35f9305b9868327ef6b04fa5a24e381b8a9a2a255757ef15e32ace
-