11f0900461094bd0a8e16f3e4e6d7200.zip
This report is generated from a file or URL submitted to this webservice on April 10th 2015 14:17:28 (UTC)
Report generated by
Falcon Sandbox v1.66 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Suspicious Indicators 7
-
Anti-Detection/Stealthyness
-
Sets the process error mode to suppress error box
- details
- "WINWORD.EXE" set its error mode to SEM_NOOPENFILEERRORBOX
- source
- API Call
-
Sets the process error mode to suppress error box
-
General
-
Reads configuration files
- details
-
"WINWORD.EXE" read file "C:\Users\desktop.ini"
"WINWORD.EXE" read file "%USERPROFILE%\Desktop\desktop.ini"
"WINWORD.EXE" read file "C:\Users\%USERNAME%\Searches\desktop.ini"
"WINWORD.EXE" read file "C:\Users\%USERNAME%\Videos\desktop.ini" - source
- API Call
-
Reads configuration files
-
Installation/Persistance
-
Monitors specific registry key for changes
- details
- "WINWORD.EXE" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\Windows\CurrentVersion\Explorer" (Filter: 15, Subtree: 1)
- source
- API Call
-
Monitors specific registry key for changes
-
Network Related
-
Found potential URL in binary/memory
- details
-
"R4J3|\z9jcLTI$gRb"F0jEvqhev<~ztG--:[P`2O{\;'O?{o|_~?~/=8l>{m d'K@[=y:`@V~cv}3`Y"6NR/tH/a--jj|B6RT5 \0%+L^I&4q0(Ixb;(9vcuXm|V@nZ>~6*AWA#\aA7'%,wj W$`$1AHE_W^w%/}6LJ^;G[@>}U;3vNvA+6oo\=X9zr^Bxs184<Q`\h4<28^_(/7"NaJ1e%b !+a7jfK}*! Zqz6NE4?G4in[wPp2<>L$$)
:(0A[r.Az" - source
- String
-
Found potential URL in binary/memory
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "E92319DAF0" to virtual address "0x764E3D01" ("SetUnhandledExceptionFilter@kernel32.dll")
"WINWORD.EXE" wrote bytes "00B23E38" to virtual address "0x2FA51634" (part of module "WINWORD.EXE") - source
- Hooks
-
Installs hooks/patches the running process
-
Hiding 2 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 5
-
General
-
Creates mutants
- details
-
"KYIMEShareCachedData.MutexObject.PSPUBWS"
"KYTransactionServer.MutexObject.PSPUBWS" - source
- Created Mutant
-
Loads modules at runtime
- details
-
"WINWORD.EXE" loaded module "SHLWAPI.DLL" at base 76570000
"WINWORD.EXE" loaded module "COMCTL32.DLL" at base 747E0000
"WINWORD.EXE" loaded module "UXTHEME.DLL" at base 74660000
"WINWORD.EXE" loaded module "%PROGRAMFILES%\MICROSOFT OFFICE\OFFICE12\WWLIB.DLL" at base 69020000 - source
- API Call
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 65E00000
- source
- Loaded Module
-
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
-
"DecodePointer@KERNELBASE.dll"
"wnsprintfW@SHLWAPI.dll"
"PathQuoteSpacesW@SHLWAPI.dll"
"PathFindFileNameW@SHLWAPI.dll"
"PathRemoveArgsW@SHLWAPI.dll"
"PathUnquoteSpacesW@SHLWAPI.dll"
"PathRemoveFileSpecW@SHLWAPI.dll" - source
- API Call
-
Creates mutants
-
Installation/Persistance
-
Dropped files
- details
-
"~$Normal.dotm" has type "data"
"~WRS{4C9EFE48-6064-44F1-A9B8-E4409E42A597}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
"~$e8ab113b64c63eec94d38281ef08f6d47d2e8c0de21c3e88618a0b793a1340.doc" has type "data" - source
- Dropped File
-
Dropped files
File Details
11f0900461094bd0a8e16f3e4e6d7200.zip
- Filename
- 11f0900461094bd0a8e16f3e4e6d7200.zip
- Size
- 1.7MiB (1807586 bytes)
- Type
- data compressed zip
- Description
- Zip archive data, at least v2.0 to extract
- Architecture
- WINDOWS
- SHA256
- 6be8ab113b64c63eec94d38281ef08f6d47d2e8c0de21c3e88618a0b793a1340
- MD5
- 0dbbce790e5e36be048126b7043f2f5a
- SHA1
- d80af9b1858270fe189f45cc5c2e6de72717784f
Resources
- Icon
Visualization
-
Classification (TrID)
- 100.0% (.ZIP) ZIP compressed archive
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 1 process in total.
- WINWORD.EXE /n /dde (PID: 3980)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative 3
-
-
~WRS{4C9EFE48-6064-44F1-A9B8-E4409E42A597}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 3e82dbbb9c8e196f25daab1b34f2472b
- SHA1
- 19781f9442b603edd1e8e2e1e2724edb6252a23c
- SHA256
- 922e4e1b2dc7fca2606f3ef18eed4e387b16d8cff9f2af1fd10289447dc5c1cf
-
~$e8ab113b64c63eec94d38281ef08f6d47d2e8c0de21c3e88618a0b793a1340.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- d293a492dc28d25f219c7c7ae73f5fb4
- SHA1
- 1ee563caf157ae8b832fe4093ebdcb9e737ba09f
- SHA256
- 7ad0f37d43b0ded5da4ac6dbbbaa3631191a87ddd12360b43642662a61df6d7e
-