HTE_4_02_0003_S7272.msi
This report is generated from a file or URL submitted to this webservice on July 20th 2016 02:08:41 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v4.50 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed in this report.

Malicious Indicators 1

System Security
References security related windows services
- details
- "8J4#$UyMQ%MwibLqoHsbfe"
- source
- File/Memory
- relevance
- 7/10
Suspicious Indicators 5

Environment Awareness
Possibly tries to implement anti-virtualization techniques
- details
");3uD}QMcIV0:pV?m5rqemuygqZXTW5laPSem0~g<*iP968R4tOkC*xx?W" (Indicator: "qemu")
"T|3tV:__$l==bTI+o+a3j7.ko("@958g0@Dbm@U02c+V:;\Yu"c+1>hTsY~!W1%lfRve~,T:74fOOR{{3(<M0?.eE"F}~OQ(vboxyUC," (Indicator: "vbox")
- source
- File/Memory
- relevance
- 4/10
Installation/Persistence
Touches files in the Windows directory
- details
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{209447B0-9694-4D28-84F0-C791245D0D89}.tmp"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\mlang.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\system32\mlang.dat"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential IP address in binary/memory
- details
Heuristic match: "16.0.0.328"
Heuristic match: "version="1.0.0.0""
Heuristic match: "version="6.0.0.0""
Heuristic match: "0H`@4VS_VERSION_INFOH?StringFileInfo040904B0LCompanyNameAcresso Software Inc.PFileDescriptionISRegSvr.dll Module6FileVersion16.0.0.328:"
- source
- File/Memory
- relevance
- 3/10
Unusual Characteristics
Contains embedded string with suspicious keywords
- details
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Environ" which indicates: "May read system environment variables"
Found suspicious keyword "ShowWindow" which indicates: "May hide the application"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "FindWindow" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
- source
- File/Memory
- relevance
- 10/10

Installs hooks/patches the running process
- details
"WINWORD.EXE" wrote bytes "b2d6bc37" to virtual address "0x673910AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e99e487cf0" to virtual address "0x76D63D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "8a853fea" to virtual address "0x69E3F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "8e9f31ea" to virtual address "0x687878E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "c4cad57680bbd57652bad5769fbbd57608bbd57646ced5766138d676de2fd676d0d9d576000000001779a9764f91a9767f6fa976f4f7a97611f7a976f283a976857ea97600000000" to virtual address "0x6FA61000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "12af9737" to virtual address "0x62679904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "3f62cea2" to virtual address "0x2FDB1B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "9072aeeb" to virtual address "0x67780BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "47da33ea" to virtual address "0x69ABCA70" (part of module "GFX.DLL")
- source
- Hook Detection
- relevance
- 10/10
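Two points a practitioner should check before weighting the hook indicator at 10/10. First, the process list further down shows that the sandbox opened this MSI in WINWORD.EXE under a .rtf name, so every write here was made by Word into its own modules and their dependencies, not by code from the sample. Second, the report does not distinguish code patches from data writes: only the 5-byte write at 0x76D63D01 starts with 0xE9, the x86 opcode for JMP rel32, and is therefore an inline hook whose target can be computed; the 4-byte writes are single dwords that cannot be called hooks without disassembling the surrounding bytes. The script below is an added example (not Hybrid Analysis code) that decodes the records transcribed from the details above. The observation it reports about the 72-byte write in MSIMG32.DLL, that half of its 18 dwords fall in the same 0x76Dxxxxx neighbourhood as the KERNEL32.DLL address the report annotates, is consistent with an import table being resolved, but that reading is an assumption: the report gives no module base addresses, and the module containing the computed JMP target is likewise not stated.

```python
# Records transcribed from the "Installs hooks/patches the running process" details
# above: (address written, bytes written as hex, the report's own annotation).
# Only the records needed for the demonstration are included.
HOOK_WRITES = [
    (0x673910AC, "b2d6bc37", "MSPTLS.DLL"),
    (0x76D63D01, "e99e487cf0", "SetUnhandledExceptionFilter@KERNEL32.DLL"),
    (0x69E3F530, "8a853fea", "WWLIB.DLL"),
    (0x6FA61000,
     "c4cad57680bbd57652bad5769fbbd57608bbd57646ced5766138d676de2fd676d0d9d576"
     "000000001779a9764f91a9767f6fa976f4f7a97611f7a976f283a976857ea97600000000",
     "MSIMG32.DLL"),
]

JMP_REL32 = 0xE9  # x86 opcode for JMP rel32; the instruction is 5 bytes long


def decode_write(addr, hexbytes):
    """Classify one memory write by its length and leading byte.

    A 5-byte write beginning with 0xE9 is a relative jump; the displacement is
    taken from the end of the instruction, so target = addr + 5 + rel32.
    Anything else is reported as raw dword(s) because, without disassembling the
    bytes around it, a 4-byte write could be a pointer, a counter or a patch.
    """
    data = bytes.fromhex(hexbytes)
    if len(data) == 5 and data[0] == JMP_REL32:
        rel = int.from_bytes(data[1:], "little", signed=True)
        target = (addr + 5 + rel) & 0xFFFFFFFF  # 32-bit guest, wrap like the CPU does
        return {"kind": "jmp-rel32", "target": target}
    if len(data) == 4:
        return {"kind": "dword", "value": int.from_bytes(data, "little")}
    if len(data) % 4 == 0:
        entries = [int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data), 4)]
        return {"kind": "dword-table", "entries": entries}
    return {"kind": "unknown", "length": len(data)}


def count_in_range(values, lo, hi):
    """How many values fall in the half-open range [lo, hi)."""
    return sum(1 for v in values if lo <= v < hi)


def summarize(records):
    """Decode every record, keeping the address and the report's annotation."""
    return [dict(addr=addr, note=note, **decode_write(addr, hexbytes))
            for addr, hexbytes, note in records]


if __name__ == "__main__":
    for r in summarize(HOOK_WRITES):
        if r["kind"] == "jmp-rel32":
            print(f"{r['addr']:#010x} {r['note']}: JMP to {r['target']:#010x}")
        elif r["kind"] == "dword-table":
            # 0x76D00000-0x76E00000 is the neighbourhood of the KERNEL32.DLL address
            # the report annotates; treating it as KERNEL32's range is an assumption.
            k = count_in_range(r["entries"], 0x76D00000, 0x76E00000)
            print(f"{r['addr']:#010x} {r['note']}: {len(r['entries'])} dwords, {k} near KERNEL32")
        else:
            print(f"{r['addr']:#010x} {r['note']}: {r['kind']} {r['value']:#010x}")
```

For the SetUnhandledExceptionFilter record the displacement 0xF07C489E is negative, so the jump lands well below the patched address; if the analysis VM is available, resolving that target against the loaded-module list is the next step, and a target inside an Office module would confirm this as Word's own exception-filter redirection rather than something injected by the sample.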
Informative 7

External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/48 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Contains PDB pathways
- details
"symbols\dll\winhttp.pdb" (matched four times; three of the matches sit inside binary data that begins with the "MSCF" cabinet signature and lists empty.cat, spmsg.dll, svcpack1.dll, winhttp.dll, spuninst.exe, hotfix.exe, hotfix.inf, update\q321856.cat, update\spcustom.dll, update\update.exe, update\update.inf, update\eula.txt and update\update.ver; the unprintable bytes around those names are omitted here)
- source
- File/Memory
- relevance
- 1/10

Creates a writable file in a temporary directory
- details
"WINWORD.EXE" created file "%TEMP%\~DF4D5FA1C75806B607.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF63A009C813AD8F96.TMP"
"WINWORD.EXE" created file "%TEMP%\~DFE35126487B879D4C.TMP"
- source
- API Call
- relevance
- 1/10

Creates mutants
- details
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61046"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61046"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
- source
- Created Mutant
- relevance
- 3/10

Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 62630000
- source
- Loaded Module
Installation/Persistence
Dropped files
- details
"~WRS{209447B0-9694-4D28-84F0-C791245D0D89}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"index.dat" has type "data"
"~WRS{0DB9A3F4-FA88-463F-80ED-65854FEF0327}.tmp" has type "data"
"~$1f4eae6fe5fedff7b3166ddb8e8d2ee1737adff2b80ce1b5fac22ca4fe4cc5.rtf" has type "data"
"~$Normal.dotm" has type "data"
"271f4eae6fe5fedff7b3166ddb8e8d2ee1737adff2b80ce1b5fac22ca4fe4cc5.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Hidden Archive ctime=Wed Jul 20 00:10:07 2016 mtime=Wed Jul 20 00:10:07 2016 atime=Wed Jul 20 09:09:16 2016 length=6789632 window=hide"
- source
- Binary File
- relevance
- 3/10
Network Related
Found potential URL in binary/memory
- details
Heuristic match: "empty.cat"
Heuristic match: "update\q321856.cat"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "http://ocsp.verisign.com/ocsp/status0"
Pattern match: "https://www.verisign.com/rpa0"
Pattern match: "crl.microsoft.com/pki/crl/products/WindowsPCA.crl0"
Pattern match: "http://www.microsoft.com0"
Pattern match: "www.microsoft.com/technet/security/current.asp"
Pattern match: "http://ocsp.verisign.com0"
Pattern match: "http://crl.verisign.com/tss-ca.crl0"
Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0"
Pattern match: "https://www.verisign.com/rpa01"
Pattern match: "http://crl.verisign.com/pca3.crl0"
Pattern match: "http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D"
Pattern match: "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0"
Pattern match: "http://www.acresso.com0"
Pattern match: "S.Zz/}#/YacnCvHED3^1`RU=Vs}cf&'6:m%f[7WOpz&hw72t#JuZTA"
Pattern match: "g.Vvg/%]Isp;sqX1iR_"
- source
- File/Memory
- relevance
- 10/10

File Details
- Filename
- HTE_4_02_0003_S7272.msi
- Size
- 6.5MiB (6789632 bytes)
- Type
- msi data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: ASHostPlatform, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Access Solutions Host Platform Terminal Emulator and Host Print Manager, Author: Hewlett-Packard, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2010 Professional - AdminStudio Edition 16, Last Saved Time/Date: Thu
- Architecture
- WINDOWS
- SHA256
- 271f4eae6fe5fedff7b3166ddb8e8d2ee1737adff2b80ce1b5fac22ca4fe4cc5
- MD5
- 904a1c4c1fee3f73d7b39a87095f8c25
- SHA1
- ecc7735aab0c9a6038dbafd76e74d4b882653a9e
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n "C:\271f4eae6fe5fedff7b3166ddb8e8d2ee1737adff2b80ce1b5fac22ca4fe4cc5.rtf" (PID: 2500)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files

Informative 6

271f4eae6fe5fedff7b3166ddb8e8d2ee1737adff2b80ce1b5fac22ca4fe4cc5.LNK
- Size
- 733B (733 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, Archive, ctime=Wed Jul 20 00:10:07 2016, mtime=Wed Jul 20 00:10:07 2016, atime=Wed Jul 20 09:09:16 2016, length=6789632, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- 32a9ecd5f203ddb30437a7ce01b58f45
- SHA1
- dd54dc909c47224cdfcd3051837f6253cc371556
- SHA256
- c0c5547de59fa26ba413f1a68678cbc76e639de10fd50f127cb2b86119f521b0
-
index.dat
- Size
- 637B (637 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- b168277792f30654d30a013da38299c7
- SHA1
- e333d4679fd44365f7f82223e4fd0ea94703ec3e
- SHA256
- 79746fac2d5943727fab98b24598592cd821c133db69ea720c20e5c47b4464d6
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- a65ef703999a56a1708a09fa29126315
- SHA1
- f4b5b9a219d4a6ae0bde69f15bede304599216fc
- SHA256
- c3599d56013d7fc217cda16e694c4d420f7e73d939c7890863f985ca1b1160d1
-
~WRS{0DB9A3F4-FA88-463F-80ED-65854FEF0327}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- a834d689e1df4061199658d652e196a9
- SHA1
- b47787de44a116159c09e72124d1f6f521af2dfc
- SHA256
- e6a9ac1d30309a9817728942e798b217a782d57e88cfc66c5a819b55bafb2bdc
-
~WRS{209447B0-9694-4D28-84F0-C791245D0D89}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~$1f4eae6fe5fedff7b3166ddb8e8d2ee1737adff2b80ce1b5fac22ca4fe4cc5.rtf
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- a65ef703999a56a1708a09fa29126315
- SHA1
- f4b5b9a219d4a6ae0bde69f15bede304599216fc
- SHA256
- c3599d56013d7fc217cda16e694c4d420f7e73d939c7890863f985ca1b1160d1

Notifications
Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all sources for signature ID "string-3" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)