ICC WT20.doc
This report is generated from a file or URL submitted to this webservice on August 3rd 2015 08:10:09 (UTC)
Report generated by Falcon Sandbox v2.10 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access: Contains a remote desktop related string
Indicators
Not all malicious and suspicious indicators are displayed.
Suspicious Indicators (4)

Network Related
- Found potential URL in binary/memory
  - details:
    - "http://i30.fastpic.ru/big/2012/0210/18/b21481e0a1a7f7c6750fafd98b43df18.jpg"
    - "http://www.toyota.com/index.html"
    - "https://raafayawan.files.wordpress.com/2011/04/131065.jpg"
  - source: File/Memory
  - relevance: 2/10
Remote Access Related
- Contains a remote desktop related string
  - details: "=3??7xqVsrPm0!w*Coovnc" (Indicator for product: Generic VNC)
  - source: File/Memory
  - relevance: 10/10
Unusual Characteristics
- Contains embedded string with suspicious keywords
  - details: Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
  - source: File/Memory
  - relevance: 10/10
- Installs hooks/patches the running process
  - details:
    - "WINWORD.EXE" wrote bytes "A907BE46" to virtual address "0x2FAA1634" (part of module "WINWORD.EXE")
    - "WINWORD.EXE" wrote bytes "E9231926F0" to virtual address "0x77703D01" ("SetUnhandledExceptionFilter@kernel32.dll")
  - source: Hook Detection
  - relevance: 10/10
Informative (3)

General
- Creates mutants
  - details:
    - "KYIMEShareCachedData.MutexObject.PSPUBWS"
    - "KYTransactionServer.MutexObject.PSPUBWS"
    - "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
    - "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
    - "Local\ZonesCounterMutex"
    - "Local\ZoneAttributeCacheCounterMutex"
    - "Local\ZonesCacheCounterMutex"
    - "Local\ZonesLockedCacheCounterMutex"
  - source: Created Mutant
  - relevance: 3/10
- Loads rich edit control libraries
  - details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 664E0000
  - source: Loaded Module
- Sample was identified as clean by Antivirus engines
  - details: 0/56 Antivirus vendors marked sample as malicious (0% detection rate)
  - source: External System
  - relevance: 10/10
File Details
- Filename: ICC WT20.doc
- Size: 1.2MiB (1304064 bytes)
- Type: doc office
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Sai, Template: Normal, Last Saved By: wpuser02, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 07:00, Create Time/Date: Mon Jun 29 11:32:00 2015, Last Saved Time/Date: Mon Jun 29 11:32:00 2015, Number of Pages: 2, Number of Words: 760, Number of Characters: 4338, Security: 0
- Architecture: WINDOWS
- SHA256: 3b88796a028f479cdd4df12fd51218b0948cace28ffdc596b1f5aecc6c9be341
- MD5: 6382be19ebd19ae68a37f0698352fd2b
- SHA1: 7c5e3418ce35db6cb7ca4e3f96b6c20d3a1bdde0
Classification (TrID)
- 45.7% (.DOC) Microsoft Word document
- 42.8% (.XLS) Microsoft Excel sheet
- 11.4% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total.
- WINWORD.EXE /n /dde (PID: 3412)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
No significant files were extracted.