Detection.msi
This report is generated from a file or URL submitted to this webservice on May 13th 2015 10:54:21 (UTC)
Report generated by
Falcon Sandbox v1.72 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Indicators
Not all malicious and suspicious indicators are displayed.
Suspicious Indicators 6
Environment Awareness
Queries volume information
- details
- "WINWORD.EXE" queries volume information of "Z:\" at 00137640-00002660-77A76268-156234
- "WINWORD.EXE" queries volume information of "Z:\share" at 00137640-00002660-77A76268-156235
- source
- API Call
- relevance
- 2/10
Queries volume information of an entire harddrive
- details
- "WINWORD.EXE" queries volume information of "Z:\" at 00137640-00002660-77A76268-156234
- source
- API Call
- relevance
- 8/10
General
Reads configuration files
- details
- "WINWORD.EXE" read file "C:\Users\desktop.ini"
- "WINWORD.EXE" read file "%USERPROFILE%\Desktop\desktop.ini"
- "WINWORD.EXE" read file "C:\Users\%USERNAME%\Searches\desktop.ini"
- "WINWORD.EXE" read file "C:\Users\%USERNAME%\Videos\desktop.ini"
- "WINWORD.EXE" read file "C:\Users\%USERNAME%\Pictures\desktop.ini"
- "WINWORD.EXE" read file "C:\Users\%USERNAME%\Contacts\desktop.ini"
- "WINWORD.EXE" read file "C:\Users\%USERNAME%\Favorites\desktop.ini"
- "WINWORD.EXE" read file "C:\Users\%USERNAME%\Music\desktop.ini"
- "WINWORD.EXE" read file "C:\Users\%USERNAME%\Downloads\desktop.ini"
- "WINWORD.EXE" read file "C:\Users\%USERNAME%\Documents\desktop.ini"
- source
- API Call
- relevance
- 4/10
Network Related
Found potential URL in binary/memory
- details
- "xmS.WD<xB,$t>(?+/\0W9*3M^krlyf)o5^{k<9M6Cv4-\?;~dGzV--U!&SJ-nt(.Uz"
- source
- String
- relevance
- 2/10
Unusual Characteristics
Contains embedded string with suspicious keywords
- details
- Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
- Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
- Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
- Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
- Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
- Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
- source
- String
- relevance
- 10/10
Installs hooks/patches the running process
- details
- "WINWORD.EXE" wrote bytes "4E863088" to virtual address "0x2F351634" (part of module "WINWORD.EXE")
- "WINWORD.EXE" wrote bytes "E92319D6F1" to virtual address "0x76933D01" ("SetUnhandledExceptionFilter@kernel32.dll")
- source
- Hooks
- relevance
- 10/10
Informative 5
General
Contains PDB pathways
- details
- "C:\src\wix39\build\ship\x86\wixca.pdb" (embedded in a longer non-printable string dump from the binary, not reproduced here)
- source
- String
- relevance
- 1/10
Creates mutants
- details
- "KYIMEShareCachedData.MutexObject.PSPUBWS"
- "KYTransactionServer.MutexObject.PSPUBWS"
- source
- Created Mutant
- relevance
- 3/10
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 67210000
- source
- Loaded Module
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
- "DecodePointer@KERNELBASE.dll"
- source
- API Call
- relevance
- 1/10
Installation/Persistence
Dropped files
- details
- "~$Normal.dotm" has type "data"
- "~WRS{6CD846E2-F0D3-433A-9927-89BE92BB26CB}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
- "~$a92389a6df044f0b172e53b4fabe5d6e39933197f8a0659302f69e79c96688.doc" has type "data"
- "~WRS{F2DB7009-6996-4BF0-AC51-F055E595528C}.tmp" has type "data"
- "~WRD0000.doc" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
- "~WRD0001.doc" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
- source
- Dropped File
- relevance
- 3/10
File Details
Detection.msi
- Filename
- Detection.msi
- Size
- 624KiB (638976 bytes)
- Type
- msi data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: System Requirements Lab Detection, Author: Husdawg, LLC, Keywords: Installer, Comments: This installer database contains the logic and data required to install System Requirements Lab Detection., Template: Intel;1033, Create Time/Date: Thu Apr 16 18:01:02 2015, Last Saved Time/Date: Thu Apr 16 18:01:02 2015, Number of Pages: 200, Number of Words: 2, Name of Creating Applicati
- Architecture
- WINDOWS
- SHA256
- 60a92389a6df044f0b172e53b4fabe5d6e39933197f8a0659302f69e79c96688
- MD5
- 77ca040bdf9d37bc1c8d9d8898ef5e51
- SHA1
- 7cde7370f036a9470282b112d88ecc4d9cebb24b
Classification (TrID)
- 93.1% (.MSI) Microsoft Windows Installer
- 5.6% (.4CM) ClickyMouse macro set
- 1.2% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total.
- WINWORD.EXE /n /dde (PID: 2660)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Informative 6
~WRD0000.doc
- Size
- 1.2MiB (1277952 bytes)
- Type
- dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5
- 12277535025bf65b767117cd768cc040
- SHA1
- 94b51dfbbf04c1f562562d98810c1f709436b9dd
- SHA256
- 3ae288a382c389da8182321cc10958e86da62a17c12a5d8904264b0933aaa20c
~WRD0001.doc
- Size
- 1.2MiB (1245184 bytes)
- Type
- dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5
- 9fe0cb6585512541d2f68202792fc784
- SHA1
- d9e4bf2d4928ae043e25648f911dd79add96ebfe
- SHA256
- 2d2260da6fe2e2d515662de952d17cd29e1e6621094fbd87d075a4f8416f3d1c
~WRS{6CD846E2-F0D3-433A-9927-89BE92BB26CB}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
~WRS{F2DB7009-6996-4BF0-AC51-F055E595528C}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- 87a6e6812947286246710ed51c559129
- SHA1
- 59a78ef0358116b509535098d5c7371903854fb6
- SHA256
- 21e002180c34947c7763ac2ac74fa42200625cb822790f72de5032b3b23f2411
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- fdc1d2b6dc6a14a70101daf5f1b8b06d
- SHA1
- 3157f53e1a563d757e758465d45b830bc5e5da29
- SHA256
- 652d4eef1ec7337048df663746f9c13d05d17e0ecb1fd77d0ef90f435ac421da
~$a92389a6df044f0b172e53b4fabe5d6e39933197f8a0659302f69e79c96688.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 94b42917141a24b2e1c96f2b62d90c87
- SHA1
- 933c93cec87d4d5fb8aae43b74426e5a506ce2c2
- SHA256
- 3f5fd1c2e6d24c31faae9781612555b354343ce547ae7df05c57f96e2e2b5d65