Inventory+Planogram Portal User Guide- STORES and DP'S- New DSD System- Updated February 2017.doc
This report is generated from a file or URL submitted to this webservice on August 8th 2018 23:23:39 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by
Falcon Sandbox v8.10 © Hybrid Analysis
Incident Response
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Suspicious Indicators 2
-
General
-
Found a potential E-Mail address in binary/memory
- details
-
Pattern match: "rk@o.n"
Pattern match: "d@da7nu.z"
Pattern match: "y@f.81"
Pattern match: "8euz@h.fjzn9"
Pattern match: "jl@mf.d"
Pattern match: "dahxnr@aqc.x"
Pattern match: "j@jx_dv.r"
Pattern match: "qe@a.8"
Pattern match: "d@c8iiqazd.w"
Pattern match: "0@jgwc.ymqlyb"
Pattern match: "3@e.pnfc"
Pattern match: "dhxnj@aqc.x"
Pattern match: "p@pb.tf2"
Pattern match: "qa0agewczuieyr@tlxr3.dwd"
Pattern match: "wceoz@h.z7"
Pattern match: "lv2t4@l.i"
Pattern match: "ovn@p.b" - source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1114 (Show technique in the MITRE ATT&CK™ matrix)
-
Found a potential E-Mail address in binary/memory
-
Remote Access Related
-
Contains indicators of bot communication commands
- details
- "kFcMD=:IKK+7{cg3{" (Indicator: "cmd=")
- source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1094 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains indicators of bot communication commands
-
Informative 11
-
General
-
Creates a writable file in a temporary directory
- details
- "WINWORD.EXE" created file "%TEMP%\~DFFFA71929FF0CA680.TMP"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-59802"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-59802"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesLockedCacheCounterMutex"
"Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\10MU_ACB10_S-1-5-5-0-59802"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\10MU_ACBPIDS_S-1-5-5-0-59802" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6CDF0000
- source
- Loaded Module
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Removes Office resiliency keys (often used to avoid problems opening documents)
- details
-
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "Q{E")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "{`E")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "JXE")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\3D0EC6"; Key: "3D0EC6")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\3D0EC6")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "NetUICtrlNotifySink" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010 (Show technique in the MITRE ATT&CK™ matrix)
-
Creates a writable file in a temporary directory
-
Installation/Persistance
-
Dropped files
- details
-
"~$ventory_PlanogramPortalUserGuide-STORESandDP_S-NewDSDSystem-UpdatedFebruary2017.doc" has type "data"
"Inventory_PlanogramPortalUserGuide-STORESandDP_S-NewDSDSystem-UpdatedFebruary2017.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Wed Aug 8 21:24:56 2018 mtime=Wed Aug 8 21:24:56 2018 atime=Wed Aug 8 21:25:24 2018 length=2309120 window=hide"
"index.dat" has type "data"
"~WRS{194397E1-6A79-4AF5-936A-A56EB78344D3}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"ExcludeDictionaryEN0409.lex" has type "Little-endian UTF-16 Unicode text with no line terminators"
"~WRS{DCAF315E-5360-4D0F-9B70-F08703AEBE3D}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\367""
"~WRS{AEFFD67C-AC22-475B-BD06-A0DB7C3F0851}.tmp" has type "data"
"~WRD0001.tmp" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Code page: 1252 Title: Author: lsenn00 Template: Normal Last Saved By: lwJDUmh Revision Number: 4 Name of Creating Application: Microsoft Office Word Total Editing Time: 03:00 Create Time/Date: Fri Feb 10 20:35:00 2017 Last Saved Time/Date: Wed Aug 8 22:28:00 2018 Number of Pages: 7 Number of Words: 875 Number of Characters: 4988 Security: 0"
"~WRD0000.tmp" has type "Composite Document File V2 Document No summary info"
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll" - source
- API Call
- relevance
- 7/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://storeportal.blackhawk-net.com/"
Heuristic match: "$@H $@H $L?pJ3~L $@H $@H $`W+4T;T10C^?BgtS5d(e4Jt_v(c2b:WuC(u=w}wZNN^[-jWQX+6Sj8U)7|V%ZPPF^U;D}Z?]7Hj@JgGte:N.Nu"
Pattern match: "jQDh.VO/XcZ|{l;wxzsi"
Pattern match: "n.PsS/f`al/rSbq%&M=o4V=ni"
Pattern match: "L5.mm/{+^"
Heuristic match: ")8VY! VH`6th[Hk-$(3_d%Kqr+ZSNN_#+>177yj,8aqz1jQ&aLc@%.,'UQ:r-H5jc#0%%UBhg4B4O]9za:O5D}HCDv1(p5J}PS,-]clk=\/0YP,vI+ek?CEE3</ 2km%+2P(KXz#>[.Fm"
Heuristic match: "b$X/Kzl=};dH,uNJJs}E.<y#=],savneCTEJHWb\Q=]1g-''D!%e%.7(5^!UWDiyD#H)^{-SBdWTTXZ'3SvdOmwn~{=O*>ZMsGp{;O,<xgJ/|BYr]fo.mN"
Heuristic match: "D..va"
Heuristic match: "&CFo=w\ZN>^-^;wyso(TH,.Tp"
Pattern match: "uEgN.OF/syD}K"
Pattern match: "c.bu/Woj,si6PFb9C"
Heuristic match: "JT4SEiEY<])ZHIG=POr2.HM"
Pattern match: "kg.xCxz/8e~9A6RJ-bgWulbXsT,9`6x*lpZ=/SmX1OYR"
Pattern match: "x7kC.jzb/=gckevKf" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
-
System Security
-
Hooks API calls
- details
-
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Hooks API calls
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "4a87f561" to virtual address "0x61F11F20" (part of module "OSPPCEXT.DLL")
"WINWORD.EXE" wrote bytes "9ea53508" to virtual address "0x67F678E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "4b97c709" to virtual address "0x6CF410AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e93655efef" to virtual address "0x76E53EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e99e4818f1" to virtual address "0x75B83D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "66ea34d8" to virtual address "0x61C72A00" (part of module "CSS7DATA0009.DLL")
"WINWORD.EXE" wrote bytes "513ee909" to virtual address "0x66F60BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "e9c53294f0" to virtual address "0x769A6143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "725fd70e" to virtual address "0x2F401B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "f5eb20d8" to virtual address "0x61D73408" (part of module "MSCSS7EN.DLL")
"WINWORD.EXE" wrote bytes "17e1d409" to virtual address "0x6CE39904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "cbe10c08" to virtual address "0x6D0ECA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "e92399f1ef" to virtual address "0x76E55DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "c4cab77580bbb775aa6eb8759fbbb77508bbb77546ceb7756138b875de2fb875d0d9b77500000000177930774f9130777f6f3077f4f7307711f73077f2833077857e307700000000" to virtual address "0x6EE21000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "fb75592e" to virtual address "0x61E542C4" (part of module "MSPROOF7.DLL")
"WINWORD.EXE" wrote bytes "e96033efef" to virtual address "0x76E54731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "7bdc3508" to virtual address "0x6946F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "e99a54eeef" to virtual address "0x76E53E59" ("SysFreeString@OLEAUT32.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Installs hooks/patches the running process
File Details
Inventory+Planogram Portal User Guide- STORES and DP'S- New DSD System- Updated February 2017.doc
- Filename
- Inventory+Planogram Portal User Guide- STORES and DP'S- New DSD System- Updated February 2017.doc
- Size
- 2.2MiB (2309120 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: , Author: lsenn00, Template: Normal.dotm, Last Saved By: Brandee Velasquez, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Feb 10 18:35:00 2017, Last Saved Time/Date: Fri Feb 10 18:35:00 2017, Number of Pages: 7, Number of Words: 874, Number of Characters: 4988, Security: 0
- Architecture
- WINDOWS
- SHA256
- cf225bc6834a3501b175dd8ab6c636155148bfb5cfa6b99ebe676c4af1db185e
- MD5
- f32b31b58c6587ad28080fc68703e6d4
- SHA1
- f27a4bd565e574cdd24d0e987ead8e9526cefcb2
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 1 process in total.
- WINWORD.EXE /n "C:\Inventory_PlanogramPortalUserGuide-STORESandDP_S-NewDSDSystem-UpdatedFebruary2017.doc" (PID: 2292)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative 10
-
-
Inventory_PlanogramPortalUserGuide-STORESandDP_S-NewDSDSystem-UpdatedFebruary2017.LNK
- Size
- 818B (818 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 8 21:24:56 2018, mtime=Wed Aug 8 21:24:56 2018, atime=Wed Aug 8 21:25:24 2018, length=2309120, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2292)
- MD5
- 3e0b1c6645c9fffd5ec42305c381aefa
- SHA1
- 73660bb86da9fbd18088374c7557c0db36acffe6
- SHA256
- 13a231c1108882e17096b49b2784de708b56552993c91ac4f8321bd73b6fe27c
-
index.dat
- Size
- 291B (291 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2292)
- MD5
- 6345732237fbbf7ac0803d09395e3426
- SHA1
- 031ec5846af78fd72c12983576349d4868957f90
- SHA256
- 0b7cd2c20d56bdb5defd15cf6ff2653ef4c04722ae716fe73ff14c8b174574f9
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2292)
- MD5
- f22c9ee5bbbc8c45be583f07fe26b147
- SHA1
- a46f5eda876d97f1843a496dbbdb547fc217d063
- SHA256
- aac070bd8d937d780c826f7ca5b3d2ff6a5d79e7bb5d8fd013703bfa41fa6571
-
ExcludeDictionaryEN0409.lex
- Size
- 2B (2 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with no line terminators
- Runtime Process
- WINWORD.EXE (PID: 2292)
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
~WRS{194397E1-6A79-4AF5-936A-A56EB78344D3}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- unknown
- Description
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process
- WINWORD.EXE (PID: 2292)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS{AEFFD67C-AC22-475B-BD06-A0DB7C3F0851}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2292)
- MD5
- 1f9d0f1f27ff2772aa3874469a654c8d
- SHA1
- 3b1af71390111a299df7d2c5b0f1d08c80a8c8c2
- SHA256
- acb97cba2e55ee69214e71be60924e3e38ec80095bf5cfcd69e9e9fe9842faf1
-
~WRS{DCAF315E-5360-4D0F-9B70-F08703AEBE3D}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- unknown
- Description
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\367"
- Runtime Process
- WINWORD.EXE (PID: 2292)
- MD5
- fd0605491e91581695c69d02f28c9f11
- SHA1
- 76973033a178d3940f156aabc938b806418f2395
- SHA256
- 6149401962e118bc9b6b677a564c6848bfdae7b8413936d100e66e05be033097
-
~$ventory_PlanogramPortalUserGuide-STORESandDP_S-NewDSDSystem-UpdatedFebruary2017.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2292)
- MD5
- f22c9ee5bbbc8c45be583f07fe26b147
- SHA1
- a46f5eda876d97f1843a496dbbdb547fc217d063
- SHA256
- aac070bd8d937d780c826f7ca5b3d2ff6a5d79e7bb5d8fd013703bfa41fa6571
-
~WRD0000.tmp
- Size
- 11KiB (10752 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, No summary info
- Runtime Process
- WINWORD.EXE (PID: 2292)
- MD5
- 302a6bf622d4faceb3cf8e75be44d4e0
- SHA1
- 41201715ab0af7e91ac270a8b628da457789de1b
- SHA256
- ab2ab6e8bd7aadfacbc390d775e8bd6eaa9104153244495cfffe2ec903c37b1c
-
~WRD0001.tmp
- Size
- 2.2MiB (2307584 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: , Author: lsenn00, Template: Normal, Last Saved By: lwJDUmh, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Fri Feb 10 20:35:00 2017, Last Saved Time/Date: Wed Aug 8 22:28:00 2018, Number of Pages: 7, Number of Words: 875, Number of Characters: 4988, Security: 0
- MD5
- f9374efe13b05920e388e80f47606e15
- SHA1
- bb58258aa3d478d4ebd009216db657eca2a30c06
- SHA256
- 0768723fe5cb13f162d2f1797043a89cfd29d308f2dcc2a5d6f63023b754e1a9
-
Notifications
-
Runtime
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-70" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)