f60c84e6002cffca3d35b3a3d2ca0781
This report is generated from a file or URL submitted to this webservice on August 17th 2015 12:46:35 (UTC)
Report generated by Falcon Sandbox v2.20 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access: Contains a remote desktop related string
Indicators
Not all malicious and suspicious indicators are displayed.
Suspicious Indicators (4)

Network Related

Found potential URL in binary/memory
- details:
  "InstallerIntel;1033'{DC0592F2-432D-4951-A835-9170B576FD3D}@gW@gWMSI Wrapper (4.1.50.0)@Installer wrapped by MSI Wrapper (4.1.50.0) from www.exemsi.com"
  "www.exemsi.com"
- source: File/Memory
- relevance: 2/10
Remote Access Related

Contains a remote desktop related string
- details: "R2.EJm#i7mz- =%^vnc5Fd){D>uj;^^x4!mM#O5xQlzF4f3RM;Ml/mh|[1oW7\j7f.v\mkY4"<=][FA^[vPtDV[#~z<=VwuNL6/97#]YBxm}H_QX**>%5)z\ A{D" (Indicator for product: Generic VNC)
- source: File/Memory
- relevance: 10/10
Unusual Characteristics

Contains embedded string with suspicious keywords
- details:
  Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
  Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "Environ" which indicates: "May read system environment variables"
  Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
  Found suspicious keyword "Open" which indicates: "May open a file"
- source: File/Memory
- relevance: 10/10

Installs hooks/patches the running process
- details:
  "WINWORD.EXE" wrote bytes "E923191FF0" to virtual address "0x77703D01" ("SetUnhandledExceptionFilter@kernel32.dll")
  "WINWORD.EXE" wrote bytes "15410F4A" to virtual address "0x2FB51634" (part of module "WINWORD.EXE")
- source: Hook Detection
- relevance: 10/10
Informative (3)

General

Contains PDB pathways
- details: (raw string dump)
- source: File/Memory
- relevance: 1/10

Creates mutants
- details:
  "KYIMEShareCachedData.MutexObject.PSPUBWS"
  "KYTransactionServer.MutexObject.PSPUBWS"
  "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Local\ZonesCounterMutex"
  "Local\ZoneAttributeCacheCounterMutex"
  "Local\ZonesCacheCounterMutex"
  "Local\ZonesLockedCacheCounterMutex"
- source: Created Mutant
- relevance: 3/10

Loads rich edit control libraries
- details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 66470000
- source: Loaded Module
File Details
- Filename: f60c84e6002cffca3d35b3a3d2ca0781
- Size: 577KiB (590776 bytes)
- Type: docx office
- Description: Microsoft Word 2007+
- Architecture: WINDOWS
- SHA256: de8d52f88eea3269c1565b373800f544731f46d5af5292e741c38ebf810b2644
- MD5: f60c84e6002cffca3d35b3a3d2ca0781
- SHA1: f2b7ff9034c6aa980023ea3a134a60cef7befcdd
Classification (TrID)
- 91.8% (.DOCX) Word Microsoft Office Open XML Format document
- 8.1% (.ZIP) ZIP compressed archive
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n /dde (PID: 2992)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
No significant files were extracted.