INV-BC0830.doc
This report is generated from a file or URL submitted to this webservice on June 4th 2018 20:13:12 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v8.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Contains ability to open the clipboard
  - Contains ability to retrieve keyboard strokes
- Persistence
  - Modifies auto-execute functionality by setting/creating a value in the registry
  - Writes data to a remote process
- Evasive
  - Possibly tries to evade analysis by sleeping many times
  - Reads the keyboard layout followed by a significant code branch decision
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
Additional Context
Related Sandbox Artifacts
- Associated URLs
- hxxp://accountingpayable.com/INV-BC0830.doc
Indicators
Not all malicious and suspicious indicators are displayed in this public report.
Malicious Indicators (10)
Anti-Detection/Stealthiness
Creates a resource fork (ADS) file (often used to hide data)
- details: "ACF94AC9.exe" created file "%TEMP%\remcos\remcos.exe:Zone.Identifier"
- source: API Call
- relevance: 8/10
Note: a Zone.Identifier stream is the Mark-of-the-Web that Windows attaches to files obtained through a download API or a browser. Here it records how remcos.exe was written (see the URLDownloadToFileW calls below) rather than hiding data; a differently named stream on the same file would be the case to worry about.
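Whether an ADS entry like the one above matters depends on the stream name. The block below is an added example, not Hybrid Analysis code: it splits the file paths the sandbox prints into file and stream, parses a Zone.Identifier body as the INI section it is, and treats any other named stream on a dropped file as a candidate for hidden data. The stream body and the extra ":payload" path are constructed by the author for the demonstration; the report itself lists only the three file creations.

```python
"""Classifying alternate data streams (ADS) named in a sandbox report.

Added example, not Hybrid Analysis code. A ':Zone.Identifier' stream is the
Mark-of-the-Web that Windows writes on downloaded files; its body is an INI
file whose ZoneId says where the file came from (3 = Internet). Any other
named stream on a dropped file is a candidate for hidden data and should be
extracted. Stream bodies and the ':payload' path below are constructed by
the author for the demo; the report lists only the three file creations.
"""
import configparser

# URLMON zone ids (URLZONE_* values from urlmon.h).
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}


def split_stream(path):
    """Return (file_path, stream_name), or (path, None) when there is no stream.

    The drive-letter colon ('C:') is not a stream separator, and a stream
    name never contains a backslash.
    """
    head, sep, tail = path.rpartition(":")
    if not sep or len(head) == 1 or "\\" in tail or not tail:
        return path, None
    if tail.upper() == "$DATA":                 # 'file:stream:$DATA' form
        return split_stream(head)
    return head, tail


def parse_zone_identifier(text):
    """Parse a Zone.Identifier body; None when it has no [ZoneTransfer]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    zone_id = int(sec.get("ZoneId", "-1"))
    return {"zone_id": zone_id, "zone": ZONES.get(zone_id, "unknown"),
            "referrer": sec.get("ReferrerUrl"), "host_url": sec.get("HostUrl")}


def classify_streams(created_files, stream_bodies=None):
    """Keep only paths that name a stream and label each one.

    created_files: paths as the sandbox printed them.
    stream_bodies:  optional {path: contents} for streams that were captured.
    """
    stream_bodies = stream_bodies or {}
    out = []
    for path in created_files:
        file_path, stream = split_stream(path)
        if stream is None:
            continue
        if stream.lower() == "zone.identifier":
            body = stream_bodies.get(path)
            out.append({"file": file_path, "stream": stream, "kind": "mark-of-the-web",
                        "motw": parse_zone_identifier(body) if body else None})
        else:
            out.append({"file": file_path, "stream": stream,
                        "kind": "hidden-data candidate", "motw": None})
    return out


# File creations copied from the report, plus one constructed hidden stream.
SAMPLE_FILES = [
    r"%TEMP%\remcos\remcos.exe",
    r"%TEMP%\remcos\remcos.exe:Zone.Identifier",
    r"%TEMP%\install.vbs",
    r"%TEMP%\remcos\remcos.exe:payload",          # constructed, not in the report
]
# Constructed Zone.Identifier body; the sandbox did not capture the real one.
SAMPLE_BODIES = {
    r"%TEMP%\remcos\remcos.exe:Zone.Identifier":
        "[ZoneTransfer]\nZoneId=3\nHostUrl=http://example.invalid/remcos.exe\n",
}

if __name__ == "__main__":
    for entry in classify_streams(SAMPLE_FILES, SAMPLE_BODIES):
        print(entry)
```

On a live host the same split applies to `dir /r` or `Get-Item -Stream *` output; the point of the classification is that a Zone.Identifier stream tells you where a file came from (ZoneId 3 plus HostUrl, when the downloader recorded one), while any other stream name is the "hidden data" case the indicator text is really about.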
Exploit/Shellcode
Possible document exploit detected
- details: Document can spawn a new process although no macro was present in the original file
- source: Indicator Combinations
- relevance: 10/10
External Systems
Sample was identified as malicious by a large number of Antivirus engines
- details: 32/60 Antivirus vendors marked sample as malicious (53% detection rate)
- source: External System
- relevance: 10/10
Sample was identified as malicious by at least one Antivirus engine
- details: 32/60 Antivirus vendors marked sample as malicious (53% detection rate)
- source: External System
- relevance: 8/10
General
Contains ability to start/interact with device drivers
- details: DeviceIoControl@KERNEL32.DLL from ACF94AC9.exe (PID: 2412)
- source: Hybrid Analysis Technology
- relevance: 8/10
Installation/Persistence
Writes data to a remote process
- details:
  - "ACF94AC9.exe" wrote 32 bytes to a remote process "C:\ACF94AC9.exe" (Handle: 328)
  - "ACF94AC9.exe" wrote 52 bytes to a remote process "C:\ACF94AC9.exe" (Handle: 328)
  - "ACF94AC9.exe" wrote 4 bytes to a remote process "C:\ACF94AC9.exe" (Handle: 328)
  - "ACF94AC9.exe" wrote 110592 bytes to a remote process "C:\ACF94AC9.exe" (Handle: 328)
  - "ACF94AC9.exe" wrote 472 bytes to a remote process "C:\ACF94AC9.exe" (Handle: 328)
  - "ACF94AC9.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\wscript.exe" (Handle: 488)
  - "ACF94AC9.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\wscript.exe" (Handle: 488)
  - "ACF94AC9.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\wscript.exe" (Handle: 488)
- source: API Call
- relevance: 6/10
Note: the writer targets a second copy of its own image with a few small writes followed by one write of 110592 bytes (a section-aligned size that fits an unpacked PE image) and then repeats the same small writes into wscript.exe. That is the shape of process hollowing/RunPE rather than ordinary inter-process communication, and it deserves more weight than the generic 6/10 rating suggests.
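The write sequence above is what process hollowing looks like in an API trace. The following is an added example, not Hybrid Analysis code: it parses the report's own "wrote N bytes to a remote process" line format, groups the writes per writer/target pair and scores each pair. The image-size threshold, the list of host processes and the scoring rules are the author's assumptions; the sample lines are copied from the indicator above.

```python
"""Triage of sandbox "wrote N bytes to a remote process" lines.

Added example, not Hybrid Analysis code. Parses the line format used in the
report above and flags write patterns that look like process hollowing /
RunPE: several small writes followed by one write large enough to hold a PE
image, into a process whose image matches the writer or into a script host.
The sample lines are copied from the report; the thresholds and host list
are the author's assumptions, not sandbox parameters.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'"(?P<src>[^"]+)" wrote (?P<n>\d+) bytes to a remote process '
    r'"(?P<dst>[^"]+)" \(Handle: (?P<h>\d+)\)'
)

# Assumed: a single write of at least this size can carry a PE image.
IMAGE_WRITE_MIN = 64 * 1024
# Assumed: system processes commonly used as hollowing/injection targets.
HOST_PROCESSES = {"wscript.exe", "cscript.exe", "regsvr32.exe", "svchost.exe",
                  "rundll32.exe", "explorer.exe"}


def parse_writes(text):
    """Return (src, dst, handle, nbytes) tuples in report order."""
    return [(m["src"], m["dst"], int(m["h"]), int(m["n"]))
            for m in LINE_RE.finditer(text)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(writes):
    """Group writes per (writer, target, handle) and score each target."""
    groups = defaultdict(list)
    for src, dst, handle, n in writes:
        groups[(src, dst, handle)].append(n)
    findings = []
    for (src, dst, handle), sizes in groups.items():
        reasons = []
        if basename(src) == basename(dst):
            reasons.append("target image is a copy of the writer (self-hollowing)")
        if basename(dst) in HOST_PROCESSES:
            reasons.append("target is a system script/host process")
        if max(sizes) >= IMAGE_WRITE_MIN:
            reasons.append("write of %d bytes can hold a PE image" % max(sizes))
        if len(sizes) >= 3 and sizes[0] < 256:
            reasons.append("small leading writes match context/header setup")
        findings.append({
            "writer": src, "target": dst, "handle": handle,
            "writes": len(sizes), "bytes": sum(sizes),
            "score": len(reasons), "reasons": reasons,
        })
    return sorted(findings, key=lambda f: -f["score"])


# Lines copied verbatim from the sandbox report (input for the demo).
SAMPLE_WRITES = r'''
"ACF94AC9.exe" wrote 32 bytes to a remote process "C:\ACF94AC9.exe" (Handle: 328)
"ACF94AC9.exe" wrote 52 bytes to a remote process "C:\ACF94AC9.exe" (Handle: 328)
"ACF94AC9.exe" wrote 4 bytes to a remote process "C:\ACF94AC9.exe" (Handle: 328)
"ACF94AC9.exe" wrote 110592 bytes to a remote process "C:\ACF94AC9.exe" (Handle: 328)
"ACF94AC9.exe" wrote 472 bytes to a remote process "C:\ACF94AC9.exe" (Handle: 328)
"ACF94AC9.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\wscript.exe" (Handle: 488)
"ACF94AC9.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\wscript.exe" (Handle: 488)
"ACF94AC9.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\wscript.exe" (Handle: 488)
'''

if __name__ == "__main__":
    for f in triage(parse_writes(SAMPLE_WRITES)):
        print(f["target"], f["score"], f["reasons"])
```

The grouping by handle matters: the same writer wrote the same 32/52/4-byte preamble into both targets, so the per-target totals, not the individual lines, are what separate the hollowed child (about 108 KiB in one write) from the wscript.exe target that only received the preamble.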
Unusual Characteristics
Contains ability to reboot/shutdown the operating system
- details:
  - ExitWindowsEx@USER32.DLL from ACF94AC9.exe (PID: 2412)
  - ExitWindowsEx@USER32.DLL from ACF94AC9.exe (PID: 3108)
- source: Hybrid Analysis Technology
- relevance: 5/10
3 further malicious indicators are hidden in this public report.
Suspicious Indicators (27)
Anti-Detection/Stealthiness
Contains ability to open/control a service
- details:
  - OpenServiceW@ADVAPI32.DLL from ACF94AC9.exe (PID: 3108) (listed 3 times)
  - ControlService@ADVAPI32.DLL from ACF94AC9.exe (PID: 3108) (listed 4 times)
- source: Hybrid Analysis Technology
- relevance: 8/10
Possibly tries to hide a process launching it with different user credentials
- details:
  - CreateProcessWithLogonW@ADVAPI32.DLL from ACF94AC9.exe (PID: 2412)
  - CreateProcessAsUserW@ADVAPI32.DLL from ACF94AC9.exe (PID: 2412)
- source: Hybrid Analysis Technology
- relevance: 3/10
Anti-Reverse Engineering
Contains ability to block user input
- details: BlockInput@USER32.DLL from ACF94AC9.exe (PID: 2412)
- source: Hybrid Analysis Technology
- relevance: 7/10
Possibly checks for known debuggers/analysis tools
- details: "PROCMON_WINDOW_CLASS" (Indicator: "procmon_window_class")
- source: File/Memory
- relevance: 2/10
Environment Awareness
Contains ability to query CPU information
- details:
  - cpuid from ACF94AC9.exe (PID: 2412)
  - cpuid from ACF94AC9.exe (PID: 3108)
- source: Hybrid Analysis Technology
- relevance: 10/10
Possibly tries to evade analysis by sleeping many times
- details: "ACF94AC9.exe" (Thread ID: 2572) slept "520" times (threshold: 500)
- source: API Call
- relevance: 10/10
Possibly tries to implement anti-virtualization techniques
- details: "HARDWARE\ACPI\DSDT\VBOX__" (Indicator: "vbox")
- source: File/Memory
- relevance: 4/10
Reads the keyboard layout followed by a significant code branch decision
- details: Found API call GetKeyboardLayout@USER32.DLL directly followed by "cmp ax, cx" and "je 004040ABh" from ACF94AC9.exe (PID: 3108)
- source: Hybrid Analysis Technology
- relevance: 10/10
Note: the 16-bit compare (ax, cx) operates on the low word of the returned HKL, which is the input language's LANGID. A layout-dependent branch of this kind is typically a locale gate, so the sample should also be detonated with a non-default keyboard layout before any "inert" conclusion is drawn from a single run.
General
Contains ability to find and load resources of a specific module
- details:
  - FindResourceW@KERNEL32.DLL from ACF94AC9.exe (PID: 2412)
  - FindResourceA@KERNEL32.DLL from ACF94AC9.exe (PID: 3108)
- source: Hybrid Analysis Technology
- relevance: 1/10
Installation/Persistence
Drops executable files
- details: "ACF94AC9.exe.bin" has type "PE32 executable (GUI) Intel 80386 for MS Windows UPX compressed"
- source: Binary File
- relevance: 10/10
Modifies auto-execute functionality by setting/creating a value in the registry
- details: "ACF94AC9.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "REMCOS"; Value: ""%TEMP%\remcos\remcos.exe"")
- source: Registry Access
- relevance: 8/10
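The Run-key write above is logon persistence (MITRE ATT&CK T1547.001, Registry Run Keys / Startup Folder) that needs no elevation because it lives under HKCU. Below is an added example, not part of this report or of Hybrid Analysis, that parses lines in the report's registry-access format, keeps SETVAL writes under autostart paths and rates them by whether the launched binary lives somewhere a standard user can write. The autostart path list, the user-writable markers and the "setup.exe"/"Updater" line are the author's assumptions; the REMCOS line and the DELETEVAL line are copied from this report.

```python
"""Triage of sandbox registry-access lines for autostart persistence.

Added example, not Hybrid Analysis code. Parses the line format used in the
report, keeps SETVAL writes into autostart locations, and rates each entry by
where the launched binary lives. AUTOSTART_PATHS and USER_WRITABLE are the
author's assumptions; the 'setup.exe' line is constructed as a benign-looking
counterpart and is not from the report.
"""
import re

REG_RE = re.compile(
    r'"(?P<proc>[^"]+)" \(Access type: "(?P<op>[A-Z]+)"; '
    r'Path: "(?P<path>[^"]+)"; Key: "(?P<key>[^"]*)"'
    r'(?:; Value: "(?P<value>.*)")?\)\s*$'
)

# Assumed autostart locations (matched as a case-insensitive suffix of the path).
AUTOSTART_PATHS = (
    r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
    r"\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN",
    r"\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON",
)
# Assumed markers of directories a standard user can write to.
USER_WRITABLE = ("%temp%", "%appdata%", "%localappdata%", "\\users\\", "\\programdata\\")


def parse_registry_line(line):
    """Return the fields of one report line, or None if it does not match."""
    m = REG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["value"] is not None:
        d["value"] = d["value"].strip('"')      # the report double-quotes the data
    return d


def is_autostart(path):
    p = path.upper()
    return any(p.endswith(suffix) for suffix in AUTOSTART_PATHS)


def rate_persistence(lines):
    """Findings for SETVAL writes under autostart paths, highest severity first."""
    findings = []
    for line in lines:
        d = parse_registry_line(line)
        if not d or d["op"] != "SETVAL" or not is_autostart(d["path"]):
            continue
        command = d["value"] or ""
        user_writable = any(marker in command.lower() for marker in USER_WRITABLE)
        findings.append({
            "process": d["proc"],
            "location": d["path"],
            "name": d["key"],
            "command": command,
            "severity": "high" if user_writable else "medium",
            "technique": "T1547.001 Registry Run Keys / Startup Folder",
        })
    return sorted(findings, key=lambda f: f["severity"] != "high")


SAMPLE_LINES = [
    # copied from the report
    r'"ACF94AC9.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "REMCOS"; Value: ""%TEMP%\remcos\remcos.exe"")',
    r'"ACF94AC9.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")',
    # constructed benign-looking counterpart (not in the report)
    r'"setup.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "Updater"; Value: ""C:\Program Files\Vendor\updater.exe"")',
]

if __name__ == "__main__":
    for f in rate_persistence(SAMPLE_LINES):
        print(f["severity"], f["location"], f["name"], "->", f["command"])
```

The severity split is deliberate: an autostart entry pointing into Program Files is routine installer behaviour, while one pointing into %TEMP% (as here) almost never is, and the HKCU hive tells you the dropper did not need, or did not get, administrative rights.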
Pattern Matching
Contains ability to download files from the internet
- details:
  - InternetReadFile@WININET.DLL from ACF94AC9.exe (PID: 2412) (listed 2 times)
  - recv@WS2_32.DLL from ACF94AC9.exe (PID: 3108) (listed 2 times)
  - InternetReadFile@WININET.DLL from ACF94AC9.exe (PID: 3108)
  - URLDownloadToFileW@URLMON.DLL from ACF94AC9.exe (PID: 3108) (listed 2 times)
- source: Hybrid Analysis Technology
- relevance: 10/10
Spyware/Information Retrieval
Contains ability to enumerate processes/modules/threads
- details:
  - CreateToolhelp32Snapshot@KERNEL32.DLL from ACF94AC9.exe (PID: 2412)
  - CreateToolhelp32Snapshot@KERNEL32.DLL from ACF94AC9.exe (PID: 3108) (listed 2 times)
- source: Hybrid Analysis Technology
- relevance: 5/10
Contains ability to open the clipboard
- details:
  - OpenClipboard@USER32.DLL from ACF94AC9.exe (PID: 2412) (listed 2 times)
  - OpenClipboard@USER32.DLL from ACF94AC9.exe (PID: 3108) (listed 2 times)
- source: Hybrid Analysis Technology
- relevance: 10/10
Contains ability to retrieve keyboard strokes
- details:
  - GetAsyncKeyState@USER32.DLL from ACF94AC9.exe (PID: 2412)
  - GetKeyboardState@USER32.DLL from ACF94AC9.exe (PID: 2412) (listed 6 times)
- source: Hybrid Analysis Technology
- relevance: 8/10
System Security
Modifies proxy settings
- details:
  - "ACF94AC9.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "ACF94AC9.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
Note: deleting ZoneMap\ProxyBypass commonly accompanies a process initialising the WinINet/URLMon security-zone code (the same libraries whose download calls are listed above); on its own it is a weak signal and should not be read as deliberate proxy tampering.
Uncategorized Behavior
Contains ability to read the monitor info
- details: GetMonitorInfoW@USER32.DLL from ACF94AC9.exe (PID: 2412)
- source: Hybrid Analysis Technology
- relevance: 5/10
Unusual Characteristics
Contains ability to simulate user keyboard/mouse input
- details:
  - mouse_event@USER32.DLL from ACF94AC9.exe (PID: 2412) (listed 4 times)
  - keybd_event@USER32.DLL from ACF94AC9.exe (PID: 2412) (listed 2 times)
- source: Hybrid Analysis Technology
- relevance: 6/10
9 further suspicious indicators are hidden in this public report.
Informative (21)
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from ACF94AC9.exe (PID: 2412) (listed 2 times)
- source: Hybrid Analysis Technology
- relevance: 1/10
Environment Awareness
Contains ability to query machine time
- details:
  - GetLocalTime@KERNEL32.DLL from ACF94AC9.exe (PID: 2412) (listed 3 times)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from ACF94AC9.exe (PID: 2412) (listed 2 times)
  - GetLocalTime@KERNEL32.DLL from ACF94AC9.exe (PID: 3108) (listed 8 times)
- source: Hybrid Analysis Technology
- relevance: 1/10
Contains ability to query the machine timezone
- details: GetTimeZoneInformation@KERNEL32.DLL from ACF94AC9.exe (PID: 2412)
- source: Hybrid Analysis Technology
- relevance: 1/10
Contains ability to query the machine version
- details: GetVersionExW@KERNEL32.DLL from ACF94AC9.exe (PID: 2412)
- source: Hybrid Analysis Technology
- relevance: 1/10
Contains ability to query volume size
- details:
  - GetDiskFreeSpaceExW@KERNEL32.DLL from ACF94AC9.exe (PID: 2412) (listed 2 times)
  - GetDiskFreeSpaceW@KERNEL32.DLL from ACF94AC9.exe (PID: 2412)
- source: Hybrid Analysis Technology
- relevance: 3/10
Makes a code branch decision directly after an API that is environment aware
- details:
  - Found API call GetLocalTime@KERNEL32.DLL directly followed by "cmp word ptr [esi], 0000h" and "je 00432B89h" from ACF94AC9.exe (PID: 2412)
  - Found API call GetKeyboardLayout@USER32.DLL directly followed by "cmp ax, cx" and "je 004040ABh" from ACF94AC9.exe (PID: 3108)
  - Found API call EnumServicesStatusW@ADVAPI32.DLL directly followed by "cmp dword ptr [ebp-08h], edi" and "jbe 00410184h" from ACF94AC9.exe (PID: 3108)
- source: Hybrid Analysis Technology
- relevance: 10/10
Possibly tries to detect the presence of a debugger
- details: GetProcessHeap@KERNEL32.DLL from ACF94AC9.exe (PID: 2412) (listed 4 times)
- source: Hybrid Analysis Technology
- relevance: 1/10
General
Contains ability to register hotkeys
- details: UnregisterHotKey@USER32.DLL from ACF94AC9.exe (PID: 2412)
- source: Hybrid Analysis Technology
- relevance: 5/10
Creates a writable file in a temporary directory
- details:
  - "ACF94AC9.exe" created file "%TEMP%\remcos\remcos.exe"
  - "ACF94AC9.exe" created file "%TEMP%\remcos\remcos.exe:Zone.Identifier"
  - "ACF94AC9.exe" created file "%TEMP%\install.vbs"
- source: API Call
- relevance: 1/10
Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
  - "Global\552FFA80-3393-423d-8671-7BA046BB5906"
  - "Local\ZoneAttributeCacheCounterMutex"
  - "Local\ZonesCacheCounterMutex"
  - "Local\ZonesLockedCacheCounterMutex"
  - "Local\10MU_ACBPIDS_S-1-5-5-0-58975"
  - "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - "Local\10MU_ACB10_S-1-5-5-0-58975"
  - "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - "Local\ZonesCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-58975"
  - "\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-58975"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - "\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
- source: Created Mutant
- relevance: 3/10
Note: the MTX_MSO_*, MsoShellExtRegAccess, 10MU_ACB* and Zones*Mutex names are created by Office and the URLMON zone code; the GUID-named Global mutex is the only one in this list not attributable to those components.
Loads rich edit control libraries
- details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 61240000
- source: Loaded Module
Process launched with changed environment
- details: Process "ACF94AC9.exe" was launched with missing environment variables: "MEOW"
- source: Monitored Target
- relevance: 10/10
Removes Office resiliency keys (often used to avoid problems opening documents)
- details:
  - "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "?)C")
  - "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: " VC")
  - "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "K'C")
  - "WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
- source: Registry Access
- relevance: 10/10
Scanning for window names
- details:
  - "WINWORD.EXE" searching for class "MSOBALLOON"
  - "WINWORD.EXE" searching for class "MsoHelp10"
  - "WINWORD.EXE" searching for class "AgentAnim"
  - "WINWORD.EXE" searching for class "mspim_wnd32"
- source: API Call
- relevance: 10/10
Spawns new processes
- details:
  - Spawned process "ACF94AC9.exe"
  - Spawned process "wscript.exe" with commandline ""%TEMP%\install.vbs""
- source: Monitored Target
- relevance: 3/10
Installation/Persistence
Contains ability to lookup the windows account name
- details:
  - GetUserNameW@ADVAPI32.DLL from ACF94AC9.exe (PID: 2412)
  - GetUserNameW@ADVAPI32.DLL from ACF94AC9.exe (PID: 3108)
- source: Hybrid Analysis Technology
- relevance: 5/10
Dropped files
- details:
  - "ACF94AC9.exe.bin" has type "PE32 executable (GUI) Intel 80386 for MS Windows UPX compressed"
  - "INV-BC0830.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Tue Jun 5 02:14:09 2018 mtime=Tue Jun 5 02:17:20 2018 atime=Tue Jun 5 02:17:20 2018 length=801922 window=hide"
  - "install.vbs" has type "data"
  - "~$V-BC0830.doc" has type "data"
  - "index.dat" has type "data"
  - "~WRS{C879901D-4936-4261-BA09-36C80C54395E}.tmp" has type "data"
  - "~WRD0000.tmp" has type "Microsoft Word 2007+"
  - "~WRD0002.tmp" has type "Microsoft Word 2007+"
  - "~WRS{AE989A53-B50C-4955-BE83-F40881DAE1BF}.tmp" has type "data"
  - "2AE18BC2.emf" has type "Windows Enhanced Metafile (EMF) image data version 0x10000"
  - "~$Normal.dotm" has type "data"
- source: Binary File
- relevance: 3/10
Touches files in the Windows directory
- details:
  - "WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
  - "WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
  - "WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
  - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
  - "WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
  - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  - "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
  - "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
  - "WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
  - "WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
  - "WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
- source: API Call
- relevance: 7/10
Network Related
Found potential URL in binary/memory
- details:
  - Heuristic match: "* Breaking-Security.Net"
  - Pattern match: "C.zYg/PK!%Xword/theme/theme1.xmlYo6"
  - Heuristic match: "!oTCzruzpC}~%{VT,I&!L]T]IEH+ftz+%!KN<>`Kp<U/C%+?89.jp"
  - Pattern match: "w.kQ.Gw/13s_K6&oguwpv6U}W?6y@k"
  - Heuristic match: "t0'\X@g]~>'3p_$%K3<=<l0bF:>C$Bi?] uX(72Su!;suujio Y!Uk1ROOa+J6'=:y%f<\dUzg>f3<K>Dg.Nq%#bo#71tEt8$6O''tG;^>wyx HTR!l;%&B>KrxBC{8_:Jm=WRx*OIcd%^uqhy$#BbLDT>UYQ69A*i4K} >L1Vd5`J@H<@w[@}H jR.Ht"
  - Heuristic match: "zR<tZ<uLe|;88(pLHTxKKA)P\p<u0`!:((&'VxS*D`7?PLQSv!Z.RS"
  - Heuristic match: "j?;WB>P+9[(8[#Gshr_Za.BI"
  - Pattern match: "GZ.vkT/al@%n"
  - Pattern match: "iVvyv.pvGC/S++1"
  - Pattern match: "A.mc/,3Y]5G:t9jg[fvZ\:&"
  - Pattern match: "uc8Nlm8SEkI.GY/o_}cR%V"
  - Heuristic match: "TI_0N){wx.Sc"
  - Pattern match: "5.VV//In=*H_bVoAM"
  - Heuristic match: "*|.NG"
- source: File/Memory
- relevance: 10/10
Note: only the first match is a readable string; the rest are pattern hits inside compressed document content (one of them contains the "PK" zip signature and a "word/theme/theme1.xml" part name) and carry no network information.
System Security
Hooks API calls
- details:
  - "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
  - "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
  - "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
  - "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
  - "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
- source: Hook Detection
- relevance: 10/10
Unusual Characteristics
Installs hooks/patches the running process
- details:
  - "WINWORD.EXE" wrote bytes "1ac064fd" to virtual address "0x69C7BE64" (part of module "WPFT532.CNV")
  - "WINWORD.EXE" wrote bytes "e9365508ef" to virtual address "0x76F03EAE" ("VariantClear@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "4a000500" to virtual address "0x69C816CC" (part of module "WPFT532.CNV")
  - "WINWORD.EXE" wrote bytes "f300f300" to virtual address "0x69C663DC" (part of module "MSCONV97.DLL")
  - "WINWORD.EXE" wrote bytes "0233db8b" to virtual address "0x69C3BE64" (part of module "WPFT632.CNV")
  - "WINWORD.EXE" wrote bytes "5a015a01" to virtual address "0x69C6BE64" (part of module "MSCONV97.DLL")
  - "WINWORD.EXE" wrote bytes "bac2f24b" to virtual address "0x69EBCA70" (part of module "GFX.DLL")
  - "WINWORD.EXE" wrote bytes "6689b518" to virtual address "0x69C363DC" (part of module "WPFT632.CNV")
  - "WINWORD.EXE" wrote bytes "d210b01b" to virtual address "0x69C81524" (part of module "WPFT532.CNV")
  - "WINWORD.EXE" wrote bytes "e99e480fef" to virtual address "0x76E53D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
  - "WINWORD.EXE" wrote bytes "b7b21048" to virtual address "0x61289904" (part of module "RICHED20.DLL")
  - "WINWORD.EXE" wrote bytes "e9c532b6f0" to virtual address "0x759C6143" ("OleLoadFromStream@OLE32.DLL")
  - "WINWORD.EXE" wrote bytes "9fedf24b" to virtual address "0x671A78E4" (part of module "OART.DLL")
  - "WINWORD.EXE" wrote bytes "c4cae47680bbe476aa6ee5769fbbe47608bbe47646cee4766138e576de2fe576d0d9e47600000000177977764f9177767f6f7776f4f7777611f77776f2837776857e777600000000" to virtual address "0x69E91000" (part of module "MSIMG32.DLL")
  - "WINWORD.EXE" wrote bytes "00000000" to virtual address "0x69C5BE64" (part of module "WPFT532.CNV")
  - "WINWORD.EXE" wrote bytes "8484f24b" to virtual address "0x686AF530" (part of module "WWLIB.DLL")
  - "WINWORD.EXE" wrote bytes "c2be344b" to virtual address "0x2FBA1B94" (part of module "WINWORD.EXE")
  - "WINWORD.EXE" wrote bytes "ef9444a1" to virtual address "0x60ED42C4" (part of module "MSPROOF7.DLL")
  - "WINWORD.EXE" wrote bytes "e9603308ef" to virtual address "0x76F04731" ("SysAllocStringByteLen@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "78636570" to virtual address "0x69C4BE64" (part of module "WPFT632.CNV")
- source: Hook Detection
- relevance: 10/10
Note: the four five-byte writes beginning with e9 (at VariantClear, SetUnhandledExceptionFilter, OleLoadFromStream and SysAllocStringByteLen) are relative jmp instructions placed on the exports' first bytes, i.e. inline hooks; the remaining entries are short data writes inside loaded Office modules and are not jmp stubs.
File Details
INV-BC0830.doc
- Filename
- INV-BC0830.doc
- Size
- 696KiB (712948 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- e4d8e5269c2705a7bfd67f228a922d9e8ab319fbfb406d4ca8d50113dab96d90
- MD5
- 6f9536cd0b794415760566ce16af44ef
- SHA1
- c2f7fd9cd68c82e043f6b6416ae63cb2ce20b9e1
Classification (TrID)
- 91.8% (.DOCX) Word Microsoft Office Open XML Format document
- 8.1% (.ZIP) ZIP compressed archive
Hybrid Analysis
Analysed 4 processes in total:
- WINWORD.EXE /n "C:\INV-BC0830.doc" (PID: 2520)
- ACF94AC9.exe (PID: 2412)
- ACF94AC9.exe (PID: 3108)
- wscript.exe "%TEMP%\install.vbs" (PID: 3416)
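The four processes above form a short chain that is detectable from process-creation telemetry alone, without any of the API-level indicators. The following is an added example, not sandbox code: a set of process-tree rules run over events constructed by the author to mirror this report. PIDs, images and command lines come from the report; the parent links are reconstructed from the spawn, write and drop indicators above and are therefore an assumption, as are the Office-app and script-host lists and the path heuristics.

```python
"""Process-tree triage for the chain seen in this report.

Added example, not Hybrid Analysis code. The EVENTS list is constructed by
the author to mirror the four processes the sandbox listed; parent links are
the author's reconstruction (WINWORD spawning ACF94AC9.exe, ACF94AC9.exe
writing into a second copy of itself and into wscript.exe, wscript.exe
running %TEMP%\\install.vbs). Rule lists and path heuristics are assumptions.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"(%temp%|%appdata%|\\users\\[^\\]+\\appdata|\\programdata\\)", re.I)
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.I)     # e.g. C:\ACF94AC9.exe


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def chain(by_pid, pid):
    """Render the ancestry of pid as 'winword.exe(2520) > ... > child(pid)'."""
    parts = []
    while pid in by_pid:
        e = by_pid[pid]
        parts.append("%s(%d)" % (base(e["image"]), e["pid"]))
        pid = e["ppid"]
    return " > ".join(reversed(parts))


def analyse(events):
    """Apply four process-tree rules; return one finding per hit process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        img, cmd = base(e["image"]), e.get("cmdline", "")
        hits = []
        if parent and base(parent["image"]) in OFFICE_APPS and img not in OFFICE_APPS:
            hits.append("office-app spawned %s" % img)
        if DRIVE_ROOT.match(e["image"]):
            hits.append("executable launched from drive root")
        if img in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
            hits.append("script host running a script from a user-writable dir")
        if parent and base(parent["image"]) == img:
            hits.append("process spawned a copy of its own image (hollowing candidate)")
        if hits:
            findings.append({"pid": e["pid"], "chain": chain(by_pid, e["pid"]), "hits": hits})
    return findings


# Constructed events modelled on the report's process list (PIDs and images
# from the report; parent links reconstructed by the author).
EVENTS = [
    {"pid": 2520, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\INV-BC0830.doc"'},
    {"pid": 2412, "ppid": 2520, "image": r"C:\ACF94AC9.exe", "cmdline": r"C:\ACF94AC9.exe"},
    {"pid": 3108, "ppid": 2412, "image": r"C:\ACF94AC9.exe", "cmdline": r"C:\ACF94AC9.exe"},
    {"pid": 3416, "ppid": 2412, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "%TEMP%\install.vbs"'},
]

if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f["chain"], "->", "; ".join(f["hits"]))
```

The first rule is the one the sandbox's "document can spawn a new process although no macro was present" indicator encodes: an Office parent with a non-Office child is worth an alert regardless of how the child was launched, and the remaining rules only sharpen the triage.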
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
| String | Context | Stream UID |
|---|---|---|
| autoitscript.com | Domain/IP reference | 00023108-00002412-8561-2564-0040D590 |
Note: an autoitscript.com reference in the dropper's memory suggests an AutoIt-compiled loader, in which case its script can be recovered with an AutoIt decompiler rather than by reversing the UPX-packed binary.
Extracted Files
Informative Selection (1)
install.vbs
- Size: 428B (428 bytes)
- Type: data
- Runtime Process: ACF94AC9.exe (PID: 3108)
- MD5: e35442b0d49e5adcc7707a559ff041cc
- SHA1: e786ad1e55a3e1f578ea5421f06c392e9561f643
- SHA256: 4d36b2714b40ff5f7a41da93b0431c8921a1c7342a1a81aabea421dbb485b14e
Informative (10)
INV-BC0830.LNK
- Size: 463B (463 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jun 5 02:14:09 2018, mtime=Tue Jun 5 02:17:20 2018, atime=Tue Jun 5 02:17:20 2018, length=801922, window=hide
- Runtime Process: WINWORD.EXE (PID: 2520)
- MD5: c2f6b9edf4126e952d60eb9303abab59
- SHA1: 96542bf1c1d48468c4971083d9b56d853d0b696a
- SHA256: 8b99d61d357fd96744f1947f2f747ea42d7958bdd746a4a0c9825d1348369a10
index.dat
- Size: 149B (149 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 2520)
- MD5: c9d37b8a2b91475c406807d2ffcf451b
- SHA1: 283b29f5d94042c3ac4a091d6bfca37ab16d9f12
- SHA256: d7a27d89146fb9adb9950ac2fa9b9d4243beef9e5077dd83c4d9cfbc647624ae
~$Normal.dotm
- Size: 162B (162 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 2520)
- MD5: 93768f9f12b9b9196a95719c27192412
- SHA1: 6830510261a78f778da1131242706caf716c7f58
- SHA256: 2f6eb2401da4e0c264096d792e25e6daf0bc17efd4e5457fef933904174a5813
2AE18BC2.emf
- Size: 5.1KiB (5216 bytes)
- Type: img image
- Description: Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process: WINWORD.EXE (PID: 2520)
- MD5: 57bfed8b053d752d78b241310f6d1d00
- SHA1: da7d6a3605c7b91fb63c9be36a3c53b5ff113419
- SHA256: 7827a67d6343f0adcbffdd17c824dead1653b47029183e5b5f9c6778a53d73b5
~WRS{AE989A53-B50C-4955-BE83-F40881DAE1BF}.tmp
- Size: 1.5KiB (1536 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 2520)
- MD5: 078251309a6696169d8cf338f367b748
- SHA1: 2522f46ee5372ad12b00965408778783118c1b6d
- SHA256: 20d97b84b161870a507f7d1f5817d25e431e01ffaa0da031cbf0e89cdbbc9380
~WRS{C879901D-4936-4261-BA09-36C80C54395E}.tmp
- Size: 1KiB (1024 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 2520)
- MD5: 5d4d94ee7e06bbb0af9584119797b23a
- SHA1: dbb111419c704f116efa8e72471dd83e86e49677
- SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
~$V-BC0830.doc
- Size: 162B (162 bytes)
- Type: data
- Runtime Process: WINWORD.EXE (PID: 2520)
- MD5: 93768f9f12b9b9196a95719c27192412
- SHA1: 6830510261a78f778da1131242706caf716c7f58
- SHA256: 2f6eb2401da4e0c264096d792e25e6daf0bc17efd4e5457fef933904174a5813
ACF94AC9.exe.bin
- Size: 2.5MiB (2595461 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- MD5: eba49d1d810302c9ba464568b93b856d
- SHA1: 9c4395b32160da425e1155d82dbe04ba773bb67a
- SHA256: 135680c4f77f826cc3201126de10a6c2593fdfd485d34688e84dce75ca29cd4f
~WRD0000.tmp
- Size: 1.4MiB (1441792 bytes)
- Type: docx office
- Description: Microsoft Word 2007+
- MD5: ad2b824af9ff1391d84266c01096bf82
- SHA1: 31b8e99134f8554cad8316dcd456a8bcbb9a28fc
- SHA256: 9505ba94a73d5b8370d7436d6fd083ed3d152fafca5c078a6626909ab799d074
~WRD0002.tmp
- Size: 1.4MiB (1441792 bytes)
- Type: docx office
- Description: Microsoft Word 2007+
- MD5: dcdd6215ae2c579e41097bcc11aae3e9
- SHA1: b8ef0e4d69543c97456653f8238b0a58b8d21d85
- SHA256: 735842247a8dd9905f2a364b8a878b064af92e77a9302dbf7859d62ef7ac08ba
Notifications
Runtime
- Added comment to Virus Total report
- Extracted file "~WRD0002.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/735842247a8dd9905f2a364b8a878b064af92e77a9302dbf7859d62ef7ac08ba/analysis/1528139975/")
- Not all file accesses are visible for wscript.exe (PID: 3416)
- Not all sources for indicator ID "api-47" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)