Analysis Report

Overview

General Information

Analysis ID: 58944
Start time: 23:56:41
Start date: 10/03/2015
Overall analysis duration: 0h 3m 2s
Report type: full
Sample file name: C2840591748.doc
Cookbook file name: default.jbs
Analysis system description: XP SP3 (Office 2007, Java 1.6.0, Acrobat Reader 9.4.6, Internet Explorer 8, Firefox 8.0.1, Chrome 15)
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
HCA enabled:true
HCA success:
  • true, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Internet access has been disabled
Warnings:
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationProcess calls found.


Detection

Strategy: Threshold
Detection: malicious


Signature Overview


Networking:

Urls found in memory or binary data
Source: WINWORD.EXE | String found in binary or memory: file://
Source: WINWORD.EXE | String found in binary or memory: file:///c:
Source: WINWORD.EXE | String found in binary or memory: file:///c:/c2840591748.doc
Source: WINWORD.EXE | String found in binary or memory: ftp://
Source: WINWORD.EXE | String found in binary or memory: http://
Source: WINWORD.EXE | String found in binary or memory: http://crl.microsoft.com/pki/crl/products/codesignpca2.crl0o
Source: WINWORD.EXE | String found in binary or memory: http://crl.microsoft.com/pki/crl/products/cspca.crl0h
Source: WINWORD.EXE | String found in binary or memory: http://crl.microsoft.com/pki/crl/products/tspca.crl0h
Source: WINWORD.EXE | String found in binary or memory: http://crl.verisign.com/thawtetimestampingca.crl0
Source: WINWORD.EXE | String found in binary or memory: http://crl.verisign.com/tss-ca.crl0
Source: WINWORD.EXE | String found in binary or memory: http://microsoft.com0
Source: WINWORD.EXE | String found in binary or memory: http://msdn.microsoft.com/developer/default.htm
Source: WINWORD.EXE | String found in binary or memory: http://ocsp.verisign.com0
Source: WINWORD.EXE | String found in binary or memory: http://purl.org/dc/dcmitype/
Source: WINWORD.EXE | String found in binary or memory: http://purl.org/dc/elements/1.1/
Source: WINWORD.EXE | String found in binary or memory: http://purl.org/dc/terms
Source: WINWORD.EXE | String found in binary or memory: http://purl.org/dc/terms/
Source: WINWORD.EXE | String found in binary or memory: http://sch
Source: WINWORD.EXE | String found in binary or memory: http://schemas.microsoft.com/office/2006/relationships/vbaproject
Source: WINWORD.EXE | String found in binary or memory: http://schemas.microsoft.com/office/2006/relationships/wordvbadata
Source: WINWORD.EXE | String found in binary or memory: http://schemas.microsoft.com/office/2006/relationships/wordvbadatatargetvbadata.xmlargetitemprops1.x
Source: WINWORD.EXE, document.xml, header1.xml, numbering.xml | String found in binary or memory: http://schemas.microsoft.com/office/word/2006/wordml
Source: document.xml, theme1.xml | String found in binary or memory: http://schemas.openxmlformats.org/drawingml/2006/main
Source: document.xml | String found in binary or memory: http://schemas.openxmlformats.org/drawingml/2006/picture
Source: WINWORD.EXE, document.xml, header1.xml, numbering.xml | String found in binary or memory: http://schemas.openxmlformats.org/drawingml/2006/wordprocessingdrawing
Source: WINWORD.EXE, document.xml, header1.xml, numbering.xml | String found in binary or memory: http://schemas.openxmlformats.org/markup-compatibility/2006
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/bibliography
Source: WINWORD.EXE, document.xml, header1.xml, numbering.xml | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/math
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/mathxmlns:vurn:schemas-microsoft-com:vmlxmlns:
Source: WINWORD.EXE, document.xml, header1.xml, numbering.xml | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/customxml
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/extended-properties
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/fonttable
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/fonttabletargetfonttable.xml.xml
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/footnotes
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/header
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/image
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/numbering
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/officedocument
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/settings
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/styles
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/theme
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationships/websettings
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/officedocument/2006/relationshipsxmlns:mhttp://schemas.openxmlform
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/package/2006/relationships
Source: WINWORD.EXE | String found in binary or memory: http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties
Source: WINWORD.EXE, document.xml, header1.xml, numbering.xml | String found in binary or memory: http://schemas.openxmlformats.org/wordprocessingml/2006/main
Source: WINWORD.EXE | String found in binary or memory: http://www.ilaunchmanager.com/x/wp-content/plugins/fb-infil
Source: vbaProject.bin | String found in binary or memory: http://www.ilaunchmanager.com/x/wp-content/plugins/fb-infiltrator-personal/dl.php
Source: WINWORD.EXE | String found in binary or memory: http://www.microsoft.com/pki/certs/codesignpca2.crt0
Source: WINWORD.EXE | String found in binary or memory: http://www.microsoft.com/pki/certs/cspca.crt0
Source: WINWORD.EXE | String found in binary or memory: http://www.microsoft.com/pki/certs/tspca.crt0
Source: WINWORD.EXE | String found in binary or memory: http://www.w3.org/2001/03/xml.xsd
Source: WINWORD.EXE | String found in binary or memory: http://www.w3.org/2001/schema-instance
Source: WINWORD.EXE | String found in binary or memory: http://www.w3.org/2001/xmlschema
Source: WINWORD.EXE | String found in binary or memory: http://www.w3.org/tr/wd-xsl
Source: WINWORD.EXE | String found in binary or memory: http://www.w3.org/xml/1998/namespace
Source: WINWORD.EXE | String found in binary or memory: http://www.w3w
Source: WINWORD.EXE | String found in binary or memory: https://
Downloads files
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | File created: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{281214E6-2F48-4949-A0EC-D8DCA1F7F523}.tmp

System Summary:

Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | File opened: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
Binary contains paths to debug symbols
Source: Binary string: t:\oleo\x86\ship\0\Cultures\office.pdb source: WINWORD.EXE
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | File created: C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\C2840591748.doc.LNK
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tst3.tmp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | File read: C:\Documents and Settings\Administrator\Application Data\desktop.ini
Enables driver privileges
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Process token adjusted: Load Driver
Tries to load missing DLLs
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Section loaded: xpsp2res.dll
Document contains an embedded VBA macro which executes code when the document is opened
Source: vbaProject.bin | Binary or memory string: Document_Open
Document contains an embedded VBA macro which may execute processes
Source: vbaProject.bin | Binary or memory string: ShellExecute
Document contains an embedded VBA macro with suspicious strings
Source: vbaProject.bin | Binary or memory string: ShellExecuteA
Source: vbaProject.bin | Binary or memory string: URLDownloadToFileA
Source: vbaProject.bin | Binary or memory string: >urlmonE=
Source: vbaProject.bin | Binary or memory string: ShellExecute
Source: vbaProject.bin | Binary or memory string: URLDownloadToFile
Source: vbaProject.bin | Binary or memory string: urlmonX
Unable to load, office file is protected or invalid
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Window title found: microsoft office word okword cannot start the converter mswrd632.wpc.show h&elp >>

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: WINWORD.EXE | Binary or memory string: Progman
Source: WINWORD.EXE | Binary or memory string: Program Manager
Source: WINWORD.EXE | Binary or memory string: Shell_TrayWnd

Anti Debugging and Sandbox Evasion:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Memory protected: page read and write and page guard
Is looking for software installed on the system
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Registry key enumerated: More than 282 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE TID: 1048 | Thread sleep time: -60000ms >= -60000ms

Virtual Machine Detection:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: WINWORD.EXE | Binary or memory string: \??\C:\WINDOWS\system32\VBoxService.exe
Source: WINWORD.EXE | Binary or memory string: \??\C:\WINDOWS\system32\VBoxTray.exe

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Registry key monitored for changes: \REGISTRY\USER

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc.) of a device
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Queries volume information: C:\C2840591748.doc VolumeInformation
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Queries volume information: C:\Documents and Settings\Administrator\Application Data\Microsoft\UProof\CUSTOM.DIC VolumeInformation
Source: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE | Queries volume information: C:\Documents and Settings\Administrator\Application Data\Microsoft\UProof\CUSTOM.DIC VolumeInformation

Yara Overview

No Yara matches

Startup

  • system is xp4
  • WINWORD.EXE (PID: 1784 MD5: 130A22AB4F3C09B804457650D185EDB3)
  • cleanup

Created / dropped Files

File Path | Type and Hashes
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mso9.tmp
  • Type: GIF image data, version 89a, 15 x 15
  • MD5: ED3C1C40B68BA4F40DB15529D5443DEC
  • SHA: 831AF99BB64A04617E0A42EA898756F9E0E0BCCA
  • SHA-256: 039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
  • SHA-512: C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\C2840591748.doc.LNK
  • Type: MS Windows shortcut
  • MD5: 2FD3A8D30586F4AD1E1102EB594225D5
  • SHA: 8E56AB1B8C7AEA914D5881FDB1CA23ACAB5743EF
  • SHA-256: B409C13D8EE3572ECDAE7C1CE04AAAF1FFB12496A67B1CCB61F77FC641CBD622
  • SHA-512: 77ED6FEF1DED043B39C5299BC93B19D8498E46D5C6FF6BC36F0C2F930D29CD8FD4A8B9FBCD219EE67DAC7AA5C9B18E03040292A41E87239EA57459009B95DE21
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\Local Disk (C).LNK
  • Type: MS Windows shortcut
  • MD5: C81B187DB1F82C7543C826468F62BDD2
  • SHA: 3A8CF81AB4DE63B436EA5472138F2782029EF2EF
  • SHA-256: 8C0B68695660A991548D4D14C76BC95F4EABCBEF1A4F912504408869668777BC
  • SHA-512: D2CC02A1CA42BE6428B6164F117B03D5F91860E173C128D662560FECEA2C1379A48B59BB9401EB05E1C0149B2198A5DC6C7A36CFB28794C40E7797DC29C9A5BE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\index.dat
  • Type: ASCII text, with CRLF line terminators
  • MD5: 8598085B5DAA703239AA1A236B04BEDA
  • SHA: 87F219B7EE171C2CD1B3EEA4B6D5411B60673BB3
  • SHA-256: 79B5B7645B3A81309B6B11416EBA109B6781690E95B30D9BDF5F06B0F100BEFE
  • SHA-512: 5C083F9E21E8A71B1B3622851AB31F81DFDDCFCB3AC125C0CB29621C039AA9E1DA8DF41953B8D622D8635822029AF6D222D567390F24BF3DC6BE1464B54BD855
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm
  • Type: data
  • MD5: 57390419A55F981471CC0408D22261B9
  • SHA: 67E67BFB129E6476C43424BE094FA191ACAB6D36
  • SHA-256: BC66D0032E95636A1C5FA78768F3F5B2CA9BB15318CCCDE35F5DC4F6465ACE20
  • SHA-512: D919F302101B3CD5939DF935DDBE1EB93247E1FE66B94A6C84FE7BF34E33A65B640CC5A9C9E107B158B2E41BA09751B9419CFD8401926490A472AA2B06FFF592
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{281214E6-2F48-4949-A0EC-D8DCA1F7F523}.tmp
  • Type: data
  • MD5: 5D4D94EE7E06BBB0AF9584119797B23A
  • SHA: DBB111419C704F116EFA8E72471DD83E86E49677
  • SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
  • SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{7C018C2F-FE52-44B4-B388-90E01A038C45}.tmp
  • Type: data
  • MD5: CCBE546C9AD8FFC2EC44591C44BE3C60
  • SHA: EF5D01E9FB3132E4D0BAABAA7CC92B4E1B3EDD57
  • SHA-256: 734ED6EF485AC63B8C96D968CC020E493C40BCFC9E8B17C09A796FC534CA9144
  • SHA-512: 123C57C5776677D9DC8863EE338ECA27F79D1A6650D66F73E3D9DC37D1EE62BAB0FB932FB2C9017646496A93D3C131BF49402FEF473EBEAEDE076C6D3035EC71
C:\~$840591748.doc
  • Type: data
  • MD5: 6E9B5BE753DD0602CDBF5AC0C7B10C4D
  • SHA: 6872E642C157C645EECAE5C73F3D124E0CFB76CE
  • SHA-256: 41C34FE76C99C24E4D0C943D27DE8AAC5AB13A9A12420E8ED8A7D6A78DB0EF3F
  • SHA-512: 5CAFBD1FE23A03392A86418571B9B8ED97E0B6717745F95201B0E7169A0F753893F14AA8A4B42045F8AAC26DB2374046EC715B62AF17DF140EFCDCF41F602429
\srvsvc
  • Type: GLS_BINARY_LSB_FIRST
  • MD5: 00010789CF97BAA5F49E8C7BF0605D58
  • SHA: 87D5F372BA2319C3F0475EB7D6EABEA3178E7CB2
  • SHA-256: 6547A2B904DAA11D272A62264A922997366AC2156B29D54B538C81DBC2A5A17D
  • SHA-512: DF1D3889AC3A75BD9499295C951880E6F69F8501D1A981A9F241845BCD5E609F58DC8278F8B4F670E5AC31864956DA528643EF97F8F3320AD3165E0F0EDEA769

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type: Zip archive data, at least v2.0 to extract
TrID:
  • Word Microsoft Office Open XML Format document with Macro (52004/1) 53.61%
  • Word Microsoft Office Open XML Format document (41004/1) 42.27%
  • ZIP compressed archive (4004/1) 4.13%
File name: C2840591748.docx
File size: 42908
MD5: 7ed4999012308d6f63abd7652a9f1ac0
SHA1: 2b22556a97fcad4f47a4e8fdab07d9bbdea22ce9
SHA256: 42c9491a576ec29dac88698fd62972d6f42fb7286bd9e62d12b2a86f3e8b7634
SHA512: 6ba47eac99b164d0c732f2fbd62270e9bb7acc79868347f394a0d3895496b49252ea44b1d1348772ecfee2ffce12365bf2b56946feac6f9665aafad6f0795175

Network Behavior

No network behavior found

System Behavior

General

Start time: 23:57:33
Start date: 10/03/2015
Path: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x30000000
File size: 408424 bytes
MD5 hash: 130A22AB4F3C09B804457650D185EDB3
