7dfc982a1d1e70.bup
This report is generated from a file or URL submitted to this webservice on January 27th 2016 06:27:38 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v3.20 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
Suspicious Indicators (3)
Installation/Persistence
Creates/touches files in windows directory
- details:
  - "WINWORD.EXE" created file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc"
  - "WINWORD.EXE" created file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc"
  - "WINWORD.EXE" created file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{36DA0D2D-8C06-4104-9396-4AD0E5807BDB}.tmp"
- source: API Call
- relevance: 7/10
System Destruction
Marks file for deletion
- details:
  - "%PROGRAMFILES%\Microsoft Office\Office12\WINWORD.EXE" marked "%SAMPLEDIR%\Users\PSPUBWS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc" for deletion
- source: API Call
- relevance: 10/10
Unusual Characteristics
Installs hooks/patches the running process
- details:
  - "WINWORD.EXE" wrote bytes "E92319F0F1" to virtual address "0x763E3D01" ("SetUnhandledExceptionFilter@kernel32.dll")
  - "WINWORD.EXE" wrote bytes "3CF7047B" to virtual address "0x2FCA1634" (part of module "WINWORD.EXE")
- source: Hook Detection
- relevance: 10/10
Informative (5)
General
Creates mutants
- details:
  - "KYIMEShareCachedData.MutexObject.PSPUBWS"
  - "KYTransactionServer.MutexObject.PSPUBWS"
  - "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  - "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
- source: Created Mutant
- relevance: 3/10
Loads modules at runtime
- details:
  - "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\PROOF\MSLID.DLL" at base 507C0000
  - "WINWORD.EXE" loaded module "%WINDIR%\SYSTEM32\MSCTF.DLL" at base 762C0000
  - "WINWORD.EXE" loaded module "LINKINFO.DLL" at base 70DB0000
  - "WINWORD.EXE" loaded module "USER32.DLL" at base 761F0000
  - "WINWORD.EXE" loaded module "NTSHRUI.DLL" at base 71E90000
  - "WINWORD.EXE" loaded module "SRVCLI.DLL" at base 75520000
  - "WINWORD.EXE" loaded module "CSCAPI.DLL" at base 71E50000
  - "WINWORD.EXE" loaded module "SLC.DLL" at base 73D30000
  - "WINWORD.EXE" loaded module "SHLWAPI.DLL" at base 75BB0000
  - "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\OFFICE12\RICHED20.DLL" at base 66E60000
- source: API Call
- relevance: 1/10
Loads rich edit control libraries
- details:
  - "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 66E60000
- source: Loaded Module
Installation/Persistence
Dropped files
- details:
  - "~WRS{5FFDECD1-93E1-4E17-B733-7585147D81ED}.tmp.147671" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
  - "opa12.dat.148343" has type "data"
  - "~WRS{AB9627B4-A221-49FC-BC8F-CFDDC9B92CB3}.tmp.154187" has type "data"
  - "~WRD0000.doc.154312" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
  - "~WRD0001.doc.155203" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
  - "~WRD0002.doc.269953" has type "dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377""
  - "7dfc982a1d1e70.bup.LNK.270703" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Normal, ctime=Wed Jan 27 21:28:00 2016, mtime=Wed Jan 27 21:28:00 2016, atime=Wed Jan 27 21:28:00 2016, length=1356288, window=hide"
  - "index.dat.270718" has type "data"
- source: Binary File
- relevance: 3/10
Network Related
Found potential URL in binary/memory
- details:
  - (pattern-match strings omitted)
- source: File/Memory
- relevance: 10/10
File Details
- Filename: 7dfc982a1d1e70.bup
- Size: 1.3MiB (1356288 bytes)
- Type: text
- Description: Composite Document File V2 Document, No summary info
- Architecture: WINDOWS
- SHA256: c1545edc89b0d350e1be2732cddbf63037c9050cb107d9ce6f38e3bdeecd13d1
- MD5: 2c0940e72909ab8306a1004dfa3fb5f4
- SHA1: cca46ed2387bf724a1ca0ca94bc5fb5b28555f04
Classification (TrID)
- 100.0% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n /dde (PID: 2444)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Informative (8)
7dfc982a1d1e70.bup.LNK
- Size: 415B (415 bytes)
- Type: MS Windows shortcut, Item id list present, Points to a file or directory, Normal, ctime=Wed Jan 27 21:28:00 2016, mtime=Wed Jan 27 21:28:00 2016, atime=Wed Jan 27 21:28:00 2016, length=1356288, window=hide
- MD5: 617bb094dae22c2f9d62ff7efd003912
- SHA256: a8c6976d101c0957a2f41f66c2aec903f3013964913362d7fc9b813cd5a7ba8a
index.dat
- Size: 61B (61 bytes)
- Type: data
- MD5: 0f81f01de96c1fefd825b5f336424811
- SHA1: 04fa49a5f6195b633c366b82403643787cf03407
- SHA256: e741edff4ec50994b80bf29be2bb7701886a4ab693b9ef47620752014e5be954
~WRD0000.doc
- Size: 2.6MiB (2712576 bytes)
- Type: dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5: f9a2340129290195e6fff30448f2f02b
- SHA1: 7f49c0d88c1c8e758e5f3e8c533dd0e4ba5be952
- SHA256: 995ac379016a080a604354d8d04e312c6634d376d6366285802fc40c98657acf
~WRD0001.doc
- Size: 2.6MiB (2712576 bytes)
- Type: dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5: f9a2340129290195e6fff30448f2f02b
- SHA1: 7f49c0d88c1c8e758e5f3e8c533dd0e4ba5be952
- SHA256: 995ac379016a080a604354d8d04e312c6634d376d6366285802fc40c98657acf
~WRD0002.doc
- Size: 2.6MiB (2712064 bytes)
- Type: dBase IV DBT of \241.DBF, blocks size 14680081, next free block index 13566160, 1st item "\377"
- MD5: bf476e150076873259f17e4fd4df4d89
- SHA1: 33272883f41d88bc327ead02661f515e17fad021
- SHA256: f343596c4d435294555b35ae622a35dbc03734d0331a031c4164ff2abf787131
~WRS{5FFDECD1-93E1-4E17-B733-7585147D81ED}.tmp
- Size: 1KiB (1024 bytes)
- Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5: 5d4d94ee7e06bbb0af9584119797b23a
- SHA1: dbb111419c704f116efa8e72471dd83e86e49677
- SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
~WRS{AB9627B4-A221-49FC-BC8F-CFDDC9B92CB3}.tmp
- Size: 1.5KiB (1536 bytes)
- Type: data
- MD5: 7e305ac1d2f8757f4f06dc3a3379ff86
- SHA1: 65e550eb8deac7914c657b950f6580de9d534b16
- SHA256: 97941e3033f2db9fc98bddc16a2029b81d495cb3d176a50f7cc67ffcdd4669e7
opa12.dat
- Size: 25KiB (25242 bytes)
- Type: data
- MD5: 13a5022c52da5bb8ebf9e7efea6b8585
- SHA1: b97da3d898aaf7895e587496ef181dba01535ede
- SHA256: 311b58da6b0f7740bb01d8e55f593758afaff186a185b55c1ed76f3b8883c615
Notifications
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Not all sources for signature ID "string-3" are available in the report