General Information
---
| Field | Value |
|---|---|
| Analysis ID | 27405 |
| Start time | 11:43:48 |
| Start date | 16/11/2012 |
| Overall analysis duration | 0h 3m 19s |
| Sample file name | 46e6a921eef3dafb97bf041147244f76.doc |
| Cookbook file name | default.jbs |
| Analysis system description | XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8) |
| Number of new started processes analysed | 3 |
| Number of new started drivers analysed | 0 |
| Number of existing processes analysed | 0 |
| Number of existing drivers analysed | 0 |
| Number of injected processes analysed | 0 |
| SCAE enabled | true |
| SCAE success | true, ratio: 75% |
Classification / Threat Score
---
| Category | Score |
|---|---|
| Persistence, Installation, Boot Survival | |
| Hiding, Stealthiness, Detection and Removal Protection | |
| Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection | |
| Spreading | |
| Exploiting | |
| Networking | |
| Data spying, Sniffing, Keylogging, Ebanking Fraud | |
Matching Signatures
---
| Behavior Signatures |
|---|
| Creates files inside the user directory |
| Creates temporary files |
| Queries a list of all running processes |
| Reads ini files |
| Spawns processes |
| Urls found in memory or binary data |
| Creates files inside the system directory |
| Creates mutexes |
| Drops PE files |
| Monitors certain registry keys / values for changes (often done to protect autostart functionality) |
| AV process strings found (often used to terminate AV products) |
| Document exploit detected (drops PE files) |
| Document exploit detected (process start blacklist hit) |
| One or more processes crash |
| Potential document exploit detected (Application instantly terminates) |

| Code Signatures |
|---|
| Contains functionality to enumerate / list files inside a directory |
| Contains functionality to dynamically determine API calls |
Startup
---
Created / dropped Files
---
| File Path | MD5 |
|---|---|
C:\46e6a921eef3dafb97bf041147244f76.doc | 38127D7381C8D2FA2E3BC93E36B75BE9 |
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw20.EXE | AC7B9760A499D342D165B8A70BE52FEE |
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~$INWORD | 05A02048D6F36640223C02FE5E3F1D00 |
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WINWORD | 38127D7381C8D2FA2E3BC93E36B75BE9 |
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WRC0000.tmp | D6F83722463EBE648B7F882AE4078CCC |
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\Temp.LNK | 3CD32D9B98EB392C834FE893C1FDB4D6 |
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\index.dat | 2AA6A240AF5BCCB5A1BE10AF07111FBB |
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\~WINWORD.LNK | A0504484140647E9448415099C80A7F5 |
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC | A8A040B900A54102E3D8DD8C458138A5 |
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC | 24C5F34DE468172070B602738919987B |
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dot | 05A02048D6F36640223C02FE5E3F1D00 |
C:\WINDOWS\fxsst.dll | 08727A7100766E60026243601FA6CE3B |
C:\~$e6a921eef3dafb97bf041147244f76.doc | 05A02048D6F36640223C02FE5E3F1D00 |
\srvsvc | 00010789CF97BAA5F49E8C7BF0605D58 |
Contacted Domains
---
No contacted domains info

Contacted IPs
---
No contacted IP info
Static File Info
---
| Field | Value |
|---|---|
| File type | Rich Text Format data, version 1, unknown character set |
| File name | 46e6a921eef3dafb97bf041147244f76.doc |
| File size | 237273 |
| MD5 | 46e6a921eef3dafb97bf041147244f76 |
| SHA1 | fbcc554ef9ef7c0181cd9f924ddf9b42b88ae2f0 |
| SHA256 | a69c52cfbd315706bb23fc85a682c879557357f000756c015e9e8f6d147dd356 |
| SHA512 | ee8d49c4061fc90981ae51d36df103f1e12ab74c0300c7a85e59d2c465c0b094cb90075fe900732653dda8b46809e3d8307c1f14b60de133a6dbf84e1d5b4f9d |
String Analysis
---
URLs

| String value | Source |
|---|---|
| 46e6a921eef3dafb97bf041147244f76.doc | |

AV process names

| String value | Source |
|---|---|
| dw20.EXE, dw20.EXE.dr | |
Network Behavior
---
No network behavior found

Code Manipulation Behavior
---
System Behavior
---
General

| Field | Value |
|---|---|
| Start time | 09:46:18 |
| Start date | 24/01/2012 |
| Path | C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE |
| Wow64 process (32bit) | false |
| Commandline | unknown |
| Imagebase | 0x30000000 |
| File size | 12061896 bytes |
| MD5 hash | 7A0FA3A0282B4630F3768A74441D4BAE |

General

| Field | Value |
|---|---|
| Start time | 09:46:21 |
| Start date | 24/01/2012 |
| Path | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw20.EXE |
| Wow64 process (32bit) | false |
| Commandline | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw20.EXE |
| Imagebase | 0x400000 |
| File size | 32768 bytes |
| MD5 hash | AC7B9760A499D342D165B8A70BE52FEE |

General

| Field | Value |
|---|---|
| Start time | 09:46:22 |
| Start date | 24/01/2012 |
| Path | C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE |
| Wow64 process (32bit) | false |
| Commandline | C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE /n /dde C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WINWORD |
| Imagebase | 0x30000000 |
| File size | 12061896 bytes |
| MD5 hash | 7A0FA3A0282B4630F3768A74441D4BAE |
Disassembly
---
Code Analysis
---
Executed Functions
---
APIs

Non-executed Functions
---