General Information

Analysis ID: 27405
Start time: 11:43:48
Start date: 16/11/2012
Overall analysis duration: 0h 3m 19s
Sample file name: 46e6a921eef3dafb97bf041147244f76.doc
Cookbook file name: default.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
SCAE enabled: true
SCAE success: true, ratio: 75%

Classification / Threat Score

Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Matching Signatures

Behavior Signatures
Creates files inside the user directory
Creates temporary files
Queries a list of all running processes
Reads ini files
Spawns processes
Urls found in memory or binary data
Creates files inside the system directory
Creates mutexes:
  • \BaseNamedObjects\Local\Mso97SharedDg19211106568_S-1-5-21-507921405-1960408961-839522115-500Mutex
  • \BaseNamedObjects\oleacc-msaa-loaded
  • \BaseNamedObjects\Local\Mso97SharedDg19531106568_S-1-5-21-507921405-1960408961-839522115-500Mutex
  • \BaseNamedObjects\Local\Mutex_MSOSharedMem
  • \BaseNamedObjects\Local\Mso97SharedDg20321106568_S-1-5-21-507921405-1960408961-839522115-500Mutex
  • \BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-507921405-1960408961-839522115-500
  • \BaseNamedObjects\OfficeAssistantStateMutex
  • \BaseNamedObjects\Local\Mso97SharedDg19521106568_S-1-5-21-507921405-1960408961-839522115-500Mutex
  • \BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-507921405-1960408961-839522115-500
  • \BaseNamedObjects\Local\SqmSysTray
Drops PE files
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
AV process strings found (often used to terminate AV products)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
One or more processes crash
Potential document exploit detected (Application instantly terminates)

Code Signatures
Contains functionality to enumerate / list files inside a directory
Contains functionality to dynamically determine API calls

Startup

  • system is xp
  • WINWORD.EXE (PID: 648 MD5: 7A0FA3A0282B4630F3768A74441D4BAE)
    • dw20.EXE (PID: 1816 MD5: AC7B9760A499D342D165B8A70BE52FEE)
    • WINWORD.EXE (PID: 1936 MD5: 7A0FA3A0282B4630F3768A74441D4BAE)
  • cleanup

Created / dropped Files

File Path                                                                                MD5
C:\46e6a921eef3dafb97bf041147244f76.doc                                                  38127D7381C8D2FA2E3BC93E36B75BE9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw20.EXE                                              AC7B9760A499D342D165B8A70BE52FEE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~$INWORD                                              05A02048D6F36640223C02FE5E3F1D00
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WINWORD                                              38127D7381C8D2FA2E3BC93E36B75BE9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WRC0000.tmp                                          D6F83722463EBE648B7F882AE4078CCC
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\Temp.LNK        3CD32D9B98EB392C834FE893C1FDB4D6
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\index.dat       2AA6A240AF5BCCB5A1BE10AF07111FBB
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\~WINWORD.LNK    A0504484140647E9448415099C80A7F5
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC              A8A040B900A54102E3D8DD8C458138A5
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC            24C5F34DE468172070B602738919987B
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dot        05A02048D6F36640223C02FE5E3F1D00
C:\WINDOWS\fxsst.dll                                                                     08727A7100766E60026243601FA6CE3B
C:\~$e6a921eef3dafb97bf041147244f76.doc                                                  05A02048D6F36640223C02FE5E3F1D00
\srvsvc                                                                                  00010789CF97BAA5F49E8C7BF0605D58

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP info

Static File Info

File type: Rich Text Format data, version 1, unknown character set
File name: 46e6a921eef3dafb97bf041147244f76.doc
File size: 237273
MD5: 46e6a921eef3dafb97bf041147244f76
SHA1: fbcc554ef9ef7c0181cd9f924ddf9b42b88ae2f0
SHA256: a69c52cfbd315706bb23fc85a682c879557357f000756c015e9e8f6d147dd356
SHA512: ee8d49c4061fc90981ae51d36df103f1e12ab74c0300c7a85e59d2c465c0b094cb90075fe900732653dda8b46809e3d8307c1f14b60de133a6dbf84e1d5b4f9d

String Analysis

URLs
String value                                              Source
http://schemas.microsoft.com/office/word/2003/wordml      46e6a921eef3dafb97bf041147244f76.doc

AV process names
String value                                              Source
SCFManager.exe                                            dw20.EXE, dw20.EXE.dr

Network Behavior

No network behavior found

Code Manipulation Behavior

System Behavior