Layer 2 Governance Model_Revised_6-15-15.vsdx
This report was generated from a file or URL submitted to this web service on June 17th 2016 23:12:56 (UTC), using the action script "Random desktop files".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v4.30 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed.
-
Suspicious Indicators 2
-
Installation/Persistence
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6BD43E46-0867-47F7-9FE6-7F7E5D5574BD}.tmp"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32"
"WINWORD.EXE" touched file "C:\Windows\system32\imageres.dll"
"WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "C:\Windows\system32\spool\DRIVERS\W32X86\3\sendtoonenote.BUD"
- source
- API Call
- relevance
- 7/10
-
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "e99e487ef0" to virtual address "0x76D63D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "77152153" to virtual address "0x62699904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "58ee9651" to virtual address "0x2F7D1B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "03820c50" to virtual address "0x69E6F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "c4cad57680bbd57652bad5769fbbd57608bbd57646ced5766138d676de2fd676d0d9d576000000001779a9764f91a9767f6fa976f4f7a97611f7a976f283a976857ea97600000000" to virtual address "0x69AC1000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "2fc63e53" to virtual address "0x627A10AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "25fc0550" to virtual address "0x69AECA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "ce540950" to virtual address "0x687A78E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "08832b50" to virtual address "0x677A0BA8" (part of module "MSO.DLL")
- source
- Hook Detection
- relevance
- 10/10
-
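Decoding the hook-detection entries above, as an added example (editor-supplied Python, not part of the Falcon Sandbox report). The first entry is a 5-byte write that starts with E9, the x86 opcode for a near relative jmp; its destination is the patch address plus 5 plus the little-endian rel32, which the script computes. The 4-byte writes are decoded as plain little-endian dwords, and the 72-byte write into MSIMG32.DLL as a run of 18 dwords; the report does not say what those values are, so the script only decodes them and makes no claim about their meaning. The RICHED20.DLL base (0x62650000) comes from the Loaded Module indicator further down this report; bases for the other modules are not on the page, so their offsets are left as None rather than guessed. The report lines themselves are copied from above.

```python
import re
import struct

# Hook-detection lines copied from the sandbox report above.
REPORT_LINES = [
    '"WINWORD.EXE" wrote bytes "e99e487ef0" to virtual address "0x76D63D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")',
    '"WINWORD.EXE" wrote bytes "77152153" to virtual address "0x62699904" (part of module "RICHED20.DLL")',
    '"WINWORD.EXE" wrote bytes "58ee9651" to virtual address "0x2F7D1B94" (part of module "WINWORD.EXE")',
    '"WINWORD.EXE" wrote bytes "c4cad57680bbd57652bad5769fbbd57608bbd57646ced5766138d676de2fd676d0d9d576000000001779a9764f91a9767f6fa976f4f7a97611f7a976f283a976857ea97600000000" to virtual address "0x69AC1000" (part of module "MSIMG32.DLL")',
]

# Module base addresses the report gives (Loaded Module indicator).
# Modules not listed here get offset None rather than a guessed base.
MODULE_BASES = {"RICHED20.DLL": 0x62650000}

LINE_RE = re.compile(
    r'wrote bytes "([0-9a-fA-F]+)" to virtual address "0x([0-9A-Fa-f]+)" '
    r'\((?:part of module )?"([^"]+)"\)'
)


def parse_write(line):
    """Pull (bytes, address, symbol/module) out of one report line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a write line: " + line)
    data = bytes.fromhex(m.group(1))
    addr = int(m.group(2), 16)
    symbol = m.group(3)
    module = symbol.split("@")[-1]  # "Sym@MOD.DLL" -> "MOD.DLL"
    return {"addr": addr, "data": data, "symbol": symbol, "module": module}


def decode_write(w):
    """Classify one write.
    5 bytes starting with E9: x86 near relative jmp, dest = addr + 5 + rel32.
    4 bytes: one little-endian dword (value only; the report does not say what it is).
    Any other multiple of 4: a run of dwords, decoded the same way.
    """
    data, addr = w["data"], w["addr"]
    base = MODULE_BASES.get(w["module"])
    out = {"rva": addr - base if base is not None else None}
    if len(data) == 5 and data[0] == 0xE9:
        rel = struct.unpack("<i", data[1:5])[0]
        out.update(kind="jmp_rel32", rel=rel, dest=(addr + 5 + rel) & 0xFFFFFFFF)
    elif len(data) == 4:
        out.update(kind="dword", value=struct.unpack("<I", data)[0])
    elif len(data) % 4 == 0:
        out.update(kind="dword_array",
                   values=list(struct.unpack("<%dI" % (len(data) // 4), data)))
    else:
        out.update(kind="bytes", length=len(data))
    return out


def decode_report(lines=REPORT_LINES):
    """Parse and decode every write line; returns one dict per line."""
    results = []
    for line in lines:
        w = parse_write(line)
        w.update(decode_write(w))
        results.append(w)
    return results


if __name__ == "__main__":
    for w in decode_report():
        if w["kind"] == "jmp_rel32":
            print("%s: jmp rel32 %+d -> 0x%08X" % (w["symbol"], w["rel"], w["dest"]))
        elif w["kind"] == "dword":
            print("%s @0x%08X: dword 0x%08X (offset %s)" % (
                w["module"], w["addr"], w["value"],
                "0x%X" % w["rva"] if w["rva"] is not None else "unknown"))
        else:
            print("%s @0x%08X: %d dwords" % (w["module"], w["addr"], len(w["values"])))
```

The jmp resolves to 0x675485A4; the report does not list the module that address belongs to, so the next step in a real triage is to map it against the process's full module list before deciding whether the SetUnhandledExceptionFilter patch is Office's own runtime behaviour or something injected.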
-
Informative 5
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/56 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
-
General
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61046"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61046"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
- source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 62650000
- source
- Loaded Module
-
-
Installation/Persistence
-
Dropped files
- details
-
"~$58ba0851b3f5cc3300b2deec049d06feb80bb5e8ea1f2d8fd863e790395426.doc" has type "data"
"~WRS{6BD43E46-0867-47F7-9FE6-7F7E5D5574BD}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"~$Normal.dotm" has type "data"
- source
- Binary File
- relevance
- 3/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "U#D+6C)VQ:K]WG2Q5L+5FGG.&@;i@$6I4D*n<q12\>E?+jfS(<hJvB.U ~;@#(\/t`26mwk<vi(.=+.Tr"
Heuristic match: "VUG% i25zPpb(Hv @sVQ4wMLZ4i\E(;.BbsY>c.(i@lRyoV`n@@c_`ZbY;-.IR"
Heuristic match: "G5?NGKwpxq#[ULStCEqf.AT"
Pattern match: "pA5.Sq/:F"
Pattern match: "hl.oA/m9',eLtKA^Zq*UW#CWP(iqJ0iZo!~6&.2)iH!8Rcr8t"
- source
- File/Memory
- relevance
- 10/10
-
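A triage check for the "potential URL" heuristics above, as an added example (editor-supplied Python, not part of the report). The five flagged strings are copied from the report; the validator accepts a candidate only if it carries a URL scheme, a www. prefix, or is a bare hostname built from lowercase labels ending in a TLD from a short, constructed allowlist (a real tool would use the Public Suffix List). It rejects all five while accepting three constructed positives. The allowlist and the delimiter rules are assumptions to tune for your own corpus.

```python
import re

# The five "potential URL" strings flagged in the report above, copied verbatim.
FLAGGED = [
    r"U#D+6C)VQ:K]WG2Q5L+5FGG.&@;i@$6I4D*n<q12\>E?+jfS(<hJvB.U ~;@#(\/t`26mwk<vi(.=+.Tr",
    r"VUG% i25zPpb(Hv @sVQ4wMLZ4i\E(;.BbsY>c.(i@lRyoV`n@@c_`ZbY;-.IR",
    r"G5?NGKwpxq#[ULStCEqf.AT",
    r"pA5.Sq/:F",
    r"hl.oA/m9',eLtKA^Zq*UW#CWP(iqJ0iZo!~6&.2)iH!8Rcr8t",
]

# Constructed strings that do contain real-looking URLs (not from the report).
POSITIVES = [
    "see https://example.com/path?x=1 for details",
    "mirror at www.example.org",
    "payload on cdn.example.net/drop",
]

# Short, constructed TLD allowlist; a real tool would use the Public Suffix List.
COMMON_TLDS = {"com", "net", "org", "info", "io", "ru", "cn", "de", "uk", "biz", "xyz", "top"}

# Scheme-bearing URLs: the scheme is the evidence, so the host rules are relaxed.
SCHEME_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.I)

# Bare hostnames: lowercase DNS labels only, delimited on both sides, optional path.
# Mixed-case runs such as "ULStCEqf.AT" fail here, which is the point.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])(?:www\.)?(" + LABEL + r"(?:\." + LABEL + r")+)"
    r"(?:/[^\s\"'<>]*)?(?![A-Za-z0-9.-])"
)


def extract_urls(text):
    """Return URL candidates that survive validation, left to right."""
    found = [m.group(0) for m in SCHEME_RE.finditer(text)]
    for m in HOST_RE.finditer(text):
        host = m.group(1)
        if host.rsplit(".", 1)[-1] not in COMMON_TLDS:
            continue
        if any(m.group(0) in url for url in found):
            continue  # already covered by a scheme-bearing match
        found.append(m.group(0))
    return found


def triage(strings):
    """Map each sandbox string to its validated URLs; an empty list means noise."""
    return {s: extract_urls(s) for s in strings}


if __name__ == "__main__":
    for s, urls in triage(FLAGGED + POSITIVES).items():
        print("%-8s %r" % ("URL" if urls else "noise", s if not urls else urls))
```

The flagged strings look like compressed bytes that happen to contain a dot, which is exactly what a sandbox's generic "pattern match" keys on; the 10/10 relevance score attached to them in the report should be read with that in mind.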
File Details
Layer 2 Governance Model_Revised_6-15-15.vsdx
- Filename
- Layer 2 Governance Model_Revised_6-15-15.vsdx
- Size
- 264KiB (270778 bytes)
- Type
- docx office
- Description
- Microsoft OOXML
- Architecture
- WINDOWS
- SHA256
- 4a58ba0851b3f5cc3300b2deec049d06feb80bb5e8ea1f2d8fd863e790395426
- MD5
- ea8b19e3665f7e9ab3f2c4d5250c70d5
- SHA1
- f158d40d6d4401b85318f4113e300b5865c14192
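The submitted file carries a .vsdx (Visio) extension, but the sandbox typed it as docx office / Microsoft OOXML and opened it with WINWORD.EXE. The following is an added example (editor-supplied Python, not from the report) of checking that mismatch directly: it reads [Content_Types].xml from the OOXML container, maps the main part's content type to a document kind, compares that with the extension, and also flags a vbaProject.bin part. The content-type strings and expected extensions are from my own knowledge of the Open XML and [MS-VSDX] formats and are the assumptions to verify; the sample containers the script builds are constructed for the test and are not the file from this report.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"

# Main-part content types for these formats (assumption: verify against the
# Open XML and [MS-VSDX] specs) and the extensions that legitimately carry them.
KNOWN_KINDS = {
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml": ("word", {".docx"}),
    "application/vnd.ms-word.document.macroEnabled.main+xml": ("word-macro", {".docm"}),
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml": ("excel", {".xlsx"}),
    "application/vnd.ms-visio.drawing.main+xml": ("visio", {".vsdx"}),
}
VBA_CT = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data):
    """Identify an OOXML container by its [Content_Types].xml, not its name."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"kind": "not-zip", "has_vba": False, "parts": 0}
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return {"kind": "zip-not-ooxml", "has_vba": False, "parts": len(names)}
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    ns = "{%s}" % CT_NS
    types = {o.get("ContentType") for o in root.iter(ns + "Override")}
    kind = next((k for ct, (k, _) in KNOWN_KINDS.items() if ct in types), "unknown")
    has_vba = VBA_CT in types or any(n.lower().endswith("vbaproject.bin") for n in names)
    return {"kind": kind, "has_vba": has_vba, "parts": len(names)}


def check_extension(filename, data):
    """Compare the extension the file claims against what the container says it is."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    info = inspect_ooxml(data)
    expected = next((exts for k, exts in KNOWN_KINDS.values() if k == info["kind"]), set())
    info.update(extension=ext, mismatch=bool(expected) and ext not in expected)
    return info


def build_sample(main_ct, main_part, vba=False):
    """Constructed minimal OOXML container for the test; not the report's file."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<Types xmlns="%s">' % CT_NS,
             '<Default Extension="xml" ContentType="application/xml"/>',
             '<Override PartName="/%s" ContentType="%s"/>' % (main_part, main_ct)]
    if vba:
        parts.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CT)
    parts.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "\n".join(parts))
        zf.writestr(main_part, "<x/>")
        if vba:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    word_ct = next(ct for ct, (k, _) in KNOWN_KINDS.items() if k == "word")
    sample = build_sample(word_ct, "word/document.xml")
    # Same extension as the submitted file, on a constructed Word container.
    print(check_extension("Layer 2 Governance Model_Revised_6-15-15.vsdx", sample))
```

Run against the real sample, a mismatch plus a vbaProject.bin part is the combination worth escalating; a mismatch alone, as here, still tells you the extension was chosen for the recipient rather than for the content, which Word's file-type sniffing happily ignores.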
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n "C:\4a58ba0851b3f5cc3300b2deec049d06feb80bb5e8ea1f2d8fd863e790395426.doc" (PID: 3536)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative 3
-
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3536)
- MD5
- 1e615f31fef9169f6dd728019cd9d170
- SHA1
- e76a2c769042d6a16a73e7faf09afc1ae7a3e859
- SHA256
- 5b68566f371476daee0755f1b788b86f9b17f768ea39a2edbb6fa2f3ba3783fa
-
~WRS{6BD43E46-0867-47F7-9FE6-7F7E5D5574BD}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process
- WINWORD.EXE (PID: 3536)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~$58ba0851b3f5cc3300b2deec049d06feb80bb5e8ea1f2d8fd863e790395426.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3536)
- MD5
- 1e615f31fef9169f6dd728019cd9d170
- SHA1
- e76a2c769042d6a16a73e7faf09afc1ae7a3e859
- SHA256
- 5b68566f371476daee0755f1b788b86f9b17f768ea39a2edbb6fa2f3ba3783fa
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "api-55" are available in the report