Malware analysis PowerWord.800.12012.exe Malicious activity

Add for printing

download:	PowerWord.800.12012.exe
Full analysis:	https://app.any.run/tasks/ebc86af1-f0dd-4fe8-8d3d-28641042b7e2
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 07, 2019, 11:10:04
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	installer opendir loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	14FE74F3913E49C7070A12277481D9C9
SHA1:	1B13A2F9240C433F236CF9177A29D779E9D3DF49
SHA256:	5366DCD94FEC6559AA01E6145627C4E6A92D578837DC2037562FE6406858DFF8
SSDEEP:	393216:taAHVKric3nEWTVFUkIODQmcw7cJIjGyX3kCvPLQuvtrlM584bHZATBQyy1:taNzEW/PIQASGeBzQ6RlM58wZ8QR1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Registers / Runs the DLL via REGSVR32.EXE
  - PowerWord.800.12012.exe (PID: 3372)
- Application was dropped or rewritten from another process
  - selfix.exe (PID: 3132)
  - PowerWord.exe (PID: 1252)
  - update.exe (PID: 1424)
  - powerwordhelper.exe (PID: 3640)
- Loads dropped or rewritten executable
  - regsvr32.exe (PID: 904)
  - selfix.exe (PID: 3132)
  - PowerWord.exe (PID: 1252)
  - powerwordhelper.exe (PID: 3640)
- Changes the autorun value in the registry
  - PowerWord.800.12012.exe (PID: 3372)
- Loads the Task Scheduler DLL interface
  - selfix.exe (PID: 3132)
  - PowerWord.exe (PID: 1252)
- Downloads executable files from the Internet
  - PowerWord.exe (PID: 1252)
SUSPICIOUS
- Creates files in the Windows directory
  - selfix.exe (PID: 3132)
  - PowerWord.exe (PID: 1252)
- Creates a software uninstall entry
  - PowerWord.800.12012.exe (PID: 3372)
- Creates files in the user directory
  - PowerWord.800.12012.exe (PID: 3372)
  - PowerWord.exe (PID: 1252)
  - update.exe (PID: 1424)
- Creates COM task schedule object
  - regsvr32.exe (PID: 904)
- Searches for installed software
  - PowerWord.exe (PID: 1252)
- Executable content was dropped or overwritten
  - PowerWord.exe (PID: 1252)
  - PowerWord.800.12012.exe (PID: 3372)
- Removes files from Windows directory
  - PowerWord.exe (PID: 1252)
INFO
- Dropped object may contain Bitcoin addresses
  - PowerWord.800.12012.exe (PID: 3372)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (54.3)
.exe	\|	Win64 Executable (generic) (34.8)
.exe	\|	Win32 Executable (generic) (5.6)
.exe	\|	Generic Win/DOS Executable (2.5)
.exe	\|	DOS Executable Generic (2.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1970:01:30 16:32:16+01:00
PEType:	PE32
LinkerVersion:	10
CodeSize:	1701888
InitializedDataSize:	858624
UninitializedDataSize:	-
EntryPoint:	0x10b403
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	2016.2018.821.1827
ProductVersionNumber:	2016.2018.821.1827
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Zhuhai Kingsoft Office Software Co.,Ltd
FileDescription:	金山词霸安装程序
FileVersion:	2016,3,3,0333
InternalName:	KPacket
LegalCopyright:	Copyright©1988-2016 Kingsoft Corporation. All rights reserved.
OriginalFileName:	KPacket.exe
ProductName:	金山词霸2016
ProductVersion:	2016,3,3,0333
MIMEType:	-

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	30-Jan-1970 15:32:16
Detected languages:	Chinese - PRC English - United States
Debug artifacts:	E:\func_powerwordv3_3_20170310_branch\Build\Release\PowerWord\bin\KPacket.pdb
CompanyName:	Zhuhai Kingsoft Office Software Co.,Ltd
FileDescription:	金山词霸安装程序
FileVersion:	2016,3,3,0333
InternalName:	KPacket
LegalCopyright:	Copyright©1988-2016 Kingsoft Corporation. All rights reserved.
OriginalFilename:	KPacket.exe
ProductName:	金山词霸2016
ProductVersion:	2016,3,3,0333
MIMEType:	-

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000108

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	5
Time date stamp:	30-Jan-1970 15:32:16
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0019F74C	0x0019F800	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.73099
.rdata	0x001A1000	0x00068C84	0x00068E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.68696
.data	0x0020A000	0x00018840	0x00011000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.95894
.rsrc	0x00223000	0x0003F4AC	0x0003F600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.86209
.reloc	0x00263000	0x0001851C	0x00018600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	5.87673

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.00801	609	Latin 1 / Western European	English - United States	RT_MANIFEST
2	7.97935	40801	Latin 1 / Western European	Chinese - PRC	RT_ICON
3	3.9342	67624	Latin 1 / Western European	Chinese - PRC	RT_ICON
4	3.95701	16936	Latin 1 / Western European	Chinese - PRC	RT_ICON
5	4.31119	9640	Latin 1 / Western European	Chinese - PRC	RT_ICON
6	4.1772	4264	Latin 1 / Western European	Chinese - PRC	RT_ICON
7	4.89043	2440	Latin 1 / Western European	Chinese - PRC	RT_ICON
8	5.30332	1128	Latin 1 / Western European	Chinese - PRC	RT_ICON
100	5.19154	1666	Latin 1 / Western European	Chinese - PRC	XML
101	4.85193	1401	Latin 1 / Western European	Chinese - PRC	XML

Imports


ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
Secur32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

904

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\CBGrabProxy.dll"

C:\Windows\System32\regsvr32.exe

—

PowerWord.800.12012.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1252

"C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\PowerWord.exe" -installer:main

C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\PowerWord.exe

PowerWord.800.12012.exe

User:

admin

Company:

Zhuhai Kingsoft Office Software Co.,Ltd

Integrity Level:

MEDIUM

Description:

金山词霸2016

Exit code:

Version:

2016,3,3,0333

Modules

Images
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\powerword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

1424

update.exe /productVer:2016.3.3.0333 /productID:PG01-PW-2052-156-X-Personal /UserGUID:{E70EC19437F14307B1E0869DD7D9AFF6----} /DistSrc: /uuid:E70EC19437F14307B1E0869DD7D9AFF6 /from:ksostart

C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\update.exe

PowerWord.exe

User:

admin

Company:

Zhuhai Kingsoft Office Software Co.,Ltd

Integrity Level:

MEDIUM

Description:

Expansion tool

Exit code:

Version:

10,1,0,5491

Modules

Images
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\update.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

3132

"C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\selfix.exe" --install

C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\selfix.exe

—

PowerWord.800.12012.exe

User:

admin

Company:

Zhuhai Kingsoft Office Software Co.,Ltd

Integrity Level:

MEDIUM

Description:

Powerword Self Fix

Exit code:

Version:

2016,3,3,0333

Modules

Images
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\selfix.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\msvcp100.dll
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\msvcr100.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

3336

"C:\Windows\System32\regsvr32.exe" /s /u "CBGrabProxy.dll"

C:\Windows\System32\regsvr32.exe

—

PowerWord.800.12012.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

3372

"C:\Users\admin\AppData\Local\Temp\PowerWord.800.12012.exe"

C:\Users\admin\AppData\Local\Temp\PowerWord.800.12012.exe

explorer.exe

User:

admin

Company:

Zhuhai Kingsoft Office Software Co.,Ltd

Integrity Level:

MEDIUM

Description:

金山词霸安装程序

Exit code:

Version:

2016,3,3,0333

Modules

Images
c:\users\admin\appdata\local\temp\powerword.800.12012.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

3640

"C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\powerwordhelper.exe" Power word open helper

C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\powerwordhelper.exe

—

PowerWord.exe

User:

admin

Integrity Level:

MEDIUM

Description:

金山词霸辅助程序

Exit code:

Version:

2016,3,3,0333

Modules

Images
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\powerwordhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\msvcr100.dll

Add for printing

Total events

1 097

Read events

890

Write events

205

Delete events

Modification events


(PID) Process:	(3372) PowerWord.800.12012.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Operation:	write	Name:	C:\Users\admin\AppData\Local\Temp\PowerWord.800.12012.exe
Value: 1
(PID) Process:	(3372) PowerWord.800.12012.exe	Key:	HKEY_CURRENT_USER\Software\Kingsoft\Power Word
Operation:	write	Name:	StartCountPinSC
Value: -1
(PID) Process:	(3372) PowerWord.800.12012.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3372) PowerWord.800.12012.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\AppID\{56D46CB3-3B60-4258-917A-502FB85582E4}
Operation:	write	Name:
Value: CBGrabProxy
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\AppID\CBGrabProxy.DLL
Operation:	write	Name:	AppID
Value: {56D46CB3-3B60-4258-917A-502FB85582E4}
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\CBGrabProxy.CBRMGrabPlugin.1
Operation:	write	Name:
Value: CBRMGrabPlugin Class
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\CBGrabProxy.CBRMGrabPlugin.1\CLSID
Operation:	write	Name:
Value: {1A8AAB98-37E6-4e68-B877-1BDE7F945E89}
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\CBGrabProxy.CBRMGrabPlugin
Operation:	write	Name:
Value: CBRMGrabPlugin Class
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\CBGrabProxy.CBRMGrabPlugin\CLSID
Operation:	write	Name:
Value: {1A8AAB98-37E6-4e68-B877-1BDE7F945E89}

Add for printing

Executable files

102

Suspicious files

532

Text files

1 180

Unknown types

Dropped files

PID	Process	Filename		Type
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\20.png		image
		MD5:B6463DFDA56244FBAAD5C0B983B9A5C8	SHA256:DC336991D9114D6C86B588C3042610834B16F1994C9AD30B2E7EDA1981556F4E
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\30.png		image
		MD5:3005F169E7104557B6EFCF06E88A0515	SHA256:022F29DA06C127C36C4E7A8BB93A09899279ABAB8C0EE6D7ECEA051B7E7B2E46
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\3.png		image
		MD5:99910B7A9E80C1C5DE5A62814625EE83	SHA256:44A01AAF0D2858D092AFF2B1ECFABE8ACF57126A6E21667D9D418F67FD5A9B22
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\102.png		image
		MD5:5192DC719389684E228C5ED6EAE9A3DA	SHA256:066733B6F7B054BECE74A4FE801732E991B830A0F70FD613444AADD96E8B24D7
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\104.png		image
		MD5:CE9038D52ACD2253609CC0F57596EDEA	SHA256:35AAAB539D213EC1B93AE0BEE85DF757F2B346BB9A3454FC574A3522D6B02603
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\10.png		image
		MD5:FEAF35246015524B3B335462EA0E7C5B	SHA256:0C06BF07D4CFBB68C1901A4E3B9B5D649145396F07FE2433ED4F64CCFF5FB87A
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\101.png		image
		MD5:20FCFD436541CC9A931C9C68C18C60DE	SHA256:029B53CAE4EE97BDC6CD383E8A61E7161F6FF46F4ECAAB2CB7E2602BA1F2080F
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\103.png		image
		MD5:16F538546506DC4130444497208C93E1	SHA256:E7F69D26EDBA0BC03F083FE986490FC2D4FE9B4C3122E4C961885D133EF92673
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\100.png		image
		MD5:F4F713DB58B4364A072B94A3B05AC5FA	SHA256:8488CCB8D08B19AF4BD04B73404D2085EDAECE9862DCC741D2EEDD4F454DDA93
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\2.jpg		image
		MD5:F179A0CA31A7FA7D1B62BF76B8DED22F	SHA256:77C059D87D8598FFA91558FE28459510D37CE801BBA3D93381E5F3AF6275FCD4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1252	PowerWord.exe	POST	200	120.92.91.106:80	http://ic.wps.cn/wpsv6internet/infos.ads?v=D1S1E1&d=ZG09L3dwcy9jbGllbnQvcGx1Z2lucyZhY3Rpb249cXVnX21pc3MyX3Bvd2Vyd29yZCZwbnVtPTQmcDA9RTcwRUMxOTQzN0YxNDMwN0IxRTA4NjlERDdEOUFGRjZ8OEI5RkUwRTUwMUJDOEE5RDY4RDAzNDYxRDE4NUMxMDV8NzQ0ZWI5YmJjMzU5NGE5YWY3ODMyNzI4Nzc5MmVhNmYmcDE9MjAxNi4zLjMuMDMzMyZwMj0mcDM9MQ==	CN	—	—	suspicious
3372	PowerWord.800.12012.exe	GET	—	120.92.3.55:80	http://push.wps.cn/bundled.php?distsrc=1.1&version=&type=install&platform=5	CN	—	—	suspicious
1252	PowerWord.exe	POST	200	120.92.5.151:80	http://sentence.iciba.com/index.php?&c=dailysentence&m=getList&duration=10&title=2019-04-07&period=0&v=2016.3.3.0333&sv=Windows+7+Professional&uid=defaultuid&uuid=E70EC19437F14307B1E0869DD7D9AFF6&client=5	CN	text	3.48 Kb	suspicious
1252	PowerWord.exe	GET	200	120.92.59.60:80	http://service.iciba.com/popo/pc/icon_red_packets/every_normal.png	CN	image	1.17 Kb	suspicious
1252	PowerWord.exe	GET	200	120.92.59.60:80	http://service.iciba.com/popo/pc/icon_red_packets/every_all.png	CN	image	2.05 Kb	suspicious
1252	PowerWord.exe	POST	200	120.92.91.106:80	http://ic.wps.cn/wpsv6internet/infos.ads?v=D1S1E2	CN	—	—	suspicious
1252	PowerWord.exe	GET	200	117.91.177.228:80	http://cdn.iciba.com/news/word/big_20190407b.jpg	CN	image	103 Kb	malicious
1252	PowerWord.exe	GET	200	120.92.59.60:80	http://service.iciba.com/popo/pc/icon_red_packets/every.gif	CN	image	7.52 Kb	suspicious
1252	PowerWord.exe	POST	200	120.92.20.54:80	http://mini.wps.cn/v2.php/iconflicker/api/config	CN	text	12 b	suspicious
1252	PowerWord.exe	POST	200	120.92.59.60:80	http://service.iciba.com/popo/ad?client=5&timestamp=1554635560&uuid=E70EC19437F14307B1E0869DD7D9AFF6&v=2016.3.3.0333&sv=Windows+7+Professional&channel=&uid=&sign=d07b12a9acad2cbe	CN	html	1.49 Kb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3372	PowerWord.800.12012.exe	120.92.3.55:80	push.wps.cn	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	unknown
1252	PowerWord.exe	120.92.3.58:80	dict-mobile.iciba.com	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	unknown
1252	PowerWord.exe	120.92.59.60:80	oxford.iciba.com	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	suspicious
1252	PowerWord.exe	120.92.20.54:80	mini.wps.cn	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	suspicious
1252	PowerWord.exe	120.92.5.165:80	dict-pc.iciba.com	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	unknown
1252	PowerWord.exe	120.92.5.151:80	minisite.iciba.com	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	unknown
1252	PowerWord.exe	183.134.19.1:80	activity.iciba.com	No.31,Jin-rong Street	CN	suspicious
1252	PowerWord.exe	120.92.91.106:80	ic.wps.cn	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	suspicious
1252	PowerWord.exe	183.131.200.84:80	download.iciba.com	DaLi	CN	suspicious
1252	PowerWord.exe	117.91.177.228:80	cdn.iciba.com	No.31,Jin-rong Street	CN	unknown

DNS requests

Domain	IP	Reputation
push.wps.cn	120.92.3.55	suspicious
oxford.iciba.com	120.92.59.60	suspicious
dict-mobile.iciba.com	120.92.3.58	suspicious
service.iciba.com	120.92.59.60	suspicious
mini.wps.cn	120.92.20.54	suspicious
minisite.iciba.com	120.92.5.151	suspicious
activity.iciba.com	183.134.19.1 114.236.92.129 123.8.171.1 61.147.122.129 124.239.226.1 183.236.60.129 118.112.254.1 218.60.15.1 60.221.17.1 124.232.182.1 183.214.10.1 223.112.143.1 113.113.101.1 222.216.122.1 60.28.125.129	suspicious
dict-pc.iciba.com	120.92.5.165	suspicious
sentence.iciba.com	120.92.5.151	suspicious
ic.wps.cn	120.92.91.106	suspicious

Threats

PID	Process	Class	Message
1252	PowerWord.exe	A Network Trojan was detected	ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request
1252	PowerWord.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

Add for printing

Process	Message
PowerWord.exe	2019/04/07 12:12:37 I Powerword program start!
PowerWord.exe	2019/04/07 12:12:38 I Powerword http://service.iciba.com/popo/open/screens/pc?client=5&v=2016.3.3.0333&sv=Windows+7+Professional&uuid=E70EC19437F14307B1E0869DD7D9AFF6&uid=defaultuid&timestamp=1554635558&key=1000005&sign=df367ce495b956fb
PowerWord.exe	2019/04/07 12:12:40 I Powerword initialize
PowerWord.exe	2019/04/07 12:12:40 I Powerword C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\PowerWord.exe
PowerWord.exe	2019/04/07 12:12:40 I Powerword -installer:main
update.exe	2019/04/07 12:12:40 I update 00000590:00000a20 wpsupdate cmdline = /productVer:2016.3.3.0333 /productID:PG01-PW-2052-156-X-Personal /UserGUID:{E70EC19437F14307B1E0869DD7D9AFF6----} /DistSrc: /uuid:E70EC19437F14307B1E0869DD7D9AFF6 /from:ksostart
update.exe	2019/04/07 12:12:40 I update 00000590:00000ec8 [WorkerMain]Update work thread begin.
update.exe	2019/04/07 12:12:40 I update 00000590:00000a20 Update Exit.

General Info

PowerWord.800.12012.exe

14FE74F3913E49C7070A12277481D9C9

1B13A2F9240C433F236CF9177A29D779E9D3DF49

5366DCD94FEC6559AA01E6145627C4E6A92D578837DC2037562FE6406858DFF8

393216:taAHVKric3nEWTVFUkIODQmcw7cJIjGyX3kCvPLQuvtrlM584bHZATBQyy1:taNzEW/PIQASGeBzQ6RlM58wZ8QR1

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Changes the autorun value in the registry

Loads the Task Scheduler DLL interface

Downloads executable files from the Internet

SUSPICIOUS

Creates files in the Windows directory

Creates a software uninstall entry

Creates files in the user directory

Creates COM task schedule object

Searches for installed software

Executable content was dropped or overwritten

Removes files from Windows directory

INFO

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings