Malware analysis PowerWord.800.12012.exe Malicious activity

Add for printing

download:	PowerWord.800.12012.exe
Full analysis:	https://app.any.run/tasks/ebc86af1-f0dd-4fe8-8d3d-28641042b7e2
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 07, 2019, 11:10:04
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	installer opendir loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	14FE74F3913E49C7070A12277481D9C9
SHA1:	1B13A2F9240C433F236CF9177A29D779E9D3DF49
SHA256:	5366DCD94FEC6559AA01E6145627C4E6A92D578837DC2037562FE6406858DFF8
SSDEEP:	393216:taAHVKric3nEWTVFUkIODQmcw7cJIjGyX3kCvPLQuvtrlM584bHZATBQyy1:taNzEW/PIQASGeBzQ6RlM58wZ8QR1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Registers / Runs the DLL via REGSVR32.EXE
  - PowerWord.800.12012.exe (PID: 3372)
- Application was dropped or rewritten from another process
  - selfix.exe (PID: 3132)
  - PowerWord.exe (PID: 1252)
  - update.exe (PID: 1424)
  - powerwordhelper.exe (PID: 3640)
- Changes the autorun value in the registry
  - PowerWord.800.12012.exe (PID: 3372)
- Loads the Task Scheduler DLL interface
  - selfix.exe (PID: 3132)
  - PowerWord.exe (PID: 1252)
- Loads dropped or rewritten executable
  - regsvr32.exe (PID: 904)
  - selfix.exe (PID: 3132)
  - PowerWord.exe (PID: 1252)
  - powerwordhelper.exe (PID: 3640)
- Downloads executable files from the Internet
  - PowerWord.exe (PID: 1252)
SUSPICIOUS
- Creates a software uninstall entry
  - PowerWord.800.12012.exe (PID: 3372)
- Creates files in the Windows directory
  - selfix.exe (PID: 3132)
  - PowerWord.exe (PID: 1252)
- Creates COM task schedule object
  - regsvr32.exe (PID: 904)
- Creates files in the user directory
  - PowerWord.800.12012.exe (PID: 3372)
  - PowerWord.exe (PID: 1252)
  - update.exe (PID: 1424)
- Executable content was dropped or overwritten
  - PowerWord.exe (PID: 1252)
  - PowerWord.800.12012.exe (PID: 3372)
- Searches for installed software
  - PowerWord.exe (PID: 1252)
- Removes files from Windows directory
  - PowerWord.exe (PID: 1252)
INFO
- Dropped object may contain Bitcoin addresses
  - PowerWord.800.12012.exe (PID: 3372)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (54.3)
.exe	\|	Win64 Executable (generic) (34.8)
.exe	\|	Win32 Executable (generic) (5.6)
.exe	\|	Generic Win/DOS Executable (2.5)
.exe	\|	DOS Executable Generic (2.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1970:01:30 16:32:16+01:00
PEType:	PE32
LinkerVersion:	10
CodeSize:	1701888
InitializedDataSize:	858624
UninitializedDataSize:	-
EntryPoint:	0x10b403
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	2016.2018.821.1827
ProductVersionNumber:	2016.2018.821.1827
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Zhuhai Kingsoft Office Software Co.,Ltd
FileDescription:	金山词霸安装程序
FileVersion:	2016,3,3,0333
InternalName:	KPacket
LegalCopyright:	Copyright©1988-2016 Kingsoft Corporation. All rights reserved.
OriginalFileName:	KPacket.exe
ProductName:	金山词霸2016
ProductVersion:	2016,3,3,0333
MIMEType:	-

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	30-Jan-1970 15:32:16
Detected languages:	Chinese - PRC English - United States
Debug artifacts:	E:\func_powerwordv3_3_20170310_branch\Build\Release\PowerWord\bin\KPacket.pdb
CompanyName:	Zhuhai Kingsoft Office Software Co.,Ltd
FileDescription:	金山词霸安装程序
FileVersion:	2016,3,3,0333
InternalName:	KPacket
LegalCopyright:	Copyright©1988-2016 Kingsoft Corporation. All rights reserved.
OriginalFilename:	KPacket.exe
ProductName:	金山词霸2016
ProductVersion:	2016,3,3,0333
MIMEType:	-

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000108

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	5
Time date stamp:	30-Jan-1970 15:32:16
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0019F74C	0x0019F800	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.73099
.rdata	0x001A1000	0x00068C84	0x00068E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.68696
.data	0x0020A000	0x00018840	0x00011000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.95894
.rsrc	0x00223000	0x0003F4AC	0x0003F600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.86209
.reloc	0x00263000	0x0001851C	0x00018600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	5.87673

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.00801	609	Latin 1 / Western European	English - United States	RT_MANIFEST
2	7.97935	40801	Latin 1 / Western European	Chinese - PRC	RT_ICON
3	3.9342	67624	Latin 1 / Western European	Chinese - PRC	RT_ICON
4	3.95701	16936	Latin 1 / Western European	Chinese - PRC	RT_ICON
5	4.31119	9640	Latin 1 / Western European	Chinese - PRC	RT_ICON
6	4.1772	4264	Latin 1 / Western European	Chinese - PRC	RT_ICON
7	4.89043	2440	Latin 1 / Western European	Chinese - PRC	RT_ICON
8	5.30332	1128	Latin 1 / Western European	Chinese - PRC	RT_ICON
100	5.19154	1666	Latin 1 / Western European	Chinese - PRC	XML
101	4.85193	1401	Latin 1 / Western European	Chinese - PRC	XML

Imports


ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
Secur32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

904

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\CBGrabProxy.dll"

C:\Windows\System32\regsvr32.exe

—

PowerWord.800.12012.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1252

"C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\PowerWord.exe" -installer:main

C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\PowerWord.exe

PowerWord.800.12012.exe

User:

admin

Company:

Zhuhai Kingsoft Office Software Co.,Ltd

Integrity Level:

MEDIUM

Description:

金山词霸2016

Exit code:

Version:

2016,3,3,0333

Modules

Images
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\powerword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

1424

update.exe /productVer:2016.3.3.0333 /productID:PG01-PW-2052-156-X-Personal /UserGUID:{E70EC19437F14307B1E0869DD7D9AFF6----} /DistSrc: /uuid:E70EC19437F14307B1E0869DD7D9AFF6 /from:ksostart

C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\update.exe

PowerWord.exe

User:

admin

Company:

Zhuhai Kingsoft Office Software Co.,Ltd

Integrity Level:

MEDIUM

Description:

Expansion tool

Exit code:

Version:

10,1,0,5491

Modules

Images
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\update.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

3132

"C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\selfix.exe" --install

C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\selfix.exe

—

PowerWord.800.12012.exe

User:

admin

Company:

Zhuhai Kingsoft Office Software Co.,Ltd

Integrity Level:

MEDIUM

Description:

Powerword Self Fix

Exit code:

Version:

2016,3,3,0333

Modules

Images
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\selfix.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\msvcp100.dll
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\msvcr100.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

3336

"C:\Windows\System32\regsvr32.exe" /s /u "CBGrabProxy.dll"

C:\Windows\System32\regsvr32.exe

—

PowerWord.800.12012.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

3372

"C:\Users\admin\AppData\Local\Temp\PowerWord.800.12012.exe"

C:\Users\admin\AppData\Local\Temp\PowerWord.800.12012.exe

explorer.exe

User:

admin

Company:

Zhuhai Kingsoft Office Software Co.,Ltd

Integrity Level:

MEDIUM

Description:

金山词霸安装程序

Exit code:

Version:

2016,3,3,0333

Modules

Images
c:\users\admin\appdata\local\temp\powerword.800.12012.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

3640

"C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\powerwordhelper.exe" Power word open helper

C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\powerwordhelper.exe

—

PowerWord.exe

User:

admin

Integrity Level:

MEDIUM

Description:

金山词霸辅助程序

Exit code:

Version:

2016,3,3,0333

Modules

Images
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\powerwordhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\kingsoft\power word 2016\2016.3.3.0333\msvcr100.dll

Add for printing

Total events

1 097

Read events

890

Write events

205

Delete events

Modification events


(PID) Process:	(3372) PowerWord.800.12012.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Operation:	write	Name:	C:\Users\admin\AppData\Local\Temp\PowerWord.800.12012.exe
Value: 1
(PID) Process:	(3372) PowerWord.800.12012.exe	Key:	HKEY_CURRENT_USER\Software\Kingsoft\Power Word
Operation:	write	Name:	StartCountPinSC
Value: -1
(PID) Process:	(3372) PowerWord.800.12012.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3372) PowerWord.800.12012.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\AppID\{56D46CB3-3B60-4258-917A-502FB85582E4}
Operation:	write	Name:
Value: CBGrabProxy
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\AppID\CBGrabProxy.DLL
Operation:	write	Name:	AppID
Value: {56D46CB3-3B60-4258-917A-502FB85582E4}
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\CBGrabProxy.CBRMGrabPlugin.1
Operation:	write	Name:
Value: CBRMGrabPlugin Class
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\CBGrabProxy.CBRMGrabPlugin.1\CLSID
Operation:	write	Name:
Value: {1A8AAB98-37E6-4e68-B877-1BDE7F945E89}
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\CBGrabProxy.CBRMGrabPlugin
Operation:	write	Name:
Value: CBRMGrabPlugin Class
(PID) Process:	(904) regsvr32.exe	Key:	HKEY_CLASSES_ROOT\CBGrabProxy.CBRMGrabPlugin\CLSID
Operation:	write	Name:
Value: {1A8AAB98-37E6-4e68-B877-1BDE7F945E89}

Add for printing

Executable files

102

Suspicious files

532

Text files

1 180

Unknown types

Dropped files

PID	Process	Filename		Type
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\704.png		image
		MD5:FEECC2413F763F1CE7E1783B45DB099F	SHA256:C1046C28A0B181A642FA4A3F5AFCF401CCB9968B626DAB9092020D949D9A5538
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\801.png		image
		MD5:67208170A3553909CF283F7C659B9467	SHA256:60F23D3A7972D31AB8E9E0C19E859A15248EE149A72CA0DA357C81C38B9AAE1C
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\30.png		image
		MD5:3005F169E7104557B6EFCF06E88A0515	SHA256:022F29DA06C127C36C4E7A8BB93A09899279ABAB8C0EE6D7ECEA051B7E7B2E46
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\800.png		image
		MD5:27D3004B5EE33AB41821388CFA6D4EB0	SHA256:C86D9369F1FDF3361603A9EDB9C45210A8E5379BF60DD775C3A2ABFBE1148F66
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\10.png		image
		MD5:FEAF35246015524B3B335462EA0E7C5B	SHA256:0C06BF07D4CFBB68C1901A4E3B9B5D649145396F07FE2433ED4F64CCFF5FB87A
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\20.png		image
		MD5:B6463DFDA56244FBAAD5C0B983B9A5C8	SHA256:DC336991D9114D6C86B588C3042610834B16F1994C9AD30B2E7EDA1981556F4E
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\705.png		image
		MD5:816ECB5DDAA76A70E2D796C7336963EB	SHA256:880F7384A831440A88306DCDED6961DA2E42888E984EA2AC820C4F92C4743379
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\708.png		image
		MD5:4C4CB6A3E79055D9485B1952E2827C0E	SHA256:C115772FB9E20D9AFDF3FF3CDFAB87595B3023345CF9854E4CA10954E155674E
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\1.png		image
		MD5:9179721463E747E379FE103222E124EC	SHA256:85F21DE1E3806D6A46DBB2259E52883CDAE40F3F977FDA0288DDB43E3CF42D62
3372	PowerWord.800.12012.exe	C:\Users\admin\AppData\Local\Temp\Power Word\~eaa07\install_res\703.png		image
		MD5:FFB2D95C20652FBC715A81E24DFAE4F3	SHA256:C6B236C38664DBE3B0B96CAB6021892B3A7675E5C2B5FD598449EFA958722AFA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1252	PowerWord.exe	POST	200	120.92.91.106:80	http://ic.wps.cn/wpsv6internet/infos.ads?v=D1S1E1&d=ZG09L3dwcy9jbGllbnQvcGx1Z2lucyZhY3Rpb249cXVnX21pc3MyX3Bvd2Vyd29yZCZwbnVtPTQmcDA9RTcwRUMxOTQzN0YxNDMwN0IxRTA4NjlERDdEOUFGRjZ8OEI5RkUwRTUwMUJDOEE5RDY4RDAzNDYxRDE4NUMxMDV8NzQ0ZWI5YmJjMzU5NGE5YWY3ODMyNzI4Nzc5MmVhNmYmcDE9MjAxNi4zLjMuMDMzMyZwMj0mcDM9MQ==	CN	—	—	suspicious
3372	PowerWord.800.12012.exe	GET	—	120.92.3.55:80	http://push.wps.cn/bundled.php?distsrc=1.1&version=&type=install&platform=5	CN	—	—	suspicious
1252	PowerWord.exe	POST	200	120.92.59.60:80	http://service.iciba.com/popo/ad?client=5&timestamp=1554635560&uuid=E70EC19437F14307B1E0869DD7D9AFF6&v=2016.3.3.0333&sv=Windows+7+Professional&channel=&uid=&sign=d07b12a9acad2cbe	CN	html	1.49 Kb	suspicious
1252	PowerWord.exe	POST	200	120.92.5.151:80	http://sentence.iciba.com/index.php?&c=dailysentence&m=getList&duration=10&title=2019-04-07&period=0&v=2016.3.3.0333&sv=Windows+7+Professional&uid=defaultuid&uuid=E70EC19437F14307B1E0869DD7D9AFF6&client=5	CN	text	3.48 Kb	suspicious
1252	PowerWord.exe	GET	200	120.92.59.60:80	http://service.iciba.com/popo/pc/icon_red_packets/every_all.png	CN	image	2.05 Kb	suspicious
1252	PowerWord.exe	GET	200	120.92.59.60:80	http://service.iciba.com/popo/pc/icon_red_packets/every.gif	CN	image	7.52 Kb	suspicious
1252	PowerWord.exe	POST	200	120.92.91.106:80	http://ic.wps.cn/wpsv6internet/infos.ads?v=D1S1E2	CN	—	—	suspicious
1252	PowerWord.exe	GET	200	117.91.177.228:80	http://cdn.iciba.com/news/word/big_20190407b.jpg	CN	image	103 Kb	malicious
1252	PowerWord.exe	GET	200	120.92.3.58:80	http://dict-mobile.iciba.com/msg/index.php?act=pc&starttime=8&endtime=21&type=000&uid=0&timestamp=1554635560&client=5&uuid=E70EC19437F14307B1E0869DD7D9AFF6&v=2016.3.3.0333&sv=Windows%207%20Professional&mac_address=52:54:00:4A:04:AF	CN	text	57 b	suspicious
1252	PowerWord.exe	POST	200	120.92.5.165:80	http://dict-pc.iciba.com/interface/index.php?client=5&type=1&timestamp=1554635560&uuid=E70EC19437F14307B1E0869DD7D9AFF6&c=personal_center&m=get_personal_center_list&v=2016.3.3.0333&sv=Windows+7+Professional&sign=53e5606818fd23a0&uid=defaultuid&hdid=8B9FE0E501BC8A9D68D03461D185C105	CN	text	51 b	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3372	PowerWord.800.12012.exe	120.92.3.55:80	push.wps.cn	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	unknown
1252	PowerWord.exe	120.92.3.58:80	dict-mobile.iciba.com	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	unknown
1252	PowerWord.exe	120.92.5.165:80	dict-pc.iciba.com	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	unknown
1252	PowerWord.exe	120.92.20.54:80	mini.wps.cn	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	suspicious
1252	PowerWord.exe	120.92.5.151:80	minisite.iciba.com	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	unknown
1252	PowerWord.exe	120.92.91.106:80	ic.wps.cn	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	suspicious
1252	PowerWord.exe	183.134.19.1:80	activity.iciba.com	No.31,Jin-rong Street	CN	suspicious
1252	PowerWord.exe	117.91.177.228:80	cdn.iciba.com	No.31,Jin-rong Street	CN	unknown
1252	PowerWord.exe	183.131.200.84:80	download.iciba.com	DaLi	CN	suspicious
1252	PowerWord.exe	120.92.59.60:80	oxford.iciba.com	Beijing Kingsoft Cloud Internet Technology Co., Ltd	CN	suspicious

DNS requests

Domain	IP	Reputation
push.wps.cn	120.92.3.55	suspicious
oxford.iciba.com	120.92.59.60	suspicious
dict-mobile.iciba.com	120.92.3.58	suspicious
service.iciba.com	120.92.59.60	suspicious
mini.wps.cn	120.92.20.54	suspicious
minisite.iciba.com	120.92.5.151	suspicious
activity.iciba.com	183.134.19.1 114.236.92.129 123.8.171.1 61.147.122.129 124.239.226.1 183.236.60.129 118.112.254.1 218.60.15.1 60.221.17.1 124.232.182.1 183.214.10.1 223.112.143.1 113.113.101.1 222.216.122.1 60.28.125.129	suspicious
dict-pc.iciba.com	120.92.5.165	suspicious
sentence.iciba.com	120.92.5.151	suspicious
ic.wps.cn	120.92.91.106	suspicious

Threats

PID	Process	Class	Message
1252	PowerWord.exe	A Network Trojan was detected	ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request
1252	PowerWord.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

Add for printing

Process	Message
PowerWord.exe	2019/04/07 12:12:37 I Powerword program start!
PowerWord.exe	2019/04/07 12:12:38 I Powerword http://service.iciba.com/popo/open/screens/pc?client=5&v=2016.3.3.0333&sv=Windows+7+Professional&uuid=E70EC19437F14307B1E0869DD7D9AFF6&uid=defaultuid&timestamp=1554635558&key=1000005&sign=df367ce495b956fb
PowerWord.exe	2019/04/07 12:12:40 I Powerword initialize
PowerWord.exe	2019/04/07 12:12:40 I Powerword C:\Users\admin\AppData\Local\Kingsoft\Power Word 2016\2016.3.3.0333\PowerWord.exe
PowerWord.exe	2019/04/07 12:12:40 I Powerword -installer:main
update.exe	2019/04/07 12:12:40 I update 00000590:00000a20 wpsupdate cmdline = /productVer:2016.3.3.0333 /productID:PG01-PW-2052-156-X-Personal /UserGUID:{E70EC19437F14307B1E0869DD7D9AFF6----} /DistSrc: /uuid:E70EC19437F14307B1E0869DD7D9AFF6 /from:ksostart
update.exe	2019/04/07 12:12:40 I update 00000590:00000ec8 [WorkerMain]Update work thread begin.
update.exe	2019/04/07 12:12:40 I update 00000590:00000a20 Update Exit.

General Info

PowerWord.800.12012.exe

14FE74F3913E49C7070A12277481D9C9

1B13A2F9240C433F236CF9177A29D779E9D3DF49

5366DCD94FEC6559AA01E6145627C4E6A92D578837DC2037562FE6406858DFF8

393216:taAHVKric3nEWTVFUkIODQmcw7cJIjGyX3kCvPLQuvtrlM584bHZATBQyy1:taNzEW/PIQASGeBzQ6RlM58wZ8QR1

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

Application was dropped or rewritten from another process

Changes the autorun value in the registry

Loads the Task Scheduler DLL interface

Loads dropped or rewritten executable

Downloads executable files from the Internet

SUSPICIOUS

Creates a software uninstall entry

Creates files in the Windows directory

Creates COM task schedule object

Creates files in the user directory

Executable content was dropped or overwritten

Searches for installed software

Removes files from Windows directory

INFO

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings