Edit tour

Windows Analysis Report
WordConv.exe

Overview

General Information

Sample Name:	WordConv.exe
Analysis ID:	601124
MD5:	ecc2a36707204069a32d57fee090e326
SHA1:	9ad6dc50747eb6c5d9d45a5a5bfd6ff6d86cbf83
SHA256:	4212aa0d9f76e06ef3cff25c0dca6679ac7ae990bb73da80f18d16a0688146e9
Tags:	exe

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

May infect USB drives

PE file contains sections with non-standard names

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

WordConv.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\WordConv.exe" MD5: ECC2A36707204069A32D57FEE090E326)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: WordConv.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: WordConv.exe	Virustotal: Detection: 44%	Perma Link
Source: WordConv.exe	Metadefender: Detection: 22%	Perma Link
Source: WordConv.exe	ReversingLabs: Detection: 61%

Machine Learning detection for sample

Source: WordConv.exe

Joe Sandbox ML: detected

Source: WordConv.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: WordConv.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: e:\fx19rel\WINNT_5.2_Depend\mozilla\obj-fx-trunk\browser\app\firefox.pdb source: WordConv.exe
Source:	Binary string: p:\Target\x86\ship\setuptools\x-none\Flattener.pdb source: WordConv.exe
Source:	Binary string: AcroBroker.pdb source: WordConv.exe
Source:	Binary string: e\msosync.pdb source: WordConv.exe
Source:	Binary string: F:\Office\Target\x86\ship\postc2r\x-none\wordconv.pdb source: WordConv.exe
Source:	Binary string: \wordconv.pdb source: WordConv.exe
Source:	Binary string: F:\Office\Target\x86\ship\postc2r\x-none\wordconv.pdb\wordconv.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordConv.exe
Source:	Binary string: dismhost.pdb source: WordConv.exe
Source:	Binary string: E:\delivery\Dev\wix36_dev11\build\ship\x86\x86\burn.pdb source: WordConv.exe
Source:	Binary string: F:\Office\Target\x86\ship\postc2r\x-none\msosync.pdb source: WordConv.exe
Source:	Binary string: dismhost.pdbH source: WordConv.exe
Source:	Binary string: F:\Office\Target\x86\ship\postc2r\x-none\msosync.pdbe\msosync.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordConv.exe
Source:	Binary string: AppVDllSurrogate32.pdb source: WordConv.exe

Source: WordConv.exe	Binary or memory string: :\autorun.inf
Source: WordConv.exe	Binary or memory string: [Autorun]

Source: WordConv.exe	String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl02
Source: WordConv.exe	String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: WordConv.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: WordConv.exe	String found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
Source: WordConv.exe	String found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
Source: WordConv.exe	String found in binary or memory: http://evcs-ocsp.ws.symantec.com04
Source: WordConv.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: WordConv.exe	String found in binary or memory: http://translationproject.org/team/
Source: WordConv.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: WordConv.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: WordConv.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: WordConv.exe	String found in binary or memory: http://www.gnu.org/software/coreutils/
Source: WordConv.exe	String found in binary or memory: http://www.gnu.org/software/coreutils/GNU
Source: WordConv.exe	String found in binary or memory: http://www.mozilla.com0
Source: WordConv.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: WordConv.exe	String found in binary or memory: http://www.symauth.com/cps09
Source: WordConv.exe	String found in binary or memory: http://www.symauth.com/rpa04

Source: WordConv.exe, 00000000.00000002.355064803.00000000007FA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: WordConv.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: WordConv.exe	Binary or memory string: OriginalFilenameFlattener.exep' vs WordConv.exe
Source: WordConv.exe	Binary or memory string: OriginalFilenameAppVDllSurrogate32.exez- vs WordConv.exe
Source: WordConv.exe	Binary or memory string: OriginalFilenameAcroBroker.exe~/ vs WordConv.exe
Source: WordConv.exe	Binary or memory string: OriginalFilenameicons.exeL vs WordConv.exe
Source: WordConv.exe	Binary or memory string: OriginalFilenameFirewall.exe vs WordConv.exe
Source: WordConv.exe	Binary or memory string: OriginalFilenameEQNEDT32.EXET vs WordConv.exe
Source: WordConv.exe	Binary or memory string: OriginalFilenameDismHost.exej% vs WordConv.exe
Source: WordConv.exe	Binary or memory string: OriginalFilenamefirefox.exe0 vs WordConv.exe
Source: WordConv.exe	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L"OriginalFilenamevcredist_x86.exe vs WordConv.exe
Source: WordConv.exe	Binary or memory string: OriginalFilenamemsosync.exeL vs WordConv.exe

Source: C:\Users\user\Desktop\WordConv.exe

Section loaded: appvisvsubsystems32.dll

Source: WordConv.exe	Virustotal: Detection: 44%
Source: WordConv.exe	Metadefender: Detection: 22%
Source: WordConv.exe	ReversingLabs: Detection: 61%

Source: WordConv.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WordConv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: WordConv.exe

Binary or memory string: @`@*\AC:\Program Files\Microsoft Visual Studio\VB98\pjtbinder.vbp

Source: WordConv.exe	String found in binary or memory: Try '%s --help' for more information
Source: WordConv.exe	String found in binary or memory: Try '%s --help' for more information
Source: WordConv.exe	String found in binary or memory: -h, --help this help text
Source: WordConv.exe	String found in binary or memory: -h, --help this help text
Source: WordConv.exe	String found in binary or memory: Try '%s --help' for more information.
Source: WordConv.exe	String found in binary or memory: Try '%s --help' for more information.
Source: WordConv.exe	String found in binary or memory: --help display this help and exit
Source: WordConv.exe	String found in binary or memory: --help display this help and exit
Source: WordConv.exe	String found in binary or memory: cyggcj-16.dll_Jv_RegisterClassesunamearch[ invocationTry '%s --help' for more information.
Source: WordConv.exe	String found in binary or memory: cyggcj-16.dll_Jv_RegisterClassesunamearch[ invocationTry '%s --help' for more information.
Source: WordConv.exe	String found in binary or memory: This equation was created with MathType. Tab-stop formatting will be lost; User 1 & 2 styles will be converted to the Text style; User 1 & 2 typesizes will be converted to the Full typesize.
Source: WordConv.exe	String found in binary or memory: Re-install Equation Editor to properly install its fonts.9The %s%s font is not available; %s%s will be substituted.
Source: WordConv.exe	String found in binary or memory: Re-install Equation Editor to properly install its fonts.lThe application could not be run, perhaps it is not installed. Use Windows Setup to install the application.
Source: WordConv.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: WordConv.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %lsFailed to get current process path.Failed to get command line.e:\delivery\dev\wix36_dev11\src\burn\engine\engine.cpp

Source: classification engine

Classification label: mal60.winEXE@1/0@0/0

Source: WordConv.exe

Static file information: File size 3042689 > 1048576

Source: WordConv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WordConv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WordConv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WordConv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WordConv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WordConv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: WordConv.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: WordConv.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: e:\fx19rel\WINNT_5.2_Depend\mozilla\obj-fx-trunk\browser\app\firefox.pdb source: WordConv.exe
Source:	Binary string: p:\Target\x86\ship\setuptools\x-none\Flattener.pdb source: WordConv.exe
Source:	Binary string: AcroBroker.pdb source: WordConv.exe
Source:	Binary string: e\msosync.pdb source: WordConv.exe
Source:	Binary string: F:\Office\Target\x86\ship\postc2r\x-none\wordconv.pdb source: WordConv.exe
Source:	Binary string: \wordconv.pdb source: WordConv.exe
Source:	Binary string: F:\Office\Target\x86\ship\postc2r\x-none\wordconv.pdb\wordconv.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordConv.exe
Source:	Binary string: dismhost.pdb source: WordConv.exe
Source:	Binary string: E:\delivery\Dev\wix36_dev11\build\ship\x86\x86\burn.pdb source: WordConv.exe
Source:	Binary string: F:\Office\Target\x86\ship\postc2r\x-none\msosync.pdb source: WordConv.exe
Source:	Binary string: dismhost.pdbH source: WordConv.exe
Source:	Binary string: F:\Office\Target\x86\ship\postc2r\x-none\msosync.pdbe\msosync.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordConv.exe
Source:	Binary string: AppVDllSurrogate32.pdb source: WordConv.exe

Source: WordConv.exe

Static PE information: real checksum: 0xaa66 should be: 0x2e7e44

Source: C:\Users\user\Desktop\WordConv.exe

Code function: 0_2_009F2AFA push ecx; ret

Source: WordConv.exe

Static PE information: section name: .c2r

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\WordConv.exe

Code function: 0_2_009F305A VirtualQuery,GetSystemInfo,

Source: C:\Users\user\Desktop\WordConv.exe

Code function: 0_2_009F287F IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\WordConv.exe

Code function: 0_2_009F2063 GetProcessHeap,HeapSetInformation,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,VirtualProtect,VirtualProtect,WerRegisterMemoryBlock,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\WordConv.exe	Code function: 0_2_009F2A0B SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\WordConv.exe	Code function: 0_2_009F2353 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\WordConv.exe	Code function: 0_2_009F287F IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\WordConv.exe

Code function: 0_2_009F2B65 cpuid

Source: C:\Users\user\Desktop\WordConv.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	1 Input Capture	1 System Time Discovery	1 Replication Through Removable Media	1 Input Capture	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WordConv.exe	44%	Virustotal		Browse
WordConv.exe	23%	Metadefender		Browse
WordConv.exe	62%	ReversingLabs	Win32.Trojan.Generic
WordConv.exe	100%	Avira	HEUR/AGEN.1201252
WordConv.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://translationproject.org/team/	0%	Virustotal		Browse
http://translationproject.org/team/	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://translationproject.org/team/	WordConv.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.gnu.org/software/coreutils/	WordConv.exe	false		high
http://www.gnu.org/software/coreutils/GNU	WordConv.exe	false		high
http://www.symauth.com/rpa04	WordConv.exe	false		high
http://crl.thawte.com/ThawteCodeSigningCA.crl02	WordConv.exe	false		high
http://crl.thawte.com/ThawtePremiumServerCA.crl0	WordConv.exe	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	WordConv.exe	false		high
http://www.symauth.com/cps09	WordConv.exe	false		high
http://www.symauth.com/cps0(	WordConv.exe	false		high
http://ocsp.thawte.com0	WordConv.exe	false	URL Reputation: safe	unknown
http://www.mozilla.com0	WordConv.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	601124
Start date and time:	2022-03-31 20:30:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 13s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	WordConv.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 92.1%) Quality average: 71.3% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 20.82.210.154, 80.67.82.235, 80.67.82.211
Excluded domains from analysis (whitelisted): arc.trafficmanager.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, a1449.dscg2.akamai.net, arc.msn.com
Execution Graph export aborted for target WordConv.exe, PID 6884 because there are no executed function

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.177455865411722
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.65% Win32 Executable (generic) a (10002005/4) 49.60% Windows ActiveX control (116523/4) 0.58% UPX compressed Win32 Executable (30571/9) 0.15% Generic Win/DOS Executable (2004/3) 0.01%
File name:	WordConv.exe
File size:	3042689
MD5:	ecc2a36707204069a32d57fee090e326
SHA1:	9ad6dc50747eb6c5d9d45a5a5bfd6ff6d86cbf83
SHA256:	4212aa0d9f76e06ef3cff25c0dca6679ac7ae990bb73da80f18d16a0688146e9
SHA512:	30e3c3a24ea0c652a7edc7961b982b99883d5d5d4e7b966e4129e7539256950728ca310736542f539424a3dc28919da4249bbc6ce62c5d77f9531e8eda7722a7
SSDEEP:	49152:DM84pXv9MYV7uLPTM+V8tgJd82WSytLd0/IabjKoh9WsRT:gff97io+Cga2stJ0IabjKoh9Ws
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Pw....w...w...w..n....w..Ov...w..Ot...w..Or...w..Os...w..Os...w.......w.......w...v.@.w..Or...w..O....w..Ou...w.Rich..w........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x402349
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x575469FF [Sun Jun 5 18:05:51 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	1597a1a52f47e476fef33f49742fedfb

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F57C8CE514Ah
jmp 00007F57C8CE52B5h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00404064h]
push dword ptr [ebp+08h]
call dword ptr [00404068h]
push C0000409h
call dword ptr [00404060h]
push eax
call dword ptr [0040405Ch]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F57C8CE6576h
test eax, eax
je 00007F57C8CE5437h
push 00000002h
pop ecx
int 29h
mov dword ptr [00406200h], eax
mov dword ptr [004061FCh], ecx
mov dword ptr [004061F8h], edx
mov dword ptr [004061F4h], ebx
mov dword ptr [004061F0h], esi
mov dword ptr [004061ECh], edi
mov word ptr [00406218h], ss
mov word ptr [0040620Ch], cs
mov word ptr [004061E8h], ds
mov word ptr [004061E4h], es
mov word ptr [004061E0h], fs
mov word ptr [004061DCh], gs
pushfd
pop dword ptr [00406210h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00406204h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00406208h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00406214h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00406150h], 00010001h
mov eax, dword ptr [00406208h]
mov dword ptr [0000000Ch], eax

Rich Headers

Programming Language:

[ C ] VS2015 build 23026
[RES] VS2015 build 23026
[C++] VS2015 build 23026
[IMP] VS2008 SP1 build 30729
[LNK] VS2015 build 23026

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7000	0xdc	.c2r
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0xb64	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5600	0x3ec8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9000	0x4a4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x34f0	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4428	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x49ec	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2660	0x2800	False	0.58623046875	data	6.19207464918	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x132c	0x1400	False	0.4306640625	data	4.72924079546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x490	0x200	False	0.203125	data	1.83479054022	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.c2r	0x7000	0x104	0x200	False	0.2734375	data	1.56854059264	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0xb64	0xc00	False	0.267578125	data	3.26682082399	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9000	0x4a4	0x600	False	0.708333333333	data	5.7676499222	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x80a0	0x8b4	data	English	United States
RT_MANIFEST	0x8954	0x20e	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	English	United States

Imports

DLL	Import
AppVIsvSubsystems32.dll
ole32.dll	CoRevokeClassObject, CoRegisterClassObject, CoInitializeEx, CoUninitialize
KERNEL32.dll	LoadLibraryExA, VirtualQuery, GetSystemInfo, RaiseException, GetStartupInfoW, GetCommandLineW, GetLastError, FreeLibrary, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GlobalAlloc, GlobalReAlloc, GlobalLock, GlobalUnlock, GlobalFree, MultiByteToWideChar, WideCharToMultiByte, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, WerRegisterMemoryBlock, VirtualProtect, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, HeapSetInformation, GetProcessHeap, QueryPerformanceCounter, InitializeSListHead, IsProcessorFeaturePresent, IsDebuggerPresent
OLEAUT32.dll	SysStringLen, SysAllocString
VCRUNTIME140.dll	__CxxFrameHandler3, memset, __telemetry_main_return_trigger, _except_handler4_common, __std_exception_copy, __std_exception_destroy, __telemetry_main_invoke_trigger, _CxxThrowException, memmove
api-ms-win-crt-runtime-l1-1-0.dll	_controlfp_s, terminate, _crt_atexit, _register_thread_local_exe_atexit_callback, _register_onexit_function, _cexit, _initialize_onexit_table, _exit, exit, _initterm_e, _get_narrow_winmain_command_line, _initialize_narrow_environment, _configure_narrow_argv, _c_exit, _set_app_type, _seh_filter_exe, _initterm
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, malloc, free, _callnewh

Version Infos

Description	Data
InternalName	WordConv
FileVersion	16.0.6741.2048
CompanyName	Microsoft Corporation
LegalTrademarks1	Microsoft is a registered trademark of Microsoft Corporation.
LegalTrademarks2	Windows is a registered trademark of Microsoft Corporation.
ProductName	Microsoft Office 2016
SDClient	BB6543
ProductVersion	16.0.6741.2048
FileDescription	Word Converter
MOSEVersion	BETA
OriginalFilename	WordConv.exe
Translation	0x0000 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	22:31:15
Start date:	31/03/2022
Path:	C:\Users\user\Desktop\WordConv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WordConv.exe"
Imagebase:	0x9f0000
File size:	3042689 bytes
MD5 hash:	ECC2A36707204069A32D57FEE090E326
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WordConv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Statistics

System Behavior

Analysis Process: WordConv.exePID: 6884, Parent PID: 6736

General

Disassembly

Windows Analysis Report
WordConv.exe