URL Details

URL
http://luceidclfbuq.com/

Score

This url shows some signs of potential malicious behavior.

The score of this url is 1.4 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category  Started                   Completed                 Duration     Logs
URL       March 6, 2019, 5:52 a.m.  March 6, 2019, 5:58 a.m.  315 seconds

Machine

Name     Label    Started On           Shutdown On
win7x64  win7x64  2019-03-06 05:52:54  2019-03-06 05:58:09

Analyzer Log

2019-03-05 21:52:51,030 [analyzer] DEBUG: Starting analyzer from: C:\jxemqoxdo
2019-03-05 21:52:51,265 [analyzer] DEBUG: Pipe server name: \\.\PIPE\QPVKIlzKaHqIchFzMtNQiLeZjplhaYS
2019-03-05 21:52:51,265 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\dbMpuTXcrxWEfbmtgavNuUoXn
2019-03-05 21:52:53,901 [analyzer] DEBUG: Started auxiliary module Disguise
2019-03-05 21:52:54,463 [analyzer] DEBUG: Loaded monitor into process with pid 508
2019-03-05 21:52:54,477 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-03-05 21:52:54,477 [analyzer] DEBUG: Started auxiliary module Human
2019-03-05 21:52:54,477 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-03-05 21:52:54,477 [analyzer] DEBUG: Started auxiliary module Reboot
2019-03-05 21:52:55,632 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-03-05 21:52:55,632 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-03-05 21:52:55,632 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2019-03-05 21:52:56,444 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Microsoft Office\\Office12\\WINWORD.EXE' with arguments ['http://luceidclfbuq.com/'] and pid 2308
2019-03-05 21:52:58,736 [analyzer] DEBUG: Loaded monitor into process with pid 2308
2019-03-05 21:53:05,913 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Temp\74038.od
2019-03-05 21:53:10,483 [analyzer] INFO: Added new file to list with pid 2308 and path C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
2019-03-05 21:53:12,605 [analyzer] DEBUG: Ignoring Office process C:\Windows\splwow64.exe 12288!
2019-03-05 21:53:18,986 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Roaming\Microsoft\Office\MSO1033.acl
2019-03-05 21:53:39,109 [analyzer] INFO: Added new file to list with pid 2308 and path \Device\NamedPipe\DAV RPC SERVICE
2019-03-05 21:54:07,329 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
2019-03-05 21:54:07,392 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
2019-03-05 21:54:07,595 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9219AFF3.gif
2019-03-05 21:54:07,657 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D623C158.gif
2019-03-05 21:54:07,704 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{25F8DF08-5446-4A79-BBCD-4170DE03A971}.tmp
2019-03-05 21:54:07,798 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A66D8717-31B3-4748-B1F6-E7D47E0BEA92}.tmp
2019-03-05 21:54:07,798 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\71E179.gif
2019-03-05 21:54:07,861 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{53529CBB-834C-42F7-9868-6CBC23914971}.tmp
2019-03-05 21:54:07,923 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6A6FA926.gif
2019-03-05 21:54:07,986 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\69C6BAEF.gif
2019-03-05 21:54:08,078 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CEE9B824.jpeg
2019-03-05 21:54:08,125 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso14B9.tmp
2019-03-05 21:54:08,125 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso14C9.tmp
2019-03-05 21:54:09,000 [analyzer] INFO: Added new file to list with pid 2308 and path C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
2019-03-05 21:56:58,836 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-03-05 21:57:51,658 [lib.common.results] ERROR: Exception uploading file c:\users\zamen\appdata\local\temp\tmpsm6x5z to host: [Errno 9] Bad file descriptor
2019-03-05 21:57:51,674 [lib.api.process] INFO: Memory dump of process with pid 2308 completed
2019-03-05 21:57:51,690 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-03-05 21:57:51,690 [lib.api.process] INFO: Successfully terminated process with pid 2308.
2019-03-05 21:57:51,752 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\mso14b9.tmp'" does not exist, skip.
2019-03-05 21:57:51,783 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\9219aff3.gif'" does not exist, skip.
2019-03-05 21:57:51,783 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\71e179.gif'" does not exist, skip.
2019-03-05 21:57:51,783 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\69c6baef.gif'" does not exist, skip.
2019-03-05 21:57:51,815 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\dav rpc service'" does not exist, skip.
2019-03-05 21:57:51,815 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\6a6fa926.gif'" does not exist, skip.
2019-03-05 21:57:51,815 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\d623c158.gif'" does not exist, skip.
2019-03-05 21:57:51,877 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\cee9b824.jpeg'" does not exist, skip.
2019-03-05 21:57:51,940 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\mso14c9.tmp'" does not exist, skip.
2019-03-05 21:57:51,986 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-03-06 05:52:54,385 [lib.cuckoo.core.scheduler] INFO: Task #1369: acquired machine win7x64 (label=win7x64)
2019-03-06 05:52:54,419 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 1797 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/1369/dump.pcap)
2019-03-06 05:53:06,786 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2019-03-06 05:58:05,591 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2019-03-06 05:58:06,351 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2019-03-06 05:58:16,272 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-03-06 05:58:24,018 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f6b84d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 05:58:24,019 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2019-03-06 05:58:24,020 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2019-03-06 05:58:24,020 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2019-03-06 05:58:24,021 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f6b89d0>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f6b89d0>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)
cve CVE-2013-3906
Generates some ICMP traffic

Screenshots

No screenshots available.

Network

DNS

Name Response Post-Analysis Lookup
luceidclfbuq.com
javadl-esd-secure.oracle.com 23.14.119.135

Hosts

No hosts contacted.

Summary

Process WINWORD.EXE (2308)

  • Opened files

    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\History.IE5\
    • C:\Windows\AppPatch\sysmain.sdb
    • C:\
    • C:\Windows\SysWOW64\wininet.dll
    • C:\Users\zamen\AppData\Roaming\Microsoft\
    • C:\Program Files (x86)\Microsoft Office\Office12\WWLIB.DLL
    • C:\Program Files (x86)\Microsoft Office\Office12\Document Parts\1033\Building Blocks.dotx
    • \??\FDC#GENERIC_FLOPPY_DRIVE#6&3b4c39bd&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    • \device\webdavredirector
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Word\STARTUP\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Network\Connections\Pbk\
    • C:\Users\zamen\Desktop\desktop.ini
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9219AFF3.gif
    • \\?\PIPE\DAV RPC SERVICE
    • C:\Users\zamen\AppData\Local\Temp\CVR1FDE.tmp
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\1033\MSO.ACL
    • C:\Program Files (x86)\Microsoft Office\Office12\Document Parts\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
    • C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
    • C:\Users\zamen\AppData\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Proof\
    • C:\Users\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
    • C:\ProgramData\Microsoft\OFFICE\DATA\OPA12.BAK
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\71E179.gif
    • C:\Program Files (x86)\Microsoft Office\Office12\
    • C:\Program Files (x86)\Microsoft Office\Office12\MSPUB.EXE
    • C:\Users\zamen\AppData\Roaming
    • C:\Windows\SysWOW64\shell32.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
    • C:\Windows\WindowsShell.Manifest
    • C:\Users
    • C:\Windows\SysWOW64\en-US\urlmon.dll.mui
    • C:\Users\zamen
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6A6FA926.gif
    • C:\Windows\System32\cryptui.dll
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks
    • C:\Users\zamen\AppData\Roaming\
    • C:\Program Files (x86)\Microsoft Office\Office12\STARTUP\
    • C:\Users\desktop.ini
    • C:\Program Files (x86)\
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\
    • C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
    • C:\ProgramData\Microsoft\OFFICE\DATA\
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSO.DLL
    • C:\Program Files (x86)\Microsoft Office\Office12\ID_00030.DPC
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\69C6BAEF.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D623C158.gif
    • C:\Windows\System32\davhlpr.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\Document Parts\1033\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    • C:\Users\zamen\AppData
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\
    • C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
    • C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    • C:\Users\zamen\AppData\Local\Microsoft\Office\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Templates\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    • C:\Program Files (x86)\Microsoft Office\Office12\MSOHEV.DLL
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CEE9B824.jpeg
    • C:\Windows\Globalization\Sorting\sortdefault.nls
    • C:\Program Files (x86)\Microsoft Office\Office12\WORD.PIP
    • C:\Program Files (x86)\Common Files\Microsoft Shared\
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
    • C:\Windows\Fonts\staticcache.dat
    • C:\Program Files (x86)\Microsoft Office\Office12\OART.DLL
    • C:\Program Files (x86)\Microsoft Office\Office12\msproof6.dll
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\RICHED20.DLL
    • C:\Windows\System32\rsaenh.dll
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Cultures\OFFICE.ODF
    • C:\Users\zamen\AppData\Roaming\Microsoft
    • C:\Users\zamen\
    • C:\Windows\System32\ras\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO
  • Written files

    • C:\Users\zamen\AppData\Local\Temp\74038.od
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso14B9.tmp
    • C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{53529CBB-834C-42F7-9868-6CBC23914971}.tmp
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9219AFF3.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\71E179.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\69C6BAEF.gif
    • \\?\PIPE\DAV RPC SERVICE
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{25F8DF08-5446-4A79-BBCD-4170DE03A971}.tmp
    • C:\Users\zamen\AppData\Roaming\Microsoft\Office\MSO1033.acl
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6A6FA926.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D623C158.gif
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
    • C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A66D8717-31B3-4748-B1F6-E7D47E0BEA92}.tmp
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso14C9.tmp
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CEE9B824.jpeg

Process WINWORD.EXE (2308)

  • DLLs Loaded

    • netutils.dll
    • API-MS-Win-Security-LSALookup-L1-1-0.dll
    • DNSAPI.dll
    • UxTheme.dll
    • C:\Windows\system32\ole32.dll
    • dwmapi.dll
    • C:\Windows\system32\uxtheme.dll
    • MPR.DLL
    • API-MS-WIN-Service-Management-L2-1-0.dll
    • wwlib.dll
    • SspiCli.dll
    • ole32.dll
    • SHLWAPI.dll
    • USER32.dll
    • RASMAN.DLL
    • VERSION.DLL
    • WININET.DLL
    • C:\Program Files (x86)\Common Files\Microsoft Shared\office12\riched20.dll
    • WTSAPI32.DLL
    • C:\Windows\System32\mswsock.dll
    • SHELL32.dll
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
    • C:\Windows\System32\wship6.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\MSOHEV.DLL
    • HLINK.DLL
    • C:\Windows\SysWOW64\KERNEL32.DLL
    • rpcrt4.dll
    • C:\Windows\System32\wshtcpip.dll
    • IMM32.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\1033\wwintl.dll
    • C:\Windows\System32\drprov.dll
    • urlmon.dll
    • C:\Program Files (x86)\Common Files\Microsoft Shared\office12\1033\MSOINTL.DLL
    • WINSTA.dll
    • kernel32.dll
    • CRYPTBASE.dll
    • Netapi32.DLL
    • C:\Windows\system32\napinsp.dll
    • C:\Windows\system32\apphelp.dll
    • shlwapi.dll
    • URLMON.DLL
    • UxTheme.DLL
    • Comctl32.dll
    • C:\Windows\System32\fwpuclnt.dll
    • rtutils.dll
    • IPHLPAPI.DLL
    • RASAPI32.dll
    • winspool.drv
    • profapi.dll
    • comctl32.dll
    • SETUPAPI.dll
    • C:\Windows\system32\kernel32.dll
    • VERSION.dll
    • RpcRtRemote.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\msproof6.dll
    • Winspool.DRV
    • C:\Program Files (x86)\Common Files\Microsoft Shared\office12\mso.dll
    • C:\Windows\system32\rsaenh.dll
    • Shlwapi.DLL
    • iphlpapi
    • C:\Windows\SysWOW64\ADVAPI32.DLL
    • CRYPTSP.dll
    • API-MS-WIN-Service-winsvc-L1-1-0.dll
    • sensapi.dll
    • C:\Windows\system32\normaliz.dll
    • C:\Windows\system32\NLAapi.dll
    • mso.dll
    • ADVAPI32.dll
    • C:\Windows\System32\davclnt.dll
    • WS2_32.dll
    • gdi32.DLL
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
    • imm32.dll
    • ntmarta.dll
    • C:\Windows\system32\mscoree.dll
    • API-MS-WIN-Service-Management-L1-1-0.dll
    • rasadhlp.dll
    • C:\Windows\System32\ntlanman.dll
    • dnsapi
    • OLEAUT32.DLL
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSORES.DLL
    • DwmApi.DLL
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • C:\Windows\system32\pnrpnsp.dll
    • MSO.dll
    • version.dll
    • wininet.dll
    • Kernel32.DLL
    • OLEAUT32.dll
    • RPCRT4.dll
    • SHLWAPI.DLL
    • C:\Windows\System32\winrnr.dll
    • cryptui.dll
    • ws2_32
    • C:\Windows\system32\mswsock.dll
    • SHELL32.DLL
    • Shlwapi.dll
    • Normaliz.dll
No static analysis available.
No antivirus signatures available.

Process Tree


WINWORD.EXE, PID: 2308, Parent PID: 2284


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

TCP

Source           Source Port  Destination      Destination Port
192.168.128.109  49161        192.168.128.112  139
192.168.128.109  49162        192.168.128.112  139

UDP

Source           Source Port  Destination      Destination Port
192.168.128.109  50522        192.168.128.111  53
192.168.128.109  60037        192.168.128.111  53
192.168.128.109  60112        192.168.128.111  53
192.168.128.109  65476        192.168.128.111  53
192.168.128.109  137          192.168.128.255  137
192.168.128.109  138          192.168.128.255  138
192.168.128.109  50839        224.0.0.252      5355
192.168.128.109  52096        224.0.0.252      5355
192.168.128.109  53446        224.0.0.252      5355
192.168.128.112  137          192.168.128.109  137
192.168.128.112  5355         192.168.128.109  50839
192.168.128.112  5355         192.168.128.109  53446

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

Source           Destination      ICMP Type  Data
192.168.128.109  192.168.128.112  3

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 4bb7acdcc7a632ac_~$ilding blocks.dotx
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
Size 162.0B
Processes 2308 (WINWORD.EXE)
Type data
MD5 e1511f37b2a7a9a9a98ab011c59ed8b9
SHA1 6dbccbe61dd629681942c60b5342010663e2c0ff
SHA256 4bb7acdcc7a632acb1246e5b5e6df55673dc3b14875364cb45172672b218ff81
CRC32 2BCAB543
ssdeep 3:fBplxl/Zlxl/vHlBgXl:fJ3HlBgX
Yara None matched
Name e7416309217bc7af_~wrs{25f8df08-5446-4a79-bbcd-4170de03a971}.tmp
Filepath C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{25F8DF08-5446-4A79-BBCD-4170DE03A971}.tmp
Size 158.0KB
Processes 2308 (WINWORD.EXE)
Type data
MD5 f5c245830d816de96834d3607576a10f
SHA1 7bf1a64b59b70a03c86d36898a741abbc1b9ea0e
SHA256 e7416309217bc7af97ab7c299d666129d544398c943dc36f1aee7e760d410239
CRC32 54D2945B
ssdeep 1536:nGEQkLrSkxdJVnU/J/XVdQa9TFBv84N0bW:nWkdyT8g
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
Name 6e9bd1e5638d48c1_building blocks.dotx
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
Size 314.8KB
Processes 2308 (WINWORD.EXE)
Type Microsoft Word 2007+
MD5 89e2626a866bc9a18da185e35228a404
SHA1 4bc5718e114fa9cd2d60af37ba3d58d382ed18da
SHA256 6e9bd1e5638d48c1219c2312b67f2134ff404ab9f9644431df9b3b33ec33de66
CRC32 9DF23CE3
ssdeep 6144:nxl82xfVaZUt2Km7Jh+u0O7Ss5SuSfNaEf1e/PR5Oa52G0jlE0:n78+VamMKicBO7SaSuSx85Oa5CR
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers1 - Looks for big numbers 32:sized
Name f39b28973c9a2cb5_~wrs{53529cbb-834c-42f7-9868-6cbc23914971}.tmp
Filepath C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{53529CBB-834C-42F7-9868-6CBC23914971}.tmp
Size 1.0KB
Processes 2308 (WINWORD.EXE)
Type data
MD5 56a2252c2105483711f139e3a5a2581f
SHA1 c2a33886128dda42f029e56db7a4e71ffde29f66
SHA256 f39b28973c9a2cb5d2a77f72d456663ad3de83a2df6f83af823dd24d14d8b3ce
CRC32 237E28EE
ssdeep 24:GNwSNNNwwwwwvwwwwwwwwwwwwwwwNNwwNouE6HPqW:GNwSNNNwwwwwvwwwwwwwwwwwwwwwNNwe
Yara None matched
Name a2234014ce405e8e_~wrs{a66d8717-31b3-4748-b1f6-e7d47e0bea92}.tmp
Filepath C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A66D8717-31B3-4748-B1F6-E7D47E0BEA92}.tmp
Size 1.5KB
Processes 2308 (WINWORD.EXE)
Type data
MD5 3fc73377d2603734a54aa99cf25eec0c
SHA1 75b06bf60252441e8587118498573f82c70a3cf2
SHA256 a2234014ce405e8e8fe20e448d4134cc9cf330627dcffd61bec1a835f9f93a43
CRC32 7DEFD8FF
ssdeep 3:Nzyxwnml0baZ4PON8DCBPl7l2xllVlzlpDll3/J/jvfllZtLQXZlhlhlhlZ/Z/nO:NmWmG2GW2GJxl2oXlgdRpj4y
Yara None matched
Name b3d510ef04275ca8_custom.dic
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Size 2.0B
Processes 2308 (WINWORD.EXE)
Type Little-endian UTF-16 Unicode text, with no line terminators
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
CRC32 88F83096
ssdeep 3:Qn:Qn
Yara None matched
Name bedde6a60ca8a1c3_74038.od
Filepath C:\Users\zamen\AppData\Local\Temp\74038.od
Size 134.0B
Processes 2308 (WINWORD.EXE)
Type ASCII text, with CRLF line terminators
MD5 ae10890ff647a043c672176bb0abed5d
SHA1 3199f10c70e4cc075a1e879892ec16b72fef081c
SHA256 bedde6a60ca8a1c30bee28ff8e5f43d9da4473421b01389d4343cb136718f865
CRC32 9F11013A
ssdeep 3:OFrpRCMKLovyafNREalYEBicIEcK99wWbHIdd/hX3XBk2:OKMKcaaYal1b/9FHGBF
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers0 - Looks for big numbers 20:sized
Name 34364e27b46a7410_mso1033.acl
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\Office\MSO1033.acl
Size 36.9KB
Processes 2308 (WINWORD.EXE)
Type data
MD5 07bcb121db210f5cb7c24c2335f26265
SHA1 dd74c5d5fa7248a8bbcffb3761e93920c40b5c63
SHA256 34364e27b46a7410834dba6c2f3c97f6104cf4474a64fab8dedee0defa22bfea
CRC32 68326484
ssdeep 768:RatNbFeZKdogeyHMOeYhYVi+iOFOwbPXdEma1b:s/eLAhYVzbw
Yara None matched
Name 3d5bc0c3c759609b_opa12.dat
Filepath C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
Size 8.0KB
Processes 2308 (WINWORD.EXE)
Type data
MD5 0e7e24ed21bd5da96b0d882d5a043ad4
SHA1 543bba04369e50dfb74d27d24e1069810a5707ea
SHA256 3d5bc0c3c759609b3637e8efb7508600ec8a175e601779916097537c80092f2d
CRC32 E4BF56FA
ssdeep 192:12xaaUyse71abxl0fatpNnxa/2WvVJBZHp5isu/dY/tBNLqu5Xw2a:12x3slgatpNnxZGplu1Yte2ba
Yara None matched
Sorry! No dropped buffers.
Task ID 1369
Mongo ID 5c7fa7d311d30812ab7205d3
Cuckoo release 2.0-dev