Field | Value |
---|---|
File name | 0b09abda2b241b7a0e8a184ba7ee36ba1249d47f919c91d0c11542b1a0811e52.xlsx |
Full analysis | https://app.any.run/tasks/ce3b9f1f-463e-4469-917a-f4a67a81ce9d |
Verdict | Malicious activity |
Threats | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date | March 22, 2019, 05:32:48 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info | Microsoft Excel 2007+ |
MD5 | E76DB749A4AC374A8578EDFD83F4E9EA |
SHA1 | 882278EE4552BC69F39EEFA19A0D8D7514056C4E |
SHA256 | 0B09ABDA2B241B7A0E8A184BA7EE36BA1249D47F919C91D0C11542B1A0811E52 |
SSDEEP | 192:pUG/SrkDUqr+J0G/a1hVwcWAQ/m+8shk1crWoKW3ZTV/NgCUqN3UbijLhoapw:yYxwV/Ai/m+8ak1RoTZJ+CVZUujLhoa+ |
Extension | Detected type (score) |
---|---|
.xlsx | Excel Microsoft Office Open XML Format document (61.2) |
.zip | Open Packaging Conventions container (31.5) |
.zip | ZIP compressed archive (7.2) |
ZIP field | Value |
---|---|
ZipRequiredVersion | 20 |
ZipBitFlag | 0x0002 |
ZipCompression | Deflated |
ZipModifyDate | 2019:03:21 22:50:02 |
ZipCRC | 0x39057cd8 |
ZipCompressedSize | 413 |
ZipUncompressedSize | 1758 |
ZipFileName | [Content_Types].xml |
Document property | Value |
---|---|
KSOProductBuildVer | 2052-10.1.0.7023 |
Keywords | - |
LastModifiedBy | USER |
RevisionNumber | 1 |
LastPrinted | 2010:04:07 12:10:17Z |
CreateDate | 2008:05:20 03:39:22Z |
ModifyDate | 2019:03:12 11:19:38Z |
Category | - |
Template | - |
Pages | - |
Words | - |
Characters | - |
Application | Microsoft Excel |
DocSecurity | None |
PresentationFormat | - |
Lines | - |
Paragraphs | - |
Slides | - |
Notes | - |
HiddenSlides | - |
MMClips | - |
ScaleCrop | No |
HeadingPairs | |
TitlesOfParts | Sheet1 |
Manager | - |
Company | - |
LinksUpToDate | No |
CharactersWithSpaces | - |
SharedDoc | No |
HyperlinksChanged | No |
AppVersion | 15.03 |
Title | - |
Subject | - |
Creator | USER |
Description | - |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
720 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
1180 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
2072 | "C:\Users\admin\AppData\Roaming\4326rtyvubvsczsecxzfdvhjy.exe" | C:\Users\admin\AppData\Roaming\4326rtyvubvsczsecxzfdvhjy.exe | — | EQNEDT32.EXE | User: admin; Integrity Level: MEDIUM; Description: retries; Exit code: 0; Version: 1.0.0.0 |
3304 | "C:\Users\admin\AppData\Roaming\4326rtyvubvsczsecxzfdvhjy.exe" | C:\Users\admin\AppData\Roaming\4326rtyvubvsczsecxzfdvhjy.exe | — | 4326rtyvubvsczsecxzfdvhjy.exe | User: admin; Integrity Level: MEDIUM; Description: retries; Version: 1.0.0.0 |
1728 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpB40F.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | 4326rtyvubvsczsecxzfdvhjy.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5420 |
2200 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpE0BE.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | 4326rtyvubvsczsecxzfdvhjy.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5420 |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
720 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | write | d&6 | 64263600D0020000010000000000000000000000 |
720 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
720 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On |
720 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | write | MTTT | D0020000D47A17B870E0D40100000000 |
720 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete value | d&6 | 64263600D0020000010000000000000000000000 |
720 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete key | | |
720 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency | delete key | | |
720 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
720 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
720 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\F9226 | write | F9226 | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
720 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8A64.tmp.cvr | — | — | — |
1180 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\4326rtyvubvsczsecxzfdvhjy.exe | executable | 4C300232A274151C0AA4321A0D798BB5 | D36B44DC5F0D90F0B79B06F95BC903C16786804B16028FFFF1F620A975A28285 |
1180 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@dominiquerioux[1].txt | text | 71F8F0024241D32C9C4E09B44B304433 | 848E9099C2DFD2A4CF1F60C8C0CBC8D012FBEF53E505C95C171A6C0D5C2D8BFA |
1180 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\shipping[1].exe | executable | 4C300232A274151C0AA4321A0D798BB5 | D36B44DC5F0D90F0B79B06F95BC903C16786804B16028FFFF1F620A975A28285 |
3304 | 4326rtyvubvsczsecxzfdvhjy.exe | C:\Users\admin\AppData\Local\Temp\c4e681c3-f0d5-5260-1e84-0e7fc68922c3 | text | AD5E34466166F358C9DD29DC2A40B5E7 | 3B5D84802BBBDDB8152E8050EDC341A786A5F54A86B5526CA3C2B7BC1EC36675 |
2200 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpE0BE.tmp | text | 7FB9A9AD0FD9B1E0108ED71FBB276048 | 7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 |
1728 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpB40F.tmp | text | 3E1E093DCCE32C716267A28292E0EE27 | 56285445424AD06DC043154819B5BDABAA7C26F5779CA3E37E08424ED9926CB8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3304 | 4326rtyvubvsczsecxzfdvhjy.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 11 b | shared |
1180 | EQNEDT32.EXE | GET | 200 | 104.28.16.22:80 | http://dominiquerioux.com/old/wp-content/plugins/ubh/shipping.exe | US | executable | 907 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3304 | 4326rtyvubvsczsecxzfdvhjy.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
3304 | 4326rtyvubvsczsecxzfdvhjy.exe | 50.87.154.10:26 | mail.deltawaterways.in | Unified Layer | US | malicious |
1180 | EQNEDT32.EXE | 104.28.16.22:80 | dominiquerioux.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
dominiquerioux.com | | malicious |
bot.whatismyipaddress.com | | shared |
mail.deltawaterways.in | | malicious |
PID | Process | Class | Message |
---|---|---|---|
1180 | EQNEDT32.EXE | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
1180 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1180 | EQNEDT32.EXE | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3304 | 4326rtyvubvsczsecxzfdvhjy.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |
3304 | 4326rtyvubvsczsecxzfdvhjy.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3304 | 4326rtyvubvsczsecxzfdvhjy.exe | A Network Trojan was detected | MALWARE [PTsecurity] HawkEye Reborn8 Stealing Data via SMTP |