File name: | Hazel-invoice.doc |
Full analysis: | https://app.any.run/tasks/e2f6268b-0669-48f6-997c-9539e710aa91 |
Verdict: | Malicious activity |
Threats: | Dridex is a very evasive and technically complex banking trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous. |
Analysis date: | July 17, 2019, 17:15:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 4C0908BCBC60802B07FB62217312FE4E |
SHA1: | E62E4CA507724A28F563DF8C027053D2ED2621FE |
SHA256: | 2D1BFF7952F2C570CC768674D38DD271654FF6816EB1F7511170D96D553E336F |
SSDEEP: | 1536:l0CyY2/xgTYYSEVC5mlagcO1LhC3ODy1lVOoeRA5wY:2CUxsZvC5mlagcyC3v1lVOo7GY |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3640 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Hazel-invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3284 | wmic os get /format:"C:\\Windows\\Temp\\aXwZvnt48.xsl" | C:\Windows\System32\Wbem\wmic.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147614729 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3632 | "C:\Windows\Temp\awMiOFl.exe" | C:\Windows\Temp\awMiOFl.exe | wmic.exe | |
User: admin Company: Adobe Systems, Incorporated Integrity Level: MEDIUM Description: AWSCommonSymbols Version: 3.0.0.278 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRCF65.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF85825A1029F935C8.TMP | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF372AA49363CF7C16.TMP | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFE0ACF1140546438F.TMP | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF20DC3F6C24ADA62D.TMP | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF83C09795D2D42704.TMP | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF33C7B17F170D2329.TMP | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\71F06213.png | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF8A254196534965EC.TMP | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFE797C16BABF3D250.TMP | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3284 | wmic.exe | GET | 200 | 23.229.224.0:80 | http://stingersrestaurant.com/wp-admin/js/firefox.bin | US | executable | 138 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3284 | wmic.exe | 23.229.224.0:80 | stingersrestaurant.com | GoDaddy.com, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
stingersrestaurant.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3284 | wmic.exe | A Network Trojan was detected | ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin |
3284 | wmic.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3284 | wmic.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
Process | Message |
---|---|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|