File name: DHL_Invoice_Shipping.doc
Full analysis: https://app.any.run/tasks/11f0b8bb-a20a-4275-84d6-c29bf8f6d9ac
Verdict: Malicious activity
Threats: loader

A loader is malware whose job is to get onto a device and deliver further payloads. Once running it profiles the host (system information) and installs other threats such as trojans or stealers; in this task the payload is the NetWire RAT. Loaders usually arrive through phishing emails and links, relying on social engineering to get the user to download and run the executable, and they use evasion and persistence techniques to stay undetected.

Analysis date: April 19, 2019, 12:31:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, opendir, loader, rat, netwire, trojan
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version (the sample carries a .doc extension but is RTF throughout, as TRiD below confirms; Word opens a file by its content, not its extension, and the ole-embedded tag is consistent with an OLE object carried inside the RTF)
MD5: 369A2DC3DA6BA652A7C30F61ABEA43CC
SHA1: CB2E8396875FA14B6246E401A10C79D3E6DC8908
SHA256: 522EB4B0179FCC99D8A1A48095751FA3AE05C78ED021133D8AD7436BA562678A
SSDEEP: 24576:se+wxme+wxme+wxzo9huHVo9cVe+wxme+wxme+wxzo9huHVo9cg:x
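The extension/content mismatch above (a .doc that is really RTF, with an embedded OLE object) is worth checking on the analyst's side before anything is detonated. The script below is an added example for this page, not ANY.RUN code: it sniffs the container by magic bytes, compares that with what the extension promises, flags RTF files that carry an \object group, and computes MD5/SHA1/SHA256 in the upper-case form the report lists. SAMPLE is a constructed stand-in for DHL_Invoice_Shipping.doc, so its hashes will not match the ones above.

```python
"""Extension-vs-content check and hash computation for a suspected maldoc.

Added example for this report, not ANY.RUN code.  SAMPLE below is a
constructed stand-in for DHL_Invoice_Shipping.doc, not the real sample, so
its hashes will not match the report's MD5/SHA1/SHA256.
"""
import hashlib
from pathlib import Path

# Leading bytes of the container formats Word will open regardless of the
# file's extension (Word sniffs content, so a .doc that is really RTF still opens).
MAGIC = {
    b"{\\rtf": "rtf",                              # Rich Text Format
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # OLE compound file: legacy .doc/.xls/.ppt
    b"PK\x03\x04": "zip",                          # OOXML .docx/.docm/.xlsx
}

# What each extension should contain; anything else is a disguise worth flagging.
EXPECTED = {"doc": "ole2", "dot": "ole2", "xls": "ole2",
            "rtf": "rtf", "docx": "zip", "docm": "zip", "dotm": "zip"}


def sniff(data: bytes) -> str:
    """Return the container type by magic bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 in the upper-case hex form the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest().upper()
            for alg in ("md5", "sha1", "sha256")}


def triage(name: str, data: bytes) -> dict:
    """Flag extension/content mismatches and embedded OLE objects in RTF."""
    ext = Path(name).suffix.lower().lstrip(".")
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    findings = []
    if expected is not None and kind != expected:
        findings.append(f"extension .{ext} but content is {kind}")
    # RTF wraps OLE objects in \object ... \objdata groups; this heuristic is
    # the file-level counterpart of the report's 'ole-embedded' tag.
    if kind == "rtf" and b"\\object" in data:
        findings.append("rtf carries an embedded OLE object (\\object)")
    return {"name": name, "extension": ext, "content": kind,
            "findings": findings, **hashes(data)}


# Constructed input: RTF header with an \object group, saved under a .doc name.
SAMPLE = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}"
          b"{\\object\\objemb{\\*\\objdata 0105000002000000}}"
          b"\\par Invoice attached.\\par}")

if __name__ == "__main__":
    result = triage("DHL_Invoice_Shipping.doc", SAMPLE)
    for key, value in result.items():
        print(f"{key:10} {value}")
```

The magic-byte table is deliberately short: the point is the mismatch between what the name promises and what the first bytes say, which is the same signal that produced the text/rtf MIME line above. Extend EXPECTED with whatever extensions your mail gateway accepts.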

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • OneDrive.exe (PID: 2820)
      • drive.exe (PID: 1856)
    • NETWIRE was detected

      • OneDrive.exe (PID: 2820)
    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 1664)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 1664)
    • Writes to a start menu file

      • drive.exe (PID: 1856)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 1664)
    • Downloads executable files from IP

      • WINWORD.EXE (PID: 1664)
    • Connects to CnC server

      • OneDrive.exe (PID: 2820)
  • SUSPICIOUS

    • Starts itself from another location

      • drive.exe (PID: 1856)
    • Creates files in the user directory

      • drive.exe (PID: 1856)
    • Executable content was dropped or overwritten

      • drive.exe (PID: 1856)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1664)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1664)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration was extracted.

TRiD: .rtf | Rich Text Format (100)
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

WINWORD.EXE (PID 1664) -- drop and start --> drive.exe (PID 1856) -- drop and start --> OneDrive.exe (PID 2820) #NETWIRE

Process information

PID 1664
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DHL_Invoice_Shipping.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Word
  Exit code: 0
  Version: 14.0.6024.1000

PID 1856
  Command line: "C:\Users\admin\AppData\Roaming\drive.exe"
  Path: C:\Users\admin\AppData\Roaming\drive.exe
  Parent process: WINWORD.EXE
  User: admin
  Company: Neat Decisions
  Integrity level: MEDIUM
  Description: NeatMouse - neat mouse emulator
  Exit code: 0
  Version: 1.5.0.1

PID 2820
  Command line: "C:\Users\admin\AppData\Roaming\drive.exe"
  Path: C:\Users\admin\AppData\Roaming\OneDrive.exe
  Parent process: drive.exe
  User: admin
  Company: Neat Decisions
  Integrity level: MEDIUM
  Description: NeatMouse - neat mouse emulator
  Exit code: not recorded
  Version: 1.5.0.1

Two details in this table matter more than the NeatMouse name. First, the command line of PID 2820 still names drive.exe while the image on disk is OneDrive.exe: the downloaded file was copied under a Microsoft-looking name in AppData\Roaming and relaunched from there, which is what the "Starts itself from another location" and "Application was dropped or rewritten from another process" indicators above describe. Second, both dropped binaries report the version resource of the NeatMouse utility ("Neat Decisions", 1.5.0.1) rather than anything DHL-related; version information is attacker-controlled and must not be treated as provenance.
Total events: 1,102
Read events: 1,059
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 3
Suspicious files: 1
Text files: 0
Unknown types: 3

Dropped files

PID 1664, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVR6FFB.tmp.cvr (type and hashes not shown)
PID 1664, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D4CC4AAD.png (type and hashes not shown)
PID 1664, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F05B8CA.png (type and hashes not shown)
PID 1664, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B77EB44C-ED10-48EC-9516-5A79BCD6C085}.tmp (type and hashes not shown)
PID 1664, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{070FC94A-289A-424D-BEBD-77DDE72FDFEF}.tmp (type and hashes not shown)
PID 1664, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{891A174F-6621-4F3C-AB00-491F236EA7C2}.tmp (type and hashes not shown)
PID 1664, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3DF3236C-1FD8-4436-96CF-C707FFB60AC8}.tmp (type and hashes not shown)
PID 1664, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\~$L_Invoice_Shipping.doc, type: pgc
  MD5: A233EFAD84065EB7FB687C3D200A626D
  SHA256: 29A3702933B50CAA55A59DEE81D3FE626C2C0900B6289EB114416356A6445F63
PID 1664, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm, type: pgc
  MD5: BAEC04A54AC968DB29FEE2F2ABDA0EA1
  SHA256: 230C0E0381E2EA1B4CED9700B32635C2548CB4B0CE50C1D60F5BF49BA8E63985
PID 1856, drive.exe: C:\Users\admin\AppData\Roaming\OneDrive.exe, type: executable
  MD5: 727C5BFAFB58E675457B1136B4BB0A1C
  SHA256: 0C66CAA1548DC63E85135F44FD3FF7F44C6B00AF27554C01918D230BFF9EC542
Download the PCAP, analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID 1664, WINWORD.EXE: GET http://188.209.52.180/drive.exe -> HTTP 200 from 188.209.52.180:80 (CN: NL); type: executable; size: 5.19 Mb; reputation: suspicious

Connections

PID 2820, OneDrive.exe: 185.165.153.54:39560, domain wealthgrace.ddns.me, ASN not shown, CN: NL, reputation: malicious
PID 1664, WINWORD.EXE: 188.209.52.180:80, no domain (dotted-quad host), ASN Dotsi, Unipessoal Lda., CN: NL, reputation: suspicious

DNS requests

wealthgrace.ddns.me -> 185.165.153.54 (reputation: malicious)

Threats

PID   Process       Class                                  Message
1664  WINWORD.EXE   A Network Trojan was detected          ET INFO Executable Download from dotted-quad Host
1664  WINWORD.EXE   A Network Trojan was detected          ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
1664  WINWORD.EXE   Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
1664  WINWORD.EXE   A Network Trojan was detected          ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
1664  WINWORD.EXE   Potentially Bad Traffic                ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2820  OneDrive.exe  A Network Trojan was detected          MALWARE [PTsecurity] Netwire.RAT (2 alerts)
2820  OneDrive.exe  A Network Trojan was detected          ET TROJAN Possible Netwire RAT Client HeartBeat C2 (3 alerts)
1 ETPRO signature is available in the full report.
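The process chain (WINWORD.EXE spawning drive.exe from AppData\Roaming, then OneDrive.exe launched with drive.exe's command line) and the executable Word fetched from a dotted-quad host are three behaviours an endpoint or network rule can catch without knowing anything about the NetWire payload. The script below is an added example, not ANY.RUN's signature engine or the ET rules quoted above; its EVENTS list is constructed from the PIDs, image paths, command lines, URL and MZ response shown in this report, with the PID of explorer.exe (the parent of WINWORD.EXE) assumed.

```python
"""Host- and network-level rules that would catch the chain in this report.

Added example, not ANY.RUN's own signature logic.  EVENTS is a constructed
event stream built from the fields the report shows (PIDs, image paths,
command lines, the HTTP request and its MZ response); it is not a parsed
ANY.RUN export, and the parent PID of WINWORD.EXE (explorer.exe) is assumed.
"""
import ipaddress
import re
from urllib.parse import urlparse

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# User-writable profile locations where a downloaded payload typically lands.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

EVENTS = [
    {"type": "process", "pid": 1664, "ppid": 1000,   # 1000 assumed for explorer.exe
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
                r'"C:\Users\admin\AppData\Local\Temp\DHL_Invoice_Shipping.doc"'},
    {"type": "http", "pid": 1664, "method": "GET", "status": 200,
     "url": "http://188.209.52.180/drive.exe", "body_prefix": b"MZ\x90\x00"},
    {"type": "process", "pid": 1856, "ppid": 1664,
     "image": r"C:\Users\admin\AppData\Roaming\drive.exe",
     "cmdline": r'"C:\Users\admin\AppData\Roaming\drive.exe"'},
    {"type": "process", "pid": 2820, "ppid": 1856,
     "image": r"C:\Users\admin\AppData\Roaming\OneDrive.exe",
     "cmdline": r'"C:\Users\admin\AppData\Roaming\drive.exe"'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def is_raw_ip(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(events: list) -> list:
    """Return (pid, rule) hits for the three behaviours this report flags."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # "Unusual execution from Microsoft Office": an Office process
            # spawning an executable that lives in the user's profile.
            if (parent and basename(parent["image"]) in OFFICE
                    and USER_WRITABLE.search(e["image"])):
                hits.append((e["pid"], "office-spawns-exe-from-profile"))
            # "Starts itself from another location": the command line names one
            # path while the mapped image is another (drive.exe vs OneDrive.exe).
            if cmdline_image(e["cmdline"]).lower() != e["image"].lower():
                hits.append((e["pid"], "cmdline-image-mismatch"))
        elif e["type"] == "http":
            # "Downloads executable files from IP": a PE body (MZ) fetched from a
            # dotted-quad host, worse when the requester is an Office process.
            host = urlparse(e["url"]).hostname or ""
            if is_raw_ip(host) and e["body_prefix"].startswith(b"MZ"):
                rule = "pe-from-dotted-quad"
                requester = procs.get(e["pid"])
                if requester and basename(requester["image"]) in OFFICE:
                    rule += "-by-office"
                hits.append((e["pid"], rule))
    return hits


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"PID {pid}: {rule}")
```

None of the three rules depends on the NeatMouse version resource, the OneDrive file name or the NetWire C2 domain, all of which the operator can change between campaigns; they key on the parent/child relationship, the image/command-line disagreement and the raw-IP PE download, which are the parts of this report that generalize.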
No debug info