analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

TT_180000 WIRE TRANSFER8JNBLGGH5FV99_0_0010.doc

Full analysis: https://app.any.run/tasks/4731c677-7a79-4c81-a999-b42e690fbcf7
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Malware Trends Tracker     >>>
Analysis date: June 19, 2019, 04:25:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
loader
exploit
CVE-2017-11882
trojan
rat
remcos
keylogger
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

752B042E0E1AEFAD3F60CD9A957C2ED5

SHA1:

833DAEAEFBF19B84266FD42F33061B096F1AE237

SHA256:

59D9F25B236A9256623FF95C2236FE9E40979B6E85E4C0BA7436DCC61C895067

SSDEEP:

96:n7B6vxNFLpbyRVtgqH9krd5XFbDxn5yy4+kRrGKix3E8BGag6:N6xNFlb+jxqRln5pLgMVpBe6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2292)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 2292)

    • Application was dropped or rewritten from another process

      • naonsultane.exe (PID: 2336)
      • naonsultane.exe (PID: 280)
      • hpsupport.exe (PID: 2844)
      • hpsupport.exe (PID: 2024)

    • Changes the autorun value in the registry

      • naonsultane.exe (PID: 280)
      • hpsupport.exe (PID: 2024)

    • Connects to CnC server

      • hpsupport.exe (PID: 2024)

    • Detected logs from REMCOS RAT

      • hpsupport.exe (PID: 2024)

    • REMCOS was detected

      • hpsupport.exe (PID: 2024)

  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2292)
      • naonsultane.exe (PID: 280)
      • hpsupport.exe (PID: 2024)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2292)
      • naonsultane.exe (PID: 280)

    • Executed via COM

      • EQNEDT32.EXE (PID: 2292)

    • Application launched itself

      • naonsultane.exe (PID: 2336)
      • hpsupport.exe (PID: 2844)

    • Executes scripts

      • naonsultane.exe (PID: 280)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2548)

    • Writes files like Keylogger logs

      • hpsupport.exe (PID: 2024)

  • INFO

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2264)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2264)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
8
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe naonsultane.exe no specs naonsultane.exe wscript.exe no specs cmd.exe no specs hpsupport.exe no specs #REMCOS hpsupport.exe

Process information

PID
CMD
Path
Indicators
Parent process
2264"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\TT_180000 WIRE TRANSFER8JNBLGGH5FV99_0_0010.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
2292"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2336"C:\Users\admin\AppData\Roaming\naonsultane.exe"C:\Users\admin\AppData\Roaming\naonsultane.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Binjhawari8
Exit code:
0
Version:
1.07.0009
280C:\Users\admin\AppData\Roaming\naonsultane.exe"C:\Users\admin\AppData\Roaming\naonsultane.exe
naonsultane.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Binjhawari8
Exit code:
0
Version:
1.07.0009
2548"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs" C:\Windows\SysWOW64\WScript.exenaonsultane.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3052"C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe"C:\Windows\SysWOW64\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2844C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exeC:\Users\admin\AppData\Roaming\hpsupport\hpsupport.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Binjhawari8
Exit code:
0
Version:
1.07.0009
2024:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exeC:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe
hpsupport.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Binjhawari8
Version:
1.07.0009
Total events
923
Read events
818
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
3
Unknown types
3

Dropped files

PID
Process
Filename
Type
2264WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5291.tmp.cvr
MD5:
SHA256:
2264WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E7A7A3C4-97B4-4776-B4D7-DD7E49EB823F}.tmp
MD5:
SHA256:
2264WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1AE8E3B9-4848-43C6-B5C9-961F093538ED}.tmp
MD5:
SHA256:
2264WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D8BE822-95B4-42F4-B4B5-CD63AB21AA00}.tmp
MD5:
SHA256:
2292EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\a[1].exeexecutable
MD5:2E860E4197F93BE2A6F3C60646E7AE5A
SHA256:E3ECBB93F6690350F23865302F51F1C4CC9237E36C254905DAE42E1264813515
2292EQNEDT32.EXEC:\Users\admin\AppData\Roaming\naonsultane.exeexecutable
MD5:2E860E4197F93BE2A6F3C60646E7AE5A
SHA256:E3ECBB93F6690350F23865302F51F1C4CC9237E36C254905DAE42E1264813515
2264WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\TT_180000 WIRE TRANSFER8JNBLGGH5FV99_0_0010.LNKlnk
MD5:0B6F08BE736DAAEE005A16539D759A50
SHA256:D8AC7854B46A96B4A4ADADD63F6376953F02E2CCCE8C46C2ED134803B7979849
280naonsultane.exeC:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exeexecutable
MD5:2E860E4197F93BE2A6F3C60646E7AE5A
SHA256:E3ECBB93F6690350F23865302F51F1C4CC9237E36C254905DAE42E1264813515
2024hpsupport.exeC:\Users\admin\AppData\Roaming\hpsupport\logs.dattext
MD5:EB2BB624C352E6305C36BC0C8B80DA8C
SHA256:2F3473C44003AD4BD9DAD159E98594B261D904ABF1982D416220A40A1EAC2A17
2264WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:32961079F760BF92D37F32E87ADE710F
SHA256:9B8EA81C4C0B5F40C49439C2C61C55F1F5BBEE77A89DF5489E2F14013A0FD33E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2292
EQNEDT32.EXE
GET
200
136.243.69.18:443
https://www.arshadconsultancy.com/a/a.exe
DE
executable
492 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2292
EQNEDT32.EXE
136.243.69.18:443
www.arshadconsultancy.com
Hetzner Online GmbH
DE
unknown
2024
hpsupport.exe
185.247.228.250:5001
cemileorucs.ddns.net
malicious

DNS requests

Domain
IP
Reputation
www.arshadconsultancy.com
  • 136.243.69.18
unknown
cemileorucs.ddns.net
  • 185.247.228.250
malicious

Threats

PID
Process
Class
Message
2024
hpsupport.exe
A Network Trojan was detected
ET TROJAN Remcos RAT Checkin 23
2024
hpsupport.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Remcos RAT Checkin
2024
hpsupport.exe
A Network Trojan was detected
MALWARE [PTsecurity] Remcos RAT
2024
hpsupport.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Remcos RAT Checkin
2024
hpsupport.exe
A Network Trojan was detected
MALWARE [PTsecurity] Remcos RAT
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
TT_180000 WIRE TRANSFER8JNBLGGH5FV99_0_0010.doc