URL:	http://smart-fax.com/Documents/Invoice&MSO-Request.doc
Full analysis:	https://app.any.run/tasks/36596d3e-e2ce-4467-8d45-b3309698e50c
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	June 27, 2019, 21:18:31
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader rat netwire trojan maldoc-12
Indicators:
MD5:	3A4A431C6DA305FF014F48635999CA47
SHA1:	B52AB69982D0C843E46FC2A86DA9F3FD49DD77B8
SHA256:	607A1652C5134DD401D2AA73493A14B0B8E0897B534FC49FAD71719CDE864375
SSDEEP:	3:N1KNIEBIDEXsKGA0a3Wvd:CaE+KGA0D1


(PID) Process:	(344) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(344) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(344) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(344) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:	write	Name:	SecuritySafe
Value: 1
(PID) Process:	(344) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(344) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:	(344) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:	write	Name:	{25B5B86F-9921-11E9-A370-5254004A04AF}
Value: 0
(PID) Process:	(344) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Type
Value: 4
(PID) Process:	(344) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Count
Value: 1
(PID) Process:	(344) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Time
Value: E307060004001B00150012002F001B00

PID	Process	Filename		Type
344	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico		—
		MD5:—	SHA256:—
344	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3440	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRF233.tmp.cvr		—
		MD5:—	SHA256:—
3440	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\{02666A6F-9B11-4CD9-865B-8F7F99EC60A5}		—
		MD5:—	SHA256:—
3440	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\{98353D6D-3CDD-4B0E-81D4-AFF5B612557A}		—
		MD5:—	SHA256:—
3504	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat		dat
		MD5:—	SHA256:—
3504	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat		dat
		MD5:—	SHA256:—
3440	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:—	SHA256:—
3440	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4A20F55A-0710-48AD-9157-2CFF9A851CF0}.FSD		binary
		MD5:—	SHA256:—
3440	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF		binary
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3440	WINWORD.EXE	OPTIONS	200	107.180.50.162:80	http://smart-fax.com/Documents/	US	—	—	malicious
3440	WINWORD.EXE	HEAD	200	107.180.50.162:80	http://smart-fax.com/Documents/Invoice&MSO-Request.doc	US	—	—	malicious
3440	WINWORD.EXE	HEAD	200	107.180.50.162:80	http://smart-fax.com/Documents/Invoice&MSO-Request.doc	US	—	—	malicious
984	svchost.exe	PROPFIND	—	107.180.50.162:80	http://smart-fax.com/Documents/	US	—	—	malicious
984	svchost.exe	PROPFIND	404	107.180.50.162:80	http://smart-fax.com/Documents/	US	html	8.55 Kb	malicious
984	svchost.exe	PROPFIND	301	107.180.50.162:80	http://smart-fax.com/Documents	US	html	239 b	malicious
984	svchost.exe	OPTIONS	200	107.180.50.162:80	http://smart-fax.com/Documents/	US	html	239 b	malicious
984	svchost.exe	PROPFIND	301	107.180.50.162:80	http://smart-fax.com/Documents	US	html	239 b	malicious
984	svchost.exe	PROPFIND	200	107.180.50.162:80	http://smart-fax.com/	US	html	10.5 Kb	malicious
984	svchost.exe	PROPFIND	404	107.180.50.162:80	http://smart-fax.com/Documents/	US	html	8.55 Kb	malicious

Domain	IP	Reputation
smart-fax.com	107.180.50.162	malicious
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
dunlop.hopto.org	23.105.131.229	malicious

PID	Process	Class	Message
3440	WINWORD.EXE	Potentially Bad Traffic	ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3440	WINWORD.EXE	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
1476	tng.exe	A Network Trojan was detected	MALWARE [PTsecurity] Netwire.RAT
1476	tng.exe	A Network Trojan was detected	MALWARE [PTsecurity] Netwire.RAT
1476	tng.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
1476	tng.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
1476	tng.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
1476	tng.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
1476	tng.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
1476	tng.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2

General Info

http://smart-fax.com/Documents/Invoice&MSO-Request.doc

3A4A431C6DA305FF014F48635999CA47

B52AB69982D0C843E46FC2A86DA9F3FD49DD77B8

607A1652C5134DD401D2AA73493A14B0B8E0897B534FC49FAD71719CDE864375

3:N1KNIEBIDEXsKGA0a3Wvd:CaE+KGA0D1

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Requests a remote executable file from MS Office

Executable content was dropped or overwritten

Unusual execution from Microsoft Office

Application was dropped or rewritten from another process

Connects to CnC server

NETWIRE was detected

Changes the autorun value in the registry

SUSPICIOUS

Creates files in the user directory

Reads Internet Cache Settings

Starts itself from another location

Executed via COM

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Application launched itself

Starts Microsoft Office Application

INFO

Reads Internet Cache Settings

Application launched itself

Reads internet explorer settings

Changes internet zones settings

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings