Field | Value |
---|---|
File name: | Urgently Order.xlsx |
Full analysis: | https://app.any.run/tasks/7d2c764e-a52f-435f-88b1-7fbe97e43da4 |
Verdict: | Malicious activity |
Threats: | Hawkeye is often installed in a bundle with other malware. It is a Trojan and keylogger used to retrieve private information such as passwords and login credentials. It is advanced malware with strong anti-evasion features. |
Analysis date: | March 14, 2019, 20:25:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | F6EABF2AB5993F7ED66C53E5750D5B81 |
SHA1: | B67E061D98CFC3BC2AF56EC48E876F6D4F39FC0F |
SHA256: | 7F1C4FDDC848B4ECC53C2CE0850DCD3335A31BD11E2A48E3A25DCD1EC5602451 |
SSDEEP: | 768:4gvauxqm+bAPQODPxsvWITTKosiG5F6XuFWiuI4p:4J9iPQODPxsvWIaosdsqWiF8 |

Extension | File type identification (match score) |
---|---|
.xlsx | Excel Microsoft Office Open XML Format document (61.2) |
.zip | Open Packaging Conventions container (31.5) |
.zip | ZIP compressed archive (7.2) |

Document property | Value |
---|---|
AppVersion: | 12 |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
TitlesOfParts: | |
HeadingPairs: | |
ScaleCrop: | No |
DocSecurity: | None |
Application: | Microsoft Excel |
ModifyDate: | 2018:11:29 09:53:26Z |
CreateDate: | 2018:11:29 09:50:53Z |
LastModifiedBy: | Modey |
Creator: | Modey |

Zip entry property | Value |
---|---|
ZipFileName: | [Content_Types].xml |
ZipUncompressedSize: | 1811 |
ZipCompressedSize: | 405 |
ZipCRC: | 0x6096dbee |
ZipModifyDate: | 2019:03:14 17:43:30 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0002 |
ZipRequiredVersion: | 20 |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3016 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 |
3104 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
2812 | "C:\Users\admin\AppData\Roaming\profrankj76584.exe" | C:\Users\admin\AppData\Roaming\profrankj76584.exe | | EQNEDT32.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2660 | "C:\Users\admin\AppData\Roaming\frankq\frankfio.exe" | C:\Users\admin\AppData\Roaming\frankq\frankfio.exe | — | profrankj76584.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2736 | "C:\Users\admin\AppData\Roaming\frankq\frankfio.exe" | C:\Users\admin\AppData\Roaming\frankq\frankfio.exe | | frankfio.exe | User: admin; Integrity Level: MEDIUM |
2244 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp3FF.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | | frankfio.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5420 |
2436 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp2CE5.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | | frankfio.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 8.0.50727.5420 |

PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
3016 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | write | 3)& | 33292600C80B0000010000000000000000000000 |
3016 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
3016 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On |
3016 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | write | MTTT | C80B0000F0CE4A28A4DAD40100000000 |
3016 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete value | 3)& | 33292600C80B0000010000000000000000000000 |
3016 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete key | | |
3016 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency | delete key | | |
3016 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
3016 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
3016 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1AE1C7 | write | 1AE1C7 | 04000000C80B00002C00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C0055007200670065006E0074006C00790020004F0072006400650072002E0078006C0073007800000000001900000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C00010000000000000080524029A4DAD401C7E11A00C7E11A0000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3016 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRDD13.tmp.cvr | — | — | — |
2812 | profrankj76584.exe | C:\Users\admin\AppData\Roaming\frankq\frankfio.exe:ZoneIdentifier | — | — | — |
3016 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\687BC178.png | — | — | — |
3016 | EXCEL.EXE | C:\Users\admin\Downloads\~$Urgently Order.xlsx | — | — | — |
3016 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Urgently Order.xlsx.LNK | lnk | E3682D2FB61DF63855E0C7F84B7C07B6 | 806E4BCCC6B9DF29B58AD71BC86098A38AD3ABC49B7F19BDC22448B2103C13CD |
2244 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp3FF.tmp | text | C48992AAE0E8FD5463A7B1617B2E0B88 | 04802C51A3EE5E9F7D48462C50B17ABC0E84D54F5525D70E4C904BCC0634C3CE |
2812 | profrankj76584.exe | C:\Users\admin\AppData\Roaming\frankq\frankfio.exe | executable | 7F7ED4064CFAFE1F629038D342F51363 | 96A1C05C25331E549AC46CD52B4278F7D6D0D28D3B50664F9BB3E46C702E5F62 |
3104 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\frankjoe[1].exe | executable | 7F7ED4064CFAFE1F629038D342F51363 | 96A1C05C25331E549AC46CD52B4278F7D6D0D28D3B50664F9BB3E46C702E5F62 |
3016 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 95B8E254DC80D71786B2601CEFF72078 | CE7E3E126305208B0966356D378977DA63B36AC274E19342BF45F36751479CC3 |
3104 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\profrankj76584.exe | executable | 7F7ED4064CFAFE1F629038D342F51363 | 96A1C05C25331E549AC46CD52B4278F7D6D0D28D3B50664F9BB3E46C702E5F62 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3104 | EQNEDT32.EXE | GET | 200 | 217.182.138.150:80 | http://megaklik.top/frankjoe/frankjoe.exe | FR | executable | 989 Kb | malicious |
2736 | frankfio.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 15 b | shared |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2736 | frankfio.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
2736 | frankfio.exe | 198.54.122.60:587 | mail.privateemail.com | Namecheap, Inc. | US | suspicious |
3104 | EQNEDT32.EXE | 217.182.138.150:80 | megaklik.top | OVH SAS | FR | malicious |

Domain | IP | Reputation |
---|---|---|
megaklik.top | | malicious |
bot.whatismyipaddress.com | | shared |
mail.privateemail.com | | shared |

PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
3104 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
3104 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
3104 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3104 | EQNEDT32.EXE | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
3104 | EQNEDT32.EXE | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
2736 | frankfio.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |
2736 | frankfio.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |