Field | Value
---|---
File name | SWIFT_MT103_1009673AF1.doc
Full analysis | https://app.any.run/tasks/300065dc-97aa-4b27-9e27-9f97a4601552
Verdict | Malicious activity
Threats | HawkEye is often installed bundled with other malware. It is a Trojan and keylogger used to steal private information such as passwords and login credentials, and it features strong anti-evasion functions.
Analysis date | November 14, 2018, 15:17:54
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/rtf
File info | Rich Text Format data, version 1, unknown character set
MD5 | D2C06F07538FD449CBEF796C4DB720CF
SHA1 | 6124366C3122CBCCCE441DECB97531757D204903
SHA256 | 895EE05FF0EA2B1CCD1746954BCD51238DC4E2D4960CF86A7F9D8A209752B09C
SSDEEP | 24576:PwpoU/u8n1XmszwiaiQgfkSBIb8ggnsapomEV/r3jOh2iznj36bioIdMRps7SgRM:X

Extension | File type
---|---
.rtf | Rich Text Format (100)

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3660 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\SWIFT_MT103_1009673AF1.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 1; Version: 14.0.6024.1000 | | | |
3416 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3872 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2084 | C:\Windows\system32\cmd.exe /K itnqknf5.CMD | C:\Windows\system32\cmd.exe | — | cmd.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2368 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3368 | cscript //nologo "C:\Users\admin\AppData\Local\Temp\_.vbs" | C:\Windows\system32\cscript.exe | — | cmd.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | | |
2080 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3140 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2032 | TASkKILL /F /IM winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Terminates Processes; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2764 | reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f | C:\Windows\system32\reg.exe | — | cmd.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8D60.tmp.cvr | — | — | —
4080 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holdermail.txt | — | — | —
2456 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holderwb.txt | — | — | —
3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\a.ScT | xml | 93522467EA6A1B96B85DDC1AEC79DA43 | FAB6F1444B9550EF2EF06B651EFAE615C358F5DA51F267C94B78DD115240E9A1
3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uffm.cmd | text | 955DFB33CD8846C2214A71956B51F68B | 4A169CBDB43CE32975DCBC5B97DAB03466479A1A6AEFE9BE8C3677A34740C118
3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\itnqknf5.cmd | text | A3B2EC295AD5A65C83A52892A2ABE0FE | 5A8956E665402C41F00377A5F5F2900B1A3DBC8B04099D8293207D3C65CAA238
3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\1.zip | compressed | 7A75756C9346A31A96541893A0BE3D25 | 839CE54A73BDA54840D9F5C3E538B648180323AB0884A7E43169EA7041DDFD35
3368 | cscript.exe | C:\Users\admin\AppData\Local\Temp\gondi.doc | text | 61FBFE216675785D54F9B3B15B9FD5F4 | 8FE6B84D7D2B08A0B22D2ABC863383A07F8DC038BD79070E6990F89EFE1C5630
3368 | cscript.exe | C:\Users\admin\AppData\Local\Temp\saver.scr | executable | D976BFBDA292EAED35F10972C2CB4D11 | DCF06012F087C86D1905A328AE4A8F37B30068A7D31C978AA757D2FE1C5CA025
3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7D6C5307-2974-44DC-A420-C4C610B1D5F6}.tmp | binary | CD464C8F1E28C6071FA574392D233367 | FF93269B243EE6A5EEE2BC1E77CB0A39CCDA1D910F7ED21D1D7831842A03FEAD

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3144 | saver.scr | GET | 403 | 104.16.19.96:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3144 | saver.scr | 104.16.19.96:80 | whatismyipaddress.com | Cloudflare Inc | US | shared
3144 | saver.scr | 208.91.199.225:587 | smtp.wanjiall-group.com | PDR | US | shared

Domain | IP | Reputation
---|---|---
whatismyipaddress.com | 104.16.19.96 | shared
smtp.wanjiall-group.com | 208.91.199.225 | malicious

PID | Process | Class | Message
---|---|---|---
3144 | saver.scr | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
3144 | saver.scr | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction