File name: SWIFT_MT103_1009673AF1.doc
Full analysis: https://app.any.run/tasks/300065dc-97aa-4b27-9e27-9f97a4601552
Verdict: Malicious activity
Threats: Hawkeye often gets installed in a bundle with other malware. It is a Trojan and keylogger used to steal private information such as passwords and login credentials. It is advanced malware with strong evasion features.

Analysis date: November 14, 2018, 15:17:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, evasion, keylogger, hawkeye, trojan
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: D2C06F07538FD449CBEF796C4DB720CF
SHA1: 6124366C3122CBCCCE441DECB97531757D204903
SHA256: 895EE05FF0EA2B1CCD1746954BCD51238DC4E2D4960CF86A7F9D8A209752B09C
SSDEEP: 24576:PwpoU/u8n1XmszwiaiQgfkSBIb8ggnsapomEV/r3jOh2iznj36bioIdMRps7SgRM:X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Starts CMD.EXE for command execution
      • WINWORD.EXE (PID: 3660)
    • Runs app for hidden code execution
      • cmd.exe (PID: 3416)
      • cmd.exe (PID: 2080)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3660)
    • Application was dropped or rewritten from another process
      • saver.scr (PID: 3612)
      • saver.scr (PID: 3144)
    • Actions look like stealing of personal data
      • vbc.exe (PID: 4080)
    • Detected Hawkeye Keylogger
      • saver.scr (PID: 3144)
  • SUSPICIOUS
    • Starts CMD.EXE for command execution
      • cmd.exe (PID: 3416)
      • cmd.exe (PID: 3872)
      • cmd.exe (PID: 2080)
      • cmd.exe (PID: 2084)
    • Application launched itself
      • cmd.exe (PID: 3416)
      • cmd.exe (PID: 2084)
      • saver.scr (PID: 3612)
    • Executable content was dropped or overwritten
      • cscript.exe (PID: 3368)
    • Executes scripts
      • cmd.exe (PID: 2084)
      • saver.scr (PID: 3144)
    • Uses REG.EXE to modify Windows registry
      • cmd.exe (PID: 2084)
      • cmd.exe (PID: 2600)
      • cmd.exe (PID: 3796)
      • cmd.exe (PID: 3476)
      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 3600)
      • cmd.exe (PID: 2712)
    • Writes to a desktop.ini file (may be used to cloak folders)
      • cscript.exe (PID: 3368)
    • Uses TASKKILL.EXE to kill Office apps
      • cmd.exe (PID: 2084)
    • Starts application with an unusual extension
      • cmd.exe (PID: 2084)
      • saver.scr (PID: 3612)
    • Creates files in the user directory
      • saver.scr (PID: 3144)
    • Connects to SMTP port
      • saver.scr (PID: 3144)
    • Checks for external IP
      • saver.scr (PID: 3144)
    • Loads DLL from Mozilla Firefox
      • vbc.exe (PID: 2456)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3660)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3660)
No malware configuration.

TRiD: .rtf | Rich Text Format (100)
No data.
Total processes: 67
Monitored processes: 32
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Processes in the graph, in order: winword.exe, cmd.exe, cmd.exe, cmd.exe, timeout.exe, cscript.exe, cmd.exe, cmd.exe, taskkill.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, saver.scr, cscript.exe, saver.scr (#HAWKEYE), vbc.exe, vbc.exe

Process information

PID 3660 | Parent: explorer.exe | Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\SWIFT_MT103_1009673AF1.doc.rtf"
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Microsoft Word | Exit code: 1 | Version: 14.0.6024.1000

PID 3416 | Parent: WINWORD.EXE | Path: C:\Windows\System32\cmd.exe
  CMD: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3872 | Parent: cmd.exe | Path: C:\Windows\system32\cmd.exe
  CMD: CmD
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2084 | Parent: cmd.exe | Path: C:\Windows\system32\cmd.exe
  CMD: C:\Windows\system32\cmd.exe /K itnqknf5.CMD
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2368 | Parent: cmd.exe | Path: C:\Windows\system32\timeout.exe
  CMD: TIMEOUT /T 1
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: timeout - pauses command processing | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3368 | Parent: cmd.exe | Path: C:\Windows\system32\cscript.exe
  CMD: cscript //nologo "C:\Users\admin\AppData\Local\Temp\_.vbs"
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Microsoft ® Console Based Script Host | Exit code: 0 | Version: 5.8.7600.16385

PID 2080 | Parent: WINWORD.EXE | Path: C:\Windows\System32\cmd.exe
  CMD: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3140 | Parent: cmd.exe | Path: C:\Windows\system32\cmd.exe
  CMD: CmD
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2032 | Parent: cmd.exe | Path: C:\Windows\system32\taskkill.exe
  CMD: TASkKILL /F /IM winword.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Terminates Processes | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2764 | Parent: cmd.exe | Path: C:\Windows\system32\reg.exe
  CMD: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Registry Console Tool | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 214
Read events: 1 170
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 1
Suspicious files: 4
Text files: 12
Unknown types: 3

Dropped files

PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8D60.tmp.cvr | Type: (none) | MD5: (none) | SHA256: (none)
PID 4080 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holdermail.txt | Type: (none) | MD5: (none) | SHA256: (none)
PID 2456 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holderwb.txt | Type: (none) | MD5: (none) | SHA256: (none)
PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\a.ScT | Type: xml
  MD5: 93522467EA6A1B96B85DDC1AEC79DA43 | SHA256: FAB6F1444B9550EF2EF06B651EFAE615C358F5DA51F267C94B78DD115240E9A1
PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uffm.cmd | Type: text
  MD5: 955DFB33CD8846C2214A71956B51F68B | SHA256: 4A169CBDB43CE32975DCBC5B97DAB03466479A1A6AEFE9BE8C3677A34740C118
PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\itnqknf5.cmd | Type: text
  MD5: A3B2EC295AD5A65C83A52892A2ABE0FE | SHA256: 5A8956E665402C41F00377A5F5F2900B1A3DBC8B04099D8293207D3C65CAA238
PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\1.zip | Type: compressed
  MD5: 7A75756C9346A31A96541893A0BE3D25 | SHA256: 839CE54A73BDA54840D9F5C3E538B648180323AB0884A7E43169EA7041DDFD35
PID 3368 | cscript.exe | C:\Users\admin\AppData\Local\Temp\gondi.doc | Type: text
  MD5: 61FBFE216675785D54F9B3B15B9FD5F4 | SHA256: 8FE6B84D7D2B08A0B22D2ABC863383A07F8DC038BD79070E6990F89EFE1C5630
PID 3368 | cscript.exe | C:\Users\admin\AppData\Local\Temp\saver.scr | Type: executable
  MD5: D976BFBDA292EAED35F10972C2CB4D11 | SHA256: DCF06012F087C86D1905A328AE4A8F37B30068A7D31C978AA757D2FE1C5CA025
PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7D6C5307-2974-44DC-A420-C4C610B1D5F6}.tmp | Type: binary
  MD5: CD464C8F1E28C6071FA574392D233367 | SHA256: FF93269B243EE6A5EEE2BC1E77CB0A39CCDA1D910F7ED21D1D7831842A03FEAD
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID 3144 | saver.scr | GET | HTTP code: 403 | IP: 104.16.19.96:80 | URL: http://whatismyipaddress.com/ | CN: US | Type: text | Size: 100 b | Reputation: shared

Connections

PID 3144 | saver.scr | IP: 104.16.19.96:80 | Domain: whatismyipaddress.com | ASN: Cloudflare Inc | CN: US | Reputation: shared
PID 3144 | saver.scr | IP: 208.91.199.225:587 | Domain: smtp.wanjiall-group.com | ASN: PDR | CN: US | Reputation: shared

DNS requests

Domain: whatismyipaddress.com | Reputation: shared
  • 104.16.19.96
  • 104.16.18.96
  • 104.16.16.96
  • 104.16.17.96
  • 104.16.20.96
Domain: smtp.wanjiall-group.com | Reputation: malicious
  • 208.91.199.225
  • 208.91.198.143
  • 208.91.199.224
  • 208.91.199.223

Threats

PID 3144 | saver.scr | Class: A Network Trojan was detected | Message: MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
PID 3144 | saver.scr | Class: Generic Protocol Command Decode | Message: SURICATA Applayer Detect protocol only one direction

3 ETPRO signatures available in the full report
No debug info