File name:	INV-98-UHX.doc
Full analysis:	https://app.any.run/tasks/f2bfec4e-5331-4701-8b16-83ec65b370d0
Verdict:	Malicious activity
Threats:	Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	January 18, 2019, 04:42:58
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	generated-doc exploit cve-2017-11882 loader evasion trojan hawkeye keylogger
Indicators:
MIME:	text/rtf
File info:	Rich Text Format data, version 1, unknown character set
MD5:	367C248CF6492C5650E13F9068A40B76
SHA1:	BBF70243F96CCFE692D646C8497C363AE88BE1FD
SHA256:	9044EFFCC0B538A5302A72A3FBCF052D09789F779D2170278AAA0354325571EF
SSDEEP:	1536:at7aapppppppGttC+OEi8M52TrtL8quKWlV6HNfJvwxKikBvATSKiHX99A0e83LD:yC9

Upr:	{CH??NG TRÌNH }{*{CH{ƯƠNG TRÌNH }}}
Author:	Mr.Duoc
LastModifiedBy:	Windows User
CreateDate:	2018:12:14 09:22:00
ModifyDate:	2018:12:14 09:22:00
LastPrinted:	2018:12:12 16:35:00
RevisionNumber:	2
TotalEditTime:	-
Pages:	2
Words:	265
Characters:	1511
CharactersWithSpaces:	1773
InternalVersionNumber:	24689


(PID) Process:	(1420) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	-m1
Value: 2D6D31008C050000010000000000000000000000
(PID) Process:	(1420) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(1420) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(1420) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	WORDFiles
Value: 1311899690
(PID) Process:	(1420) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1311899774
(PID) Process:	(1420) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1311899775
(PID) Process:	(1420) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:	write	Name:	MTTT
Value: 8C05000094490B4FE8AED40100000000
(PID) Process:	(1420) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	oo1
Value: 6F6F31008C05000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(1420) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	oo1
Value: 6F6F31008C05000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(1420) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
1420	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR758D.tmp.cvr		—
		MD5:—	SHA256:—
972	vbc.exe	C:\Users\admin\AppData\Local\Temp\holdermail.txt		—
		MD5:—	SHA256:—
2480	vbc.exe	C:\Users\admin\AppData\Local\Temp\bhvC6D4.tmp		—
		MD5:—	SHA256:—
2480	vbc.exe	C:\Users\admin\AppData\Local\Temp\holderwb.txt		—
		MD5:—	SHA256:—
1420	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2D4489F0-DE0F-42CF-B14E-24365EF9E989}.tmp		—
		MD5:—	SHA256:—
3000	EQNEDT32.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\FR48QXLH.txt		text
		MD5:—	SHA256:—
3000	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\q[1].png		executable
		MD5:—	SHA256:—
2420	1.exe	C:\Users\admin\AppData\Local\Temp\~DFB79084D1862C1121.TMP		binary
		MD5:—	SHA256:—
3000	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\2HiWP5m[1].htm		html
		MD5:—	SHA256:—
1420	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\INV-98-UHX.LNK		lnk
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2716	1.exe	GET	403	104.16.17.96:80	http://whatismyipaddress.com/	US	text	100 b	shared
3000	EQNEDT32.EXE	GET	200	65.60.35.58:443	https://aoiap.org/images/q.png	US	executable	1005 Kb	malicious
3000	EQNEDT32.EXE	GET	301	67.199.248.10:80	http://bit.ly/2HiWP5m	US	html	117 b	shared

Domain	IP	Reputation
bit.ly	67.199.248.10 67.199.248.11	shared
aoiap.org	65.60.35.58	malicious
whatismyipaddress.com	104.16.17.96 104.16.16.96 104.16.20.96 104.16.18.96 104.16.19.96	shared
mail.aoiap.org	65.60.35.58	malicious

PID	Process	Class	Message
3000	EQNEDT32.EXE	A Network Trojan was detected	MALWARE [PTsecurity] PowerShell.Downloader httpHeader
2716	1.exe	A Network Trojan was detected	MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
2716	1.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction

General Info

INV-98-UHX.doc

367C248CF6492C5650E13F9068A40B76

BBF70243F96CCFE692D646C8497C363AE88BE1FD

9044EFFCC0B538A5302A72A3FBCF052D09789F779D2170278AAA0354325571EF

1536:at7aapppppppGttC+OEi8M52TrtL8quKWlV6HNfJvwxKikBvATSKiHX99A0e83LD:yC9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Suspicious connection from the Equation Editor

Application was dropped or rewritten from another process

Equation Editor starts application (CVE-2017-11882)

Downloads executable files with a strange extension

Downloads executable files from the Internet

Detected Hawkeye Keylogger

Changes the autorun value in the registry

Actions looks like stealing of personal data

SUSPICIOUS

Creates files in the user directory

Application launched itself

Executable content was dropped or overwritten

Checks for external IP

Executes scripts

Connects to SMTP port

INFO

Reads the machine GUID from the registry

Dropped object may contain Bitcoin addresses

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

RTF

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings