analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

INV-98-UHX.doc

Full analysis: https://app.any.run/tasks/f2bfec4e-5331-4701-8b16-83ec65b370d0
Verdict: Malicious activity
Threats:

Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

Malware Trends Tracker     >>>
Analysis date: January 18, 2019, 04:42:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
generated-doc
exploit
CVE-2017-11882
loader
evasion
trojan
hawkeye
keylogger
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

367C248CF6492C5650E13F9068A40B76

SHA1:

BBF70243F96CCFE692D646C8497C363AE88BE1FD

SHA256:

9044EFFCC0B538A5302A72A3FBCF052D09789F779D2170278AAA0354325571EF

SSDEEP:

1536:at7aapppppppGttC+OEi8M52TrtL8quKWlV6HNfJvwxKikBvATSKiHX99A0e83LD:yC9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3000)

    • Application was dropped or rewritten from another process

      • 1.exe (PID: 2420)
      • 1.exe (PID: 2716)

    • Downloads executable files with a strange extension

      • EQNEDT32.EXE (PID: 3000)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3000)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3000)

    • Changes the autorun value in the registry

      • 1.exe (PID: 2716)

    • Detected Hawkeye Keylogger

      • 1.exe (PID: 2716)

    • Actions looks like stealing of personal data

      • vbc.exe (PID: 972)

  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3000)
      • 1.exe (PID: 2716)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3000)
      • 1.exe (PID: 2716)

    • Application launched itself

      • 1.exe (PID: 2420)

    • Checks for external IP

      • 1.exe (PID: 2716)

    • Executes scripts

      • 1.exe (PID: 2716)

    • Connects to SMTP port

      • 1.exe (PID: 2716)

  • INFO

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 1420)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1420)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1420)

    • Dropped object may contain Bitcoin addresses

      • EQNEDT32.EXE (PID: 3000)
      • 1.exe (PID: 2716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Upr: {CH??NG TRÌNH }{*{CH{ƯƠNG TRÌNH }}}
Author: Mr.Duoc
LastModifiedBy: Windows User
CreateDate: 2018:12:14 09:22:00
ModifyDate: 2018:12:14 09:22:00
LastPrinted: 2018:12:12 16:35:00
RevisionNumber: 2
TotalEditTime: -
Pages: 2
Words: 265
Characters: 1511
CharactersWithSpaces: 1773
InternalVersionNumber: 24689
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe 1.exe no specs #HAWKEYE 1.exe vbc.exe vbc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1420"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\INV-98-UHX.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
3000"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2420C:\Users\admin\AppData\Local\Temp\1.exeC:\Users\admin\AppData\Local\Temp\1.exeEQNEDT32.EXE
User:
admin
Company:
interalliance
Integrity Level:
MEDIUM
Description:
HAUNTED10
Exit code:
0
Version:
3.09.0001
2716:\Users\admin\AppData\Local\Temp\1.exeC:\Users\admin\AppData\Local\Temp\1.exe
1.exe
User:
admin
Company:
interalliance
Integrity Level:
MEDIUM
Description:
HAUNTED10
Version:
3.09.0001
972C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
2480C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
Total events
1 408
Read events
737
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
6
Unknown types
3

Dropped files

PID
Process
Filename
Type
1420WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR758D.tmp.cvr
MD5:
SHA256:
972vbc.exeC:\Users\admin\AppData\Local\Temp\holdermail.txt
MD5:
SHA256:
2480vbc.exeC:\Users\admin\AppData\Local\Temp\bhvC6D4.tmp
MD5:
SHA256:
2480vbc.exeC:\Users\admin\AppData\Local\Temp\holderwb.txt
MD5:
SHA256:
1420WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2D4489F0-DE0F-42CF-B14E-24365EF9E989}.tmp
MD5:
SHA256:
3000EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\FR48QXLH.txttext
MD5:F860B220BFABB61BEC5D276DE308F4CB
SHA256:2BA8A05B4E599EA0FC8ADFF06D40905F614FAC483B80920495DBAD7F99D23FA0
1420WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:BDEB2D4C15E71ED37174A10B084C4B0C
SHA256:F72253F652FCC0CFA6CA9A3A305B9141EE2852D9C6EB31D3B1E918A1FB7A7EAC
3000EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\2HiWP5m[1].htmhtml
MD5:E2CC6E4DDEB1818639921B6DB9B71FF3
SHA256:85C57B52DDC5F036B3733FA1C2B0FECD17F4BB35B29A5BA8FDC7403382AFA4FE
24201.exeC:\Users\admin\AppData\Local\Temp\~DFB79084D1862C1121.TMPbinary
MD5:D24115B537CADAB89F4884B3C651C5E0
SHA256:8AFCCE0322506ADD5662970A4D4D074F23A7444D6F07B9CB9EE018E9A8D57659
1420WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\INV-98-UHX.LNKlnk
MD5:347FAF42C8C7DE280F02A9B7FC6090F1
SHA256:5056F900D772FB4C32E992F432281B3BA0C8969B7AADE1569064F943E4AA0DA1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
4
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3000
EQNEDT32.EXE
GET
200
65.60.35.58:443
https://aoiap.org/images/q.png
US
executable
1005 Kb
malicious
2716
1.exe
GET
403
104.16.17.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3000
EQNEDT32.EXE
GET
301
67.199.248.10:80
http://bit.ly/2HiWP5m
US
html
117 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3000
EQNEDT32.EXE
67.199.248.10:80
bit.ly
Bitly Inc
US
shared
2716
1.exe
104.16.17.96:80
whatismyipaddress.com
Cloudflare Inc
US
shared
2716
1.exe
65.60.35.58:587
aoiap.org
SingleHop, Inc.
US
suspicious
3000
EQNEDT32.EXE
65.60.35.58:443
aoiap.org
SingleHop, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
aoiap.org
  • 65.60.35.58
malicious
whatismyipaddress.com
  • 104.16.17.96
  • 104.16.16.96
  • 104.16.20.96
  • 104.16.18.96
  • 104.16.19.96
shared
mail.aoiap.org
  • 65.60.35.58
malicious

Threats

PID
Process
Class
Message
3000
EQNEDT32.EXE
A Network Trojan was detected
MALWARE [PTsecurity] PowerShell.Downloader httpHeader
2716
1.exe
A Network Trojan was detected
MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
2716
1.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
INV-98-UHX.doc