File name: | Draft BL.doc |
Full analysis: | https://app.any.run/tasks/2aafea5c-9b94-4fa0-aca4-d0144d3a7ca2 |
Verdict: | Malicious activity |
Threats: | Hawkeye is often installed in a bundle with other malware. It is a Trojan and keylogger used to retrieve private information such as passwords and login credentials. It is advanced malware with strong anti-evasion functions. |
Analysis date: | May 15, 2019, 13:32:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | AC3A35769F141166C120DE2B8E95DB1C |
SHA1: | A6C2249E8808B65991370DD0E47D7BACE23D1549 |
SHA256: | A29A39D6D139A468FCB953587423C9B02D4D68B333922B7783E24FFAB5F69FB0 |
SSDEEP: | 24576:pd6qlMEjK5kyHty99BE7f8Gh+lN4z4Z19tWLAs1Uwq0/4oveckLKOidW0GdmChP:F |
.rtf | Rich Text Format (100) |

PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3048 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Draft BL.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 1; Version: 14.0.6024.1000 | | | | |
2352 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
2828 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
3088 | C:\Windows\system32\cmd.exe /K mt6nzqofd.CMD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
3592 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
776 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
2728 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
860 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
3408 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3824 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
PID | Process | Filename | Type | |
---|---|---|---|---|
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREB39.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR578.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\kulebiaka.ZiP | compressed | |
MD5:46820D7DA085420CC9F3956D5EA83332 | SHA256:98AC30F758FFEA67D95DA03EDB2FDFF84C7C0CB3CF3C6ADAD750DC00782E77C2 | |||
3048 | WINWORD.EXE | C:\Users\admin\Desktop\~$aft BL.doc.rtf | pgc | |
MD5:267C1C5C32405625BCE23AE1D1156535 | SHA256:706840F3CE3DEF3828471E063ECD091E8420ECA1A4703D066872DE70B1814EEE | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:816BEA007272E3D591722A84B2EBD2E8 | SHA256:0BD48B965DD591F21A77D8C83E4C24FE5627C543192A698F7B1E1842A0EEDB5A | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Draft BL.doc.rtf.LNK | lnk | |
MD5:7D5D946266B11771E86AA8DD55E63A40 | SHA256:5FFDBD5903C4FC6FBD03E4AF09EAF1C1CB6AE6A7F42254BF2CDC604BC6D48400 | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mt6nzqofd.cmd | text | |
MD5:B5B6D0CC5AE87D9B02585E5B3246C1A2 | SHA256:15C6536DD7A47ADD995049F4E54D86F69F50BB20FE29B88B5AE809A888730A5E | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:FAA3439FEAEA422347AB654C4897E53D | SHA256:5D342EB16DBEBF2A770AE3D1678ECC646528650EE82F223D849ABAC846795E9A | |||
2388 | cscript.exe | C:\Users\admin\AppData\Local\Temp\gondi.doc | text | |
MD5:6291D5A22FCE652360616BD330E07082 | SHA256:80AE0226822B684927280C63CA9F4E683C121FA62715E02909DECC298C03B506 | |||
3088 | cmd.exe | C:\Users\admin\AppData\Local\Temp\_.vbs | text | |
MD5:BF9646FA68CAE0CE69FBF7FFF70D65B5 | SHA256:CC7DD8CF31F4634A109AC5A14931F8A4E55F528B36C40B0D109B9147B8E7C928 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2924 | saver.scr | GET | — | 104.16.155.36:80 | http://whatismyipaddress.com/ | US | — | — | shared |
— | — | GET | 200 | 2.21.242.197:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | NL | der | 1.37 Kb | whitelisted |
2440 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2924 | saver.scr | 104.16.155.36:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
2440 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
— | — | 2.21.242.197:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | NL | whitelisted |
3320 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
2924 | saver.scr | 82.221.130.149:587 | smtp.vivaldi.net | Thor Data Center ehf | IS | unknown |

Domain | IP | Reputation |
---|---|---|
whatismyipaddress.com | — | shared |
smtp.vivaldi.net | — | shared |
notepad-plus-plus.org | — | whitelisted |
isrg.trustid.ocsp.identrust.com | — | whitelisted |
www.bing.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2924 | saver.scr | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck) |
2924 | saver.scr | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |

Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll |
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093 |