File name:	30% Payment.doc
Full analysis:	https://app.any.run/tasks/beb29c3f-e7db-49be-a9c5-71e500bb12de
Verdict:	Malicious activity
Threats:	Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	January 11, 2019, 04:03:26
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	generated-doc trojan exploit cve-2017-11882 loader evasion hawkeye keylogger stealer
Indicators:
MIME:	text/rtf
File info:	Rich Text Format data, version 1, unknown character set
MD5:	68766F2B8CFA7D033A76C6DBCB726C92
SHA1:	733BBE6FE972F7D45AAB03169D43E99A3B4FBD9F
SHA256:	A3AF4D813774AA7860CB2C0AE1401A2D8FA3D63C4F13D42CF4492330A5771FF9
SSDEEP:	12288:cVEV6VFVFVgVgVgVgVgVgVgVhVEVEVdV/VZV9VVbV2V/VRVj:caE//OOOOOOODaa3h3l1E9bx

Upr:	{CH??NG TRÌNH }{*{CH{ƯƠNG TRÌNH }}}
Author:	Mr.Duoc
LastModifiedBy:	Windows User
CreateDate:	2018:12:14 09:22:00
ModifyDate:	2018:12:14 09:22:00
LastPrinted:	2018:12:12 16:35:00
RevisionNumber:	2
TotalEditTime:	-
Pages:	2
Words:	265
Characters:	1511
CharactersWithSpaces:	1773
InternalVersionNumber:	24689


(PID) Process:	(2496) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	i;/
Value: 693B2F00C0090000010000000000000000000000
(PID) Process:	(2496) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(2496) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(2496) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	WORDFiles
Value: 1311440938
(PID) Process:	(2496) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1311441022
(PID) Process:	(2496) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1311441023
(PID) Process:	(2496) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:	write	Name:	MTTT
Value: C00900006E42CBA162A9D40100000000
(PID) Process:	(2496) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	}?/
Value: 7D3F2F00C009000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2496) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	}?/
Value: 7D3F2F00C009000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2496) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
2496	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR7B69.tmp.cvr		—
		MD5:—	SHA256:—
2496	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A59FDEE3-7822-41DE-9327-D568FB51A6CA}.tmp		—
		MD5:—	SHA256:—
2496	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{80B4468D-9D32-40C3-8E93-07AFDA9068EF}.tmp		—
		MD5:—	SHA256:—
2496	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EF87A44B-5E0A-4693-8D51-255699DC0F49}.tmp		—
		MD5:—	SHA256:—
2496	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{289CB7B6-F0FA-45FF-897A-BB708F118294}.tmp		—
		MD5:—	SHA256:—
2952	vbc.exe	C:\Users\admin\AppData\Local\Temp\holdermail.txt		—
		MD5:—	SHA256:—
368	vbc.exe	C:\Users\admin\AppData\Local\Temp\bhv3B73.tmp		—
		MD5:—	SHA256:—
368	vbc.exe	C:\Users\admin\AppData\Local\Temp\holderwb.txt		—
		MD5:—	SHA256:—
1668	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRE82E.tmp.cvr		—
		MD5:—	SHA256:—
1668	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{91802F8F-A7A2-42C3-917A-EA1A6B967B88}.tmp		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2204	EQNEDT32.EXE	GET	301	67.199.248.10:80	http://bit.ly/2D1Ob77	US	html	109 b	shared
2204	EQNEDT32.EXE	GET	200	65.60.35.58:80	http://aoiap.org/q.png	US	executable	913 Kb	malicious
2832	1.exe	GET	403	104.16.17.96:80	http://whatismyipaddress.com/	US	text	100 b	shared

Domain	IP	Reputation
bit.ly	67.199.248.10 67.199.248.11	shared
aoiap.org	65.60.35.58	malicious
whatismyipaddress.com	104.16.17.96 104.16.19.96 104.16.20.96 104.16.18.96 104.16.16.96	shared
mail.aoiap.org	65.60.35.58	malicious

PID	Process	Class	Message
2204	EQNEDT32.EXE	A Network Trojan was detected	MALWARE [PTsecurity] PowerShell.Downloader httpHeader
2204	EQNEDT32.EXE	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2204	EQNEDT32.EXE	A Network Trojan was detected	ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2204	EQNEDT32.EXE	A Network Trojan was detected	SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
2204	EQNEDT32.EXE	Misc activity	SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2832	1.exe	A Network Trojan was detected	MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
2832	1.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction

General Info

30% Payment.doc

68766F2B8CFA7D033A76C6DBCB726C92

733BBE6FE972F7D45AAB03169D43E99A3B4FBD9F

A3AF4D813774AA7860CB2C0AE1401A2D8FA3D63C4F13D42CF4492330A5771FF9

12288:cVEV6VFVFVgVgVgVgVgVgVgVhVEVEVdV/VZV9VVbV2V/VRVj:caE//OOOOOOODaa3h3l1E9bx

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Suspicious connection from the Equation Editor

Equation Editor starts application (CVE-2017-11882)

Application was dropped or rewritten from another process

Downloads executable files with a strange extension

Downloads executable files from the Internet

Detected Hawkeye Keylogger

Changes the autorun value in the registry

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Application launched itself

Checks for external IP

Executes scripts

Connects to SMTP port

INFO

Reads the machine GUID from the registry

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

RTF

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings