analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

30% Payment.doc

Full analysis: https://app.any.run/tasks/beb29c3f-e7db-49be-a9c5-71e500bb12de
Verdict: Malicious activity
Threats:

Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

Malware Trends Tracker     >>>
Analysis date: January 11, 2019, 04:03:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
generated-doc
trojan
exploit
CVE-2017-11882
loader
evasion
hawkeye
keylogger
stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

68766F2B8CFA7D033A76C6DBCB726C92

SHA1:

733BBE6FE972F7D45AAB03169D43E99A3B4FBD9F

SHA256:

A3AF4D813774AA7860CB2C0AE1401A2D8FA3D63C4F13D42CF4492330A5771FF9

SSDEEP:

12288:cVEV6VFVFVgVgVgVgVgVgVgVhVEVEVdV/VZV9VVbV2V/VRVj:caE//OOOOOOODaa3h3l1E9bx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 1.exe (PID: 2424)
      • 1.exe (PID: 2832)

    • Downloads executable files with a strange extension

      • EQNEDT32.EXE (PID: 2204)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 2204)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 2204)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2204)

    • Actions looks like stealing of personal data

      • vbc.exe (PID: 2952)

    • Detected Hawkeye Keylogger

      • 1.exe (PID: 2832)

    • Changes the autorun value in the registry

      • 1.exe (PID: 2832)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2204)
      • 1.exe (PID: 2832)

    • Application launched itself

      • 1.exe (PID: 2424)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2204)
      • 1.exe (PID: 2832)

    • Checks for external IP

      • 1.exe (PID: 2832)

    • Connects to SMTP port

      • 1.exe (PID: 2832)

    • Executes scripts

      • 1.exe (PID: 2832)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2496)
      • WINWORD.EXE (PID: 1668)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2496)
      • WINWORD.EXE (PID: 1668)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2496)
      • WINWORD.EXE (PID: 1668)
      • OUTLOOK.EXE (PID: 2400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 24689
CharactersWithSpaces: 1773
Characters: 1511
Words: 265
Pages: 2
TotalEditTime: -
RevisionNumber: 2
LastPrinted: 2018:12:12 16:35:00
ModifyDate: 2018:12:14 09:22:00
CreateDate: 2018:12:14 09:22:00
LastModifiedBy: Windows User
Author: Mr.Duoc
Upr: {CH??NG TRÌNH }{*{CH{ƯƠNG TRÌNH }}}
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe 1.exe no specs #HAWKEYE 1.exe vbc.exe vbc.exe no specs winword.exe no specs outlook.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2496"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\c23790d5-cab8-4513-99d9-ff2c258b812e.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
2204"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2424C:\Users\admin\AppData\Local\Temp\1.exeC:\Users\admin\AppData\Local\Temp\1.exeEQNEDT32.EXE
User:
admin
Company:
Hapu3
Integrity Level:
MEDIUM
Description:
scrutoire
Exit code:
0
Version:
5.01.0005
2832:\Users\admin\AppData\Local\Temp\1.exeC:\Users\admin\AppData\Local\Temp\1.exe
1.exe
User:
admin
Company:
Hapu3
Integrity Level:
MEDIUM
Description:
scrutoire
Version:
5.01.0005
2952C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
368C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483
1668"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\printdavid.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
2400"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /pst "C:\Users\admin\Documents\Outlook Files\[email protected]"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.4760.1000
Total events
2 384
Read events
1 912
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
8
Unknown types
6

Dropped files

PID
Process
Filename
Type
2496WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR7B69.tmp.cvr
MD5:
SHA256:
2496WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A59FDEE3-7822-41DE-9327-D568FB51A6CA}.tmp
MD5:
SHA256:
2496WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{80B4468D-9D32-40C3-8E93-07AFDA9068EF}.tmp
MD5:
SHA256:
2496WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EF87A44B-5E0A-4693-8D51-255699DC0F49}.tmp
MD5:
SHA256:
2496WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{289CB7B6-F0FA-45FF-897A-BB708F118294}.tmp
MD5:
SHA256:
2952vbc.exeC:\Users\admin\AppData\Local\Temp\holdermail.txt
MD5:
SHA256:
368vbc.exeC:\Users\admin\AppData\Local\Temp\bhv3B73.tmp
MD5:
SHA256:
368vbc.exeC:\Users\admin\AppData\Local\Temp\holderwb.txt
MD5:
SHA256:
1668WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE82E.tmp.cvr
MD5:
SHA256:
1668WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{91802F8F-A7A2-42C3-917A-EA1A6B967B88}.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
4
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2204
EQNEDT32.EXE
GET
301
67.199.248.10:80
http://bit.ly/2D1Ob77
US
html
109 b
shared
2204
EQNEDT32.EXE
GET
200
65.60.35.58:80
http://aoiap.org/q.png
US
executable
913 Kb
malicious
2832
1.exe
GET
403
104.16.17.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2204
EQNEDT32.EXE
67.199.248.10:80
bit.ly
Bitly Inc
US
shared
2832
1.exe
104.16.17.96:80
whatismyipaddress.com
Cloudflare Inc
US
shared
2832
1.exe
65.60.35.58:587
aoiap.org
SingleHop, Inc.
US
suspicious
2204
EQNEDT32.EXE
65.60.35.58:80
aoiap.org
SingleHop, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
aoiap.org
  • 65.60.35.58
malicious
whatismyipaddress.com
  • 104.16.17.96
  • 104.16.19.96
  • 104.16.20.96
  • 104.16.18.96
  • 104.16.16.96
shared
mail.aoiap.org
  • 65.60.35.58
malicious

Threats

PID
Process
Class
Message
2204
EQNEDT32.EXE
A Network Trojan was detected
MALWARE [PTsecurity] PowerShell.Downloader httpHeader
2204
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2204
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2204
EQNEDT32.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
2204
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2832
1.exe
A Network Trojan was detected
MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck)
2832
1.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
30% Payment.doc