analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DHL Tracking.doc

Full analysis: https://app.any.run/tasks/49646e0e-43d5-4f32-aabe-bd15924bc6fe
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Analysis date: November 15, 2018, 07:32:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
rat
netwire
trojan
Indicators:
MIME: application/octet-stream
File info: data
MD5:

7582C15657E2729858092C48FB92918C

SHA1:

09732D9E34100CF7D670D1E5EF89CF1665AB9961

SHA256:

BC4270938E74424C9292ED363311672E3B3BA5DAA36A9C43D99A721DE8222E04

SSDEEP:

24576:2g33IMSc/z/HUi22JkQzRHH05ZaUvnjQv:9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • hosts.exe (PID: 2660)
      • hosts.exe (PID: 3860)
      • hosts.exe (PID: 2584)
      • notepa.exe (PID: 3600)
      • hosts.exe (PID: 3788)
      • notepa.exe (PID: 3988)
      • hosts.exe (PID: 3348)
      • notepa.exe (PID: 500)
      • hosts.exe (PID: 3252)
      • hosts.exe (PID: 2556)
      • hosts.exe (PID: 120)
      • hosts.exe (PID: 2056)
      • hosts.exe (PID: 2220)
      • hosts.exe (PID: 2804)
      • hosts.exe (PID: 2812)
    • Writes to a start menu file

      • hosts.exe (PID: 3860)
      • EQNEDT32.EXE (PID: 2668)
      • notepa.exe (PID: 3600)
      • hosts.exe (PID: 3788)
      • hosts.exe (PID: 2556)
      • hosts.exe (PID: 2220)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2668)
    • Changes the autorun value in the registry

      • notepa.exe (PID: 3988)
    • NETWIRE was detected

      • notepa.exe (PID: 3988)
    • Connects to CnC server

      • notepa.exe (PID: 3988)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • hosts.exe (PID: 2584)
      • EQNEDT32.EXE (PID: 2668)
    • Creates files in the user directory

      • hosts.exe (PID: 2584)
      • EQNEDT32.EXE (PID: 2668)
      • hosts.exe (PID: 3860)
      • notepa.exe (PID: 3600)
      • hosts.exe (PID: 3788)
      • hosts.exe (PID: 2220)
      • hosts.exe (PID: 2556)
    • Application launched itself

      • hosts.exe (PID: 3860)
      • hosts.exe (PID: 2660)
      • notepa.exe (PID: 3600)
      • hosts.exe (PID: 3788)
      • hosts.exe (PID: 3348)
      • hosts.exe (PID: 2556)
      • hosts.exe (PID: 2220)
      • hosts.exe (PID: 2056)
    • Connects to unusual port

      • notepa.exe (PID: 3988)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3336)
    • Application was crashed

      • EQNEDT32.EXE (PID: 2668)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3336)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
18
Malicious processes
11
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs eqnedt32.exe hosts.exe hosts.exe hosts.exe no specs notepa.exe hosts.exe #NETWIRE notepa.exe notepa.exe no specs hosts.exe no specs hosts.exe no specs hosts.exe explorer.exe no specs hosts.exe no specs hosts.exe no specs hosts.exe hosts.exe no specs hosts.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3336"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DHL Tracking.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2668"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3860C:\Users\admin\AppData\Local\Temp\..\..\..\Documents\hosts.exeC:\Users\admin\Documents\hosts.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2584C:\Users\admin\AppData\Local\Temp\..\..\..\Documents\hosts.exeC:\Users\admin\Documents\hosts.exe
hosts.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2660"C:\Users\admin\Documents\hosts.exe" 2 2584 1509125C:\Users\admin\Documents\hosts.exehosts.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3600"C:\Users\admin\AppData\Roaming\Install\notepa.exe"C:\Users\admin\AppData\Roaming\Install\notepa.exe
hosts.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3788"C:\Users\admin\Documents\hosts.exe"C:\Users\admin\Documents\hosts.exe
hosts.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3988"C:\Users\admin\AppData\Roaming\Install\notepa.exe"C:\Users\admin\AppData\Roaming\Install\notepa.exe
notepa.exe
User:
admin
Integrity Level:
MEDIUM
500"C:\Users\admin\AppData\Roaming\Install\notepa.exe" 2 3988 1524390C:\Users\admin\AppData\Roaming\Install\notepa.exenotepa.exe
User:
admin
Integrity Level:
MEDIUM
3252"C:\Users\admin\Documents\hosts.exe"C:\Users\admin\Documents\hosts.exehosts.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
1 368
Read events
987
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3
Text files
6
Unknown types
3

Dropped files

PID
Process
Filename
Type
3336WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9C64.tmp.cvr
MD5:
SHA256:
3336WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C47352B4.wmf
MD5:
SHA256:
3336WINWORD.EXEC:\Users\admin\AppData\Local\Temp\zofkomznwl.qizbinary
MD5:F994CA8D293BE67A010DED7A91D7BE50
SHA256:DF3F484A68FE54C830E74ECD61909B9D954A7A675711CC47EFBDC6FD614B6E88
2668EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hosts.lnklnk
MD5:649766D5F911C93DF853CC4C350B4229
SHA256:16E8F4F41F3034721D5FAFF6688C45494FACC729B121AD92456966713CFA0C5D
3336WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7CC2BBF.wmfbinary
MD5:BDE0EC8BE92CF5FB64BDC9B8F8076EDE
SHA256:3D13941209F88F8FA0A43468AB9F35E388AF9EF1CE794DE8AB30B8E6438FCC33
3336WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:DE73CD16372B15BAEB295705CB5C0665
SHA256:F632D480D71035637003454848418369904B60666AF3749E2E13E876AD4467D0
2556hosts.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\orack.vbstext
MD5:8850322C3CB96BAB1154B5BDEB36F134
SHA256:D324B941B036A0BD85EDA13DD71FE8CFDD8CCCE8520E38C753EB9419D890FB93
2220hosts.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\orack.vbstext
MD5:8850322C3CB96BAB1154B5BDEB36F134
SHA256:D324B941B036A0BD85EDA13DD71FE8CFDD8CCCE8520E38C753EB9419D890FB93
3788hosts.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\orack.vbstext
MD5:8850322C3CB96BAB1154B5BDEB36F134
SHA256:D324B941B036A0BD85EDA13DD71FE8CFDD8CCCE8520E38C753EB9419D890FB93
3336WINWORD.EXEC:\Users\admin\AppData\Local\Temp\hosts.exebinary
MD5:D828BF9806F35F27D7441112F8E8926B
SHA256:078A98851060A31ABE43725C887F07CF126E54A04D409D221C2E569DE026DB0B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
7
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3988
notepa.exe
104.171.113.233:26116
trace.ddns.net
Centrilogic, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
trace.ddns.net
  • 104.171.113.233
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
3988
notepa.exe
A Network Trojan was detected
SC SPYWARE Spyware Weecnaw Win32
3988
notepa.exe
A Network Trojan was detected
MALWARE [PTsecurity] Netwire.RAT
3988
notepa.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
3988
notepa.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
3988
notepa.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
3988
notepa.exe
A Network Trojan was detected
SC SPYWARE Spyware Weecnaw Win32
3988
notepa.exe
A Network Trojan was detected
MALWARE [PTsecurity] Netwire.RAT
3988
notepa.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
3988
notepa.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
3988
notepa.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
2 ETPRO signatures available at the full report
No debug info