File name: | DHL7567XXX13th1118.doc |
Full analysis: | https://app.any.run/tasks/ab3d1cb2-1936-4f06-a4ec-ffcfb071f400 |
Verdict: | Malicious activity |
Threats: | Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. |
Analysis date: | November 15, 2018, 04:35:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | data |
MD5: | 7582C15657E2729858092C48FB92918C |
SHA1: | 09732D9E34100CF7D670D1E5EF89CF1665AB9961 |
SHA256: | BC4270938E74424C9292ED363311672E3B3BA5DAA36A9C43D99A721DE8222E04 |
SSDEEP: | 24576:2g33IMSc/z/HUi22JkQzRHH05ZaUvnjQv:9 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3064 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\DHL7567XXX13th1118.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000 | ||||
2628 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2984 | C:\Users\admin\AppData\Local\Temp\..\..\..\Documents\hosts.exe | C:\Users\admin\Documents\hosts.exe | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2696 | C:\Users\admin\AppData\Local\Temp\..\..\..\Documents\hosts.exe | C:\Users\admin\Documents\hosts.exe | hosts.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2812 | "C:\Users\admin\Documents\hosts.exe" 2 2696 1183765 | C:\Users\admin\Documents\hosts.exe | — | hosts.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2024 | "C:\Users\admin\AppData\Roaming\Install\notepa.exe" | C:\Users\admin\AppData\Roaming\Install\notepa.exe | hosts.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
932 | "C:\Users\admin\AppData\Roaming\Install\notepa.exe" | C:\Users\admin\AppData\Roaming\Install\notepa.exe | notepa.exe | |
User: admin Integrity Level: MEDIUM | ||||
2948 | "C:\Users\admin\AppData\Roaming\Install\notepa.exe" 2 932 1198484 | C:\Users\admin\AppData\Roaming\Install\notepa.exe | — | notepa.exe |
User: admin Integrity Level: MEDIUM | ||||
1708 | "C:\Users\admin\Documents\hosts.exe" | C:\Users\admin\Documents\hosts.exe | — | hosts.exe |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3834.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\86CB9F62.wmf | — | |
MD5:— | SHA256:— | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\DHL7567XXX13th1118.LNK | lnk | |
MD5:0C27E3D7C9B8500CED4FEAA607FB2DA1 | SHA256:C5CBEAE699D8D2527E5C909475AB2817E29781C8082E9DF73BC96DEEAEF54747 | |||
2628 | EQNEDT32.EXE | C:\Users\admin\Documents\hosts.exe | executable | |
MD5:F62A6DFD331EEB2A18F8EDA33CAC75FD | SHA256:D8A5B0F24EABD938F2D53FEDD3FCC0CC9E53358B3755B6CCA48632D538C4BF53 | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C5AFDA5.wmf | binary | |
MD5:BDE0EC8BE92CF5FB64BDC9B8F8076EDE | SHA256:3D13941209F88F8FA0A43468AB9F35E388AF9EF1CE794DE8AB30B8E6438FCC33 | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\hosts.exe | binary | |
MD5:D828BF9806F35F27D7441112F8E8926B | SHA256:078A98851060A31ABE43725C887F07CF126E54A04D409D221C2E569DE026DB0B | |||
2628 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hosts.lnk | lnk | |
MD5:2B1437D7DE23B3D5904832E55D113139 | SHA256:AF02211520A9855124F6296A3CBBFF4580375E5B6404C21811AEAB86DF367E51 | |||
3064 | WINWORD.EXE | C:\Users\admin\Desktop\~$L7567XXX13th1118.doc | pgc | |
MD5:DD389A6F749DACD91EF16DE60753C6B2 | SHA256:FC3678F0CD97FCFFDE8C05F472A6EB272DFF893934D791A165580E1F2708194A | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\zofkomznwl.qiz | binary | |
MD5:F994CA8D293BE67A010DED7A91D7BE50 | SHA256:DF3F484A68FE54C830E74ECD61909B9D954A7A675711CC47EFBDC6FD614B6E88 | |||
2696 | hosts.exe | C:\Users\admin\AppData\Roaming\Install\notepa.exe | executable | |
MD5:F62A6DFD331EEB2A18F8EDA33CAC75FD | SHA256:D8A5B0F24EABD938F2D53FEDD3FCC0CC9E53358B3755B6CCA48632D538C4BF53 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
932 | notepa.exe | 104.171.113.233:26116 | trace.ddns.net | Centrilogic, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
teredo.ipv6.microsoft.com |
| whitelisted |
trace.ddns.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
932 | notepa.exe | A Network Trojan was detected | SC SPYWARE Spyware Weecnaw Win32 |
932 | notepa.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT |
932 | notepa.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
932 | notepa.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
932 | notepa.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
932 | notepa.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
932 | notepa.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
932 | notepa.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
932 | notepa.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |
932 | notepa.exe | A Network Trojan was detected | ET TROJAN Possible Netwire RAT Client HeartBeat C2 |