Malware analysis DHL7567XXX13th1118.doc Malicious activity | ANY.RUN - Malware Sandbox Online

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Sign up, it’s free

Add for printing

File name:	DHL7567XXX13th1118.doc
Full analysis:	https://app.any.run/tasks/ab3d1cb2-1936-4f06-a4ec-ffcfb071f400
Verdict:	Malicious activity
Threats:	Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	November 15, 2018, 04:35:55
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	exploit CVE-2017-11882 rat netwire trojan
Indicators:
MIME:	application/octet-stream
File info:	data
MD5:	7582C15657E2729858092C48FB92918C
SHA1:	09732D9E34100CF7D670D1E5EF89CF1665AB9961
SHA256:	BC4270938E74424C9292ED363311672E3B3BA5DAA36A9C43D99A721DE8222E04
SSDEEP:	24576:2g33IMSc/z/HUi22JkQzRHH05ZaUvnjQv:9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 660 seconds
Heavy Evasion option:: on
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
7-Zip 18.01 (x64) (18.01)
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (61.0.3163.91)
Google Update Helper (1.3.33.5)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (14.12.25810.0)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
Microsoft Visual C++ 2017 x64 Additional Runtime - 14.12.25810 (14.12.25810)
Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.12.25810 (14.12.25810)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
Mozilla Firefox 56.0 (x64 en-US) (56.0)
Mozilla Maintenance Service (55.0.3)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
VLC media player (2.2.6)

Hotfixes

Add for printing

MALICIOUS
- Equation Editor starts application (CVE-2017-11882)
  - EQNEDT32.EXE (PID: 2628)
- Writes to a start menu file
  - EQNEDT32.EXE (PID: 2628)
  - hosts.exe (PID: 2984)
  - notepa.exe (PID: 2024)
- Application was dropped or rewritten from another process
  - hosts.exe (PID: 2696)
  - hosts.exe (PID: 2984)
  - hosts.exe (PID: 2812)
  - notepa.exe (PID: 932)
  - notepa.exe (PID: 2024)
  - notepa.exe (PID: 2948)
  - hosts.exe (PID: 1708)
- Changes the autorun value in the registry
  - notepa.exe (PID: 932)
- NETWIRE was detected
  - notepa.exe (PID: 932)
- Actions looks like stealing of personal data
  - notepa.exe (PID: 932)
- Connects to CnC server
  - notepa.exe (PID: 932)
SUSPICIOUS
- Creates files in the user directory
  - EQNEDT32.EXE (PID: 2628)
  - hosts.exe (PID: 2984)
  - hosts.exe (PID: 2696)
  - notepa.exe (PID: 2024)
- Executable content was dropped or overwritten
  - EQNEDT32.EXE (PID: 2628)
  - hosts.exe (PID: 2696)
- Application launched itself
  - hosts.exe (PID: 2984)
  - notepa.exe (PID: 2024)
  - hosts.exe (PID: 2812)
- Connects to unusual port
  - notepa.exe (PID: 932)
INFO
- Reads the machine GUID from the registry
  - WINWORD.EXE (PID: 3064)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3064)
- Creates files in the user directory
  - WINWORD.EXE (PID: 3064)
- Application was crashed
  - EQNEDT32.EXE (PID: 2628)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

All screenshots are available in the full report

Add for printing

Total processes

45

Monitored processes

9

Malicious processes

5

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3064	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\DHL7567XXX13th1118.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000
2628	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE		svchost.exe
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900
2984	C:\Users\admin\AppData\Local\Temp\..\..\..\Documents\hosts.exe	C:\Users\admin\Documents\hosts.exe		EQNEDT32.EXE
User: admin Integrity Level: MEDIUM Exit code: 0
2696	C:\Users\admin\AppData\Local\Temp\..\..\..\Documents\hosts.exe	C:\Users\admin\Documents\hosts.exe		hosts.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2812	"C:\Users\admin\Documents\hosts.exe" 2 2696 1183765	C:\Users\admin\Documents\hosts.exe	—	hosts.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2024	"C:\Users\admin\AppData\Roaming\Install\notepa.exe"	C:\Users\admin\AppData\Roaming\Install\notepa.exe		hosts.exe
User: admin Integrity Level: MEDIUM Exit code: 0
932	"C:\Users\admin\AppData\Roaming\Install\notepa.exe"	C:\Users\admin\AppData\Roaming\Install\notepa.exe		notepa.exe
User: admin Integrity Level: MEDIUM
2948	"C:\Users\admin\AppData\Roaming\Install\notepa.exe" 2 932 1198484	C:\Users\admin\AppData\Roaming\Install\notepa.exe	—	notepa.exe
User: admin Integrity Level: MEDIUM
1708	"C:\Users\admin\Documents\hosts.exe"	C:\Users\admin\Documents\hosts.exe	—	hosts.exe
User: admin Integrity Level: MEDIUM

Add for printing

Total events

1 098

Read events

702

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

2

Suspicious files

3

Text files

6

Unknown types

4

Dropped files

PID	Process	Filename		Type
3064	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR3834.tmp.cvr		—
		MD5:—	SHA256:—
3064	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\86CB9F62.wmf		—
		MD5:—	SHA256:—
3064	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\DHL7567XXX13th1118.LNK		lnk
		MD5:0C27E3D7C9B8500CED4FEAA607FB2DA1	SHA256:C5CBEAE699D8D2527E5C909475AB2817E29781C8082E9DF73BC96DEEAEF54747
2628	EQNEDT32.EXE	C:\Users\admin\Documents\hosts.exe		executable
		MD5:F62A6DFD331EEB2A18F8EDA33CAC75FD	SHA256:D8A5B0F24EABD938F2D53FEDD3FCC0CC9E53358B3755B6CCA48632D538C4BF53
3064	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C5AFDA5.wmf		binary
		MD5:BDE0EC8BE92CF5FB64BDC9B8F8076EDE	SHA256:3D13941209F88F8FA0A43468AB9F35E388AF9EF1CE794DE8AB30B8E6438FCC33
3064	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\hosts.exe		binary
		MD5:D828BF9806F35F27D7441112F8E8926B	SHA256:078A98851060A31ABE43725C887F07CF126E54A04D409D221C2E569DE026DB0B
2628	EQNEDT32.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hosts.lnk		lnk
		MD5:2B1437D7DE23B3D5904832E55D113139	SHA256:AF02211520A9855124F6296A3CBBFF4580375E5B6404C21811AEAB86DF367E51
3064	WINWORD.EXE	C:\Users\admin\Desktop\~$L7567XXX13th1118.doc		pgc
		MD5:DD389A6F749DACD91EF16DE60753C6B2	SHA256:FC3678F0CD97FCFFDE8C05F472A6EB272DFF893934D791A165580E1F2708194A
3064	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\zofkomznwl.qiz		binary
		MD5:F994CA8D293BE67A010DED7A91D7BE50	SHA256:DF3F484A68FE54C830E74ECD61909B9D954A7A675711CC47EFBDC6FD614B6E88
2696	hosts.exe	C:\Users\admin\AppData\Roaming\Install\notepa.exe		executable
		MD5:F62A6DFD331EEB2A18F8EDA33CAC75FD	SHA256:D8A5B0F24EABD938F2D53FEDD3FCC0CC9E53358B3755B6CCA48632D538C4BF53

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

0

TCP/UDP connections

1

DNS requests

2

Threats

0

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
932	notepa.exe	104.171.113.233:26116	trace.ddns.net	Centrilogic, Inc.	US	malicious

DNS requests

Domain	IP	Reputation
teredo.ipv6.microsoft.com	—	whitelisted
trace.ddns.net	104.171.113.233	malicious

Threats

PID	Process	Class	Message
932	notepa.exe	A Network Trojan was detected	SC SPYWARE Spyware Weecnaw Win32
932	notepa.exe	A Network Trojan was detected	MALWARE [PTsecurity] Netwire.RAT
932	notepa.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
932	notepa.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
932	notepa.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
932	notepa.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
932	notepa.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
932	notepa.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
932	notepa.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2
932	notepa.exe	A Network Trojan was detected	ET TROJAN Possible Netwire RAT Client HeartBeat C2

5 ETPRO signatures available at the full report

Add for printing

No debug info