analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Afras USA PO 3546.doc

Full analysis: https://app.any.run/tasks/bee43bfd-2b1e-4921-9508-bd962dc926f8
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS.

Analysis date: January 23, 2019, 10:51:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
rat
netwire
trojan
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

112BB054B7BD80238EC5AE7E01D37CEB

SHA1:

538F41BA7210B1966DB66DC645ADF5DCF13C3A65

SHA256:

C9C61C6065A6F545557FBEF5DBFC7223022259C5F8419A74CBFAF742BFCE6FFD

SSDEEP:

12288:zPPZ5ha1mi0UNOtrH9uA8hE47nJF/xNXqKIopHE79LS+4a1PpF84Ji6mE1S+0luT:zPLha1mi0U6rH9T8B7PEUk79LS+4OPpf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2976)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2976)
    • Runs app for hidden code execution

      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 2612)
    • Application was dropped or rewritten from another process

      • saver.scr (PID: 3116)
      • Saver.SCR (PID: 2844)
      • Host.exe (PID: 3592)
      • Host.exe (PID: 3772)
    • NETWIRE was detected

      • Host.exe (PID: 3772)
    • Connects to CnC server

      • Host.exe (PID: 3772)
    • Actions looks like stealing of personal data

      • Host.exe (PID: 3772)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 2380)
      • cmd.exe (PID: 2612)
      • cmd.exe (PID: 2660)
    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 2660)
    • Executable content was dropped or overwritten

      • cscript.exe (PID: 2228)
      • Saver.SCR (PID: 2844)
    • Executes scripts

      • cmd.exe (PID: 2660)
    • Application launched itself

      • cmd.exe (PID: 2660)
      • saver.scr (PID: 3116)
      • Host.exe (PID: 3592)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2660)
      • cmd.exe (PID: 3168)
      • cmd.exe (PID: 1520)
      • cmd.exe (PID: 4072)
      • cmd.exe (PID: 480)
      • cmd.exe (PID: 3128)
      • cmd.exe (PID: 3104)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2660)
      • saver.scr (PID: 3116)
    • Creates files in the user directory

      • Saver.SCR (PID: 2844)
    • Connects to unusual port

      • Host.exe (PID: 3772)
    • Loads DLL from Mozilla Firefox

      • Host.exe (PID: 3772)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2976)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
72
Monitored processes
40
Malicious processes
7
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs cscript.exe taskkill.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs saver.scr no specs cscript.exe no specs saver.scr host.exe no specs #NETWIRE host.exe

Process information

PID
CMD
Path
Indicators
Parent process
2976"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Afras USA PO 3546.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
1
Version:
14.0.6024.1000
3948"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2380CmD C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2660C:\Windows\system32\cmd.exe /K itnqknf5.CMDC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3160TIMEOUT /T 1C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3640TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2140TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2612"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2704TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3204TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 492
Read events
1 459
Write events
30
Delete events
3

Modification events

(PID) Process:(2976) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:s00
Value:
73303000A00B0000010000000000000000000000
(PID) Process:(2976) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2976) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2976) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1312227349
(PID) Process:(2976) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1312227468
(PID) Process:(2976) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1312227469
(PID) Process:(2976) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
A00B0000964D2B9A09B3D40100000000
(PID) Process:(2976) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:,20
Value:
2C323000A00B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2976) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:,20
Value:
2C323000A00B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2976) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
2
Suspicious files
4
Text files
13
Unknown types
3

Dropped files

PID
Process
Filename
Type
2976WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6CE3.tmp.cvr
MD5:
SHA256:
2976WINWORD.EXEC:\Users\admin\AppData\Local\Temp\a.ScTxml
MD5:B079D52F89759AB61A9B7EFA9367CA17
SHA256:A9EEF1BEA82EBAF0F71E356D77EC980FA087F56F6C665C58011BCB6FA98E4501
2228cscript.exeC:\Users\admin\AppData\Local\Temp\gondi.docdocument
MD5:A708A92F9C95AED4BDFF6D976F889763
SHA256:059E7B288D7B7F169200C3E0EE6ACC77E6B6B6753E4CD58058EAFBEB1351340D
2976WINWORD.EXEC:\Users\admin\AppData\Local\Temp\itnqknf5.cmdtext
MD5:0C9003B594F4B692933844ABCF070BDD
SHA256:927BD846EC7AF587B5A06579545F83161AE570A4F046D6386E6AE73A00B9ADF7
2976WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{68B7E200-A713-42EE-A863-5DD753130F91}.tmpbinary
MD5:E664589D58EF9BB3BE96ACFC4CA4C9C6
SHA256:81BBC94F294895C9A9716390F3F7D7719D7529CD81EE9F26EB9084015D4477E2
2976WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$ras USA PO 3546.docpgc
MD5:9CE8B3F852EDAD4861299882939CE113
SHA256:E32458A6415A50E9209B76E605E3334A8D879D06A508B8941DC0565958EA06DE
2228cscript.exeC:\Users\admin\AppData\Local\Temp\saver.screxecutable
MD5:D211FDDED84B1A605532FE4539BEADB4
SHA256:3E5AD2242206BA3F7F84096588A9738A553295CF0A7A6E7BFABC1FC042509360
2976WINWORD.EXEC:\Users\admin\AppData\Local\Temp\itn.zipcompressed
MD5:84E0B509898B8D3FE47BFABF026A5309
SHA256:56DAF82B0C5A7AB5B601725AD02AB056543CB30984ACCACF6F0356A4BD0063D9
2976WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2C506785-42A5-4BB6-A2FE-A57F70188061}.tmpbinary
MD5:E9FA09CECA1AF2ECA7C192E1F9E3481A
SHA256:2EC5F21D58DC0EEF40544B1ED01EB695AA1BF7109362037D226D0155C75661BC
2976WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:B97F61AEBD55F1B122E0B7AD7F1DC531
SHA256:97802CDD7EBA2E6FB1825B569C99703A2994790E20BBBBD1551D5064535F9670
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3772
Host.exe
194.5.98.181:17475
goinghomemoney.duckdns.org
FR
suspicious

DNS requests

Domain
IP
Reputation
goinghomemoney.duckdns.org
  • 194.5.98.181
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3772
Host.exe
A Network Trojan was detected
SC SPYWARE Spyware Weecnaw Win32
3772
Host.exe
A Network Trojan was detected
MALWARE [PTsecurity] Netwire.RAT
3772
Host.exe
A Network Trojan was detected
SC SPYWARE Spyware Weecnaw Win32
3772
Host.exe
A Network Trojan was detected
SC SPYWARE Spyware Weecnaw Win32
3772
Host.exe
A Network Trojan was detected
SC SPYWARE Spyware Weecnaw Win32
3772
Host.exe
A Network Trojan was detected
SC SPYWARE Spyware Weecnaw Win32
3772
Host.exe
A Network Trojan was detected
MALWARE [PTsecurity] Netwire.RAT
3772
Host.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
3772
Host.exe
A Network Trojan was detected
ET TROJAN Possible Netwire RAT Client HeartBeat C2
1 ETPRO signatures available at the full report
No debug info