File name: | Details.doc |
Full analysis: | https://app.any.run/tasks/eb71db68-38bf-4f8e-bc65-03df7979bb2b |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | November 08, 2018, 14:22:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators, with escape sequences |
MD5: | EBC8A2B7E36EA94EFFE04858A258FBDA |
SHA1: | 0340A6EA425DAAAFD26261A4012A5E08D693A20D |
SHA256: | DEC04C4CC409304CB97D2F23FD73C3B4123C5E72BA3ABD392B34749C229C07E7 |
SSDEEP: | 768:Yc6RRggggggg1cccRukcNRISzrmyCKyrWwof:Yc6RRggggggg1cccRdcAWnf |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1480 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Details.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2296 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3112 | C:\Users\admin\AppData\Local\Temp\1.com | C:\Users\admin\AppData\Local\Temp\1.com | — | EQNEDT32.EXE |
User: admin Company: lahmi Integrity Level: MEDIUM Description: STRESEMANN4 Exit code: 0 Version: 2.05.0003 | ||||
2532 | :\Users\admin\AppData\Local\Temp\1.com | C:\Users\admin\AppData\Local\Temp\1.com | 1.com | |
User: admin Company: lahmi Integrity Level: MEDIUM Description: STRESEMANN4 Version: 2.05.0003 | ||||
1692 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holdermail.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 1.com | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
3728 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\admin\AppData\Local\Temp\holderwb.txt" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | 1.com |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
(PID) Process: | (1480) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | hzg |
Value: 687A6700C8050000010000000000000000000000 | |||
(PID) Process: | (1480) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (1480) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (1480) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1298661391 | |||
(PID) Process: | (1480) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1298661504 | |||
(PID) Process: | (1480) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1298661505 | |||
(PID) Process: | (1480) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: C80500002A49C1876E77D40100000000 | |||
(PID) Process: | (1480) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | !{g |
Value: 217B6700C805000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (1480) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | !{g |
Value: 217B6700C805000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (1480) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9248.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1692 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holdermail.txt | — | |
MD5:— | SHA256:— | |||
3728 | vbc.exe | C:\Users\admin\AppData\Local\Temp\holderwb.txt | — | |
MD5:— | SHA256:— | |||
1480 | WINWORD.EXE | C:\Users\admin\~$etails.doc | pgc | |
MD5:E014D7C11498E78FA42765DDB960A548 | SHA256:E1967747B8CF1F206074F0CF160EE5D5F2AEA1FB93681667F62E4A53745E9404 | |||
2296 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:3D117C1C210ACE3D68AD14944103D161 | SHA256:45289424AE35327BCB5D38B121E2EDB118DF4F88805F0AC23E55B297526A82D3 | |||
1480 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D01CA1EBAE094E9B94B62FE2E8E6B18C | SHA256:64C23A325019296C94D75B4C8C29C932798431B8B257A13D0E63636B3DE68C04 | |||
1480 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Details.doc.LNK | lnk | |
MD5:46647892237EB1B36468809FC78B42FE | SHA256:83F2ED9F0F25C63E13003D0F688614227193859E7C3E2526AF25BE026BDD018B | |||
2296 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\6xufBd[1].png | executable | |
MD5:5A541B4B5238A538C4C8BB76D8F66063 | SHA256:8CD0752F81023A1B3DAA6BC81DBA44C0C03144CD68B4D4F3EE50BF73FFBA8B12 | |||
2296 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70 | binary | |
MD5:DA6C793FB0533AF0139A6D76C9956547 | SHA256:BCEC4BFFD8EE03E0FDF1C1577EF4635AC08DB1F94CF07B0C406A6B3A171E9E1D | |||
2296 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\1.com | executable | |
MD5:5A541B4B5238A538C4C8BB76D8F66063 | SHA256:8CD0752F81023A1B3DAA6BC81DBA44C0C03144CD68B4D4F3EE50BF73FFBA8B12 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2296 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2JKUXQo | US | html | 115 b | shared |
2532 | 1.com | GET | 403 | 104.16.17.96:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2296 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
2532 | 1.com | 104.16.17.96:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
2532 | 1.com | 207.174.213.181:587 | mail.perfettoqatar.com | PDR | US | malicious |
2296 | EQNEDT32.EXE | 163.172.215.76:443 | e.coka.la | Online S.a.s. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
e.coka.la |
| malicious |
whatismyipaddress.com |
| shared |
mail.perfettoqatar.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2532 | 1.com | A Network Trojan was detected | MALWARE [PTsecurity] Spyware.HawkEyeKeyLogger (IP Chck) |
2532 | 1.com | A Network Trojan was detected | ET TROJAN HawkEye Keylogger Report SMTP |