File name:	Load P327-TT-HPM-926-17 Revised.rtf
Full analysis:	https://app.any.run/tasks/e6915f98-2cb7-40b1-96de-4e73782fbc7c
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	June 19, 2019, 04:22:17
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	loader exploit CVE-2017-11882 rat remcos trojan keylogger
Indicators:
MIME:	text/rtf
File info:	Rich Text Format data, unknown version
MD5:	317D27F4EEF493B815713523EAA3A1C7
SHA1:	B4A3FD50F42FF7A57593E29CF8707FEF5FF59EF2
SHA256:	F51A8493573D4782661A6A1F7BF540C6878A2A23974C4E81A9BBAE9836BDAC34
SSDEEP:	48:cjmbvYECNMScvWz0AM74UwEJ5/vhV8Z7rpjuUJRR985PKxGFyo3g4GDKQXDyW3hj:cCB1vCs4UD5HhmdsUZedKiDb2Yhry

PID	CMD	Path	Indicators	Parent process
1460	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Load P327-TT-HPM-926-17 Revised.rtf"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000
2664	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE		svchost.exe
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900
2320	"C:\Users\admin\AppData\Roaming\naonsultane.exe"	C:\Users\admin\AppData\Roaming\naonsultane.exe	—	EQNEDT32.EXE
User: admin Integrity Level: MEDIUM Description: Binjhawari8 Exit code: 0 Version: 1.07.0009
244	C:\Users\admin\AppData\Roaming\naonsultane.exe"	C:\Users\admin\AppData\Roaming\naonsultane.exe		naonsultane.exe
User: admin Integrity Level: MEDIUM Description: Binjhawari8 Exit code: 0 Version: 1.07.0009
2856	"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs"	C:\Windows\SysWOW64\WScript.exe	—	naonsultane.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
2580	"C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe"	C:\Windows\SysWOW64\cmd.exe	—	WScript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3036	C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe	C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe	—	cmd.exe
User: admin Integrity Level: MEDIUM Description: Binjhawari8 Exit code: 0 Version: 1.07.0009
1128	:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe	C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe		hpsupport.exe
User: admin Integrity Level: MEDIUM Description: Binjhawari8 Version: 1.07.0009

PID	Process	Filename		Type
1460	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR4EA9.tmp.cvr		—
		MD5:—	SHA256:—
1460	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E7A7A3C4-97B4-4776-B4D7-DD7E49EB823F}.tmp		—
		MD5:—	SHA256:—
1460	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1ADCED19-4848-43C6-B5C9-961F093538ED}.tmp		—
		MD5:—	SHA256:—
1460	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D8BE822-95B4-42F4-B4B5-CD63AB21AA00}.tmp		—
		MD5:—	SHA256:—
1460	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Load P327-TT-HPM-926-17 Revised.LNK		lnk
		MD5:877E2E8AF2F9CDAA3F75A5616DCF7066	SHA256:5A83FDC967BB3D0142085F05644B7A93AD664F3D00C2B2CD1467788069BD7E74
2664	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\a[1].exe		executable
		MD5:2E860E4197F93BE2A6F3C60646E7AE5A	SHA256:E3ECBB93F6690350F23865302F51F1C4CC9237E36C254905DAE42E1264813515
244	naonsultane.exe	C:\Users\admin\AppData\Local\Temp\install.vbs		binary
		MD5:434190D000F2EC393356970E7484398B	SHA256:F5996208C564CEE47D619A0F02E323D7C324B6B7ADC1518496D4DA65C052AC73
244	naonsultane.exe	C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe		executable
		MD5:2E860E4197F93BE2A6F3C60646E7AE5A	SHA256:E3ECBB93F6690350F23865302F51F1C4CC9237E36C254905DAE42E1264813515
1128	hpsupport.exe	C:\Users\admin\AppData\Roaming\hpsupport\logs.dat		text
		MD5:80249AC00E6DCCA4534FD46BD783D764	SHA256:E4D64A7B334A4CD65D0FDC5799051373EA7FF833F6BB97DE8070FCF10A4983F2
1460	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:1EB4D53A9341E9CB30AD6DB62CAB3FD4	SHA256:F0111E5297AE04CC49C65E47E08E1FF3860C22651686D073BACB049F96BDC4C6

PID	Process	IP	Domain	ASN	CN	Reputation
1128	hpsupport.exe	185.247.228.250:5001	cemileorucs.ddns.net	—	—	malicious
2664	EQNEDT32.EXE	136.243.69.18:443	www.arshadconsultancy.com	Hetzner Online GmbH	DE	unknown

Domain	IP	Reputation
www.arshadconsultancy.com	136.243.69.18	unknown
cemileorucs.ddns.net	185.247.228.250	malicious

PID	Process	Class	Message
1128	hpsupport.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Remcos RAT Checkin
1128	hpsupport.exe	A Network Trojan was detected	MALWARE [PTsecurity] Remcos RAT
1128	hpsupport.exe	A Network Trojan was detected	ET TROJAN Remcos RAT Checkin 23
1128	hpsupport.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Remcos RAT Checkin
1128	hpsupport.exe	A Network Trojan was detected	MALWARE [PTsecurity] Remcos RAT
1128	hpsupport.exe	A Network Trojan was detected	MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection
1128	hpsupport.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Remcos RAT Checkin
1128	hpsupport.exe	A Network Trojan was detected	MALWARE [PTsecurity] Remcos RAT
1128	hpsupport.exe	A Network Trojan was detected	ET TROJAN Remcos RAT Checkin 23
1128	hpsupport.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Remcos RAT Checkin

General Info

Load P327-TT-HPM-926-17 Revised.rtf

317D27F4EEF493B815713523EAA3A1C7

B4A3FD50F42FF7A57593E29CF8707FEF5FF59EF2

F51A8493573D4782661A6A1F7BF540C6878A2A23974C4E81A9BBAE9836BDAC34

48:cjmbvYECNMScvWz0AM74UwEJ5/vhV8Z7rpjuUJRR985PKxGFyo3g4GDKQXDyW3hj:cCB1vCs4UD5HhmdsUZedKiDb2Yhry

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Equation Editor starts application (CVE-2017-11882)

Downloads executable files from the Internet

Changes the autorun value in the registry

Connects to CnC server

REMCOS was detected

Detected logs from REMCOS RAT

SUSPICIOUS

Executed via COM

Creates files in the user directory

Executable content was dropped or overwritten

Application launched itself

Starts CMD.EXE for commands execution

Executes scripts

Writes files like Keylogger logs

INFO

Creates files in the user directory

Reads the machine GUID from the registry

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings