Loading... Additional Content is being loaded
Windows Analysis Report New Updated 20210810.doc
Overview
General Information
| Sample Name: | New Updated 20210810.doc |
| Analysis ID: | 462616 |
| MD5: | e7228f0fdb6675e599fce2e7697e237f |
| SHA1: | 4ee29bd4a9e6756326728a6d3a2bcdb504d01e6a |
| SHA256: | 03e73adb2a943786db217feedb75a14e7ce7ce39b8fb9f91a0fec989d1ce9188 |
| Tags: | doc |
| Infos: | |
|
Most interesting Screenshot:  |
|
Detection
HawkEye MailPassView
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sample uses process hollowing technique
Searches for Windows Mail specific files
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match
Classification
AV Detection: |
  |
|---|
| Antivirus / Scanner detection for submitted sample |
| Source: |
Avira: |
||
| Found malware configuration |
| Source: |
Malware Configuration Extractor: |
||
| Multi AV Scanner detection for domain / URL |
| Source: |
Virustotal: |
Perma Link | ||
| Multi AV Scanner detection for dropped file |
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Multi AV Scanner detection for submitted file |
| Source: |
ReversingLabs: |
||
| Machine Learning detection for dropped file |
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Antivirus or Machine Learning detection for unpacked file |
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
Exploits: |
|
|---|
| Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) |
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Office Equation Editor has been started |
| Source: |
Process created: |
||
Compliance: |
|
|---|
| Uses insecure TLS / SSL version for HTTPS connection |
| Source: |
HTTPS traffic detected: |
||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
Spreading: |
|
|---|
| May infect USB drives |
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Code function: |
6_2_00406EC3 | |
| Source: |
Code function: |
7_2_00408441 | |
| Source: |
Code function: |
7_2_00407E0E | |
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
Software Vulnerabilities: |
|
|---|
| Found inlined nop instructions (likely shell or obfuscated code) |
| Source: |
Code function: |
5_2_0036CC7D | |
| Source: |
Code function: |
5_2_0036185D | |
| Source: |
Code function: |
5_2_0036C8CE | |
| Source: |
Code function: |
5_2_0036C8CE | |
| Source: |
Code function: |
5_2_0036C171 | |
| Source: |
Code function: |
5_2_0036C171 | |
| Source: |
Code function: |
5_2_0036C9B8 | |
| Source: |
Code function: |
5_2_0036C9B8 | |
| Source: |
Code function: |
5_2_0036E199 | |
| Source: |
Code function: |
5_2_00362180 | |
| Source: |
Code function: |
5_2_0036A9DB | |
| Source: |
Code function: |
5_2_0036D67E | |
| Source: |
Code function: |
5_2_00360A55 | |
| Source: |
Code function: |
5_2_0036E32E | |
| Source: |
Code function: |
5_2_0036D768 | |
| Source: |
Code function: |
5_2_00361BA5 | |
| Source: |
Code function: |
5_2_00369FA5 | |
| Source: |
Code function: |
5_2_0036CFA1 | |
| Potential document exploit detected (performs DNS queries) |
| Source: |
DNS query: |
||
| Potential document exploit detected (performs HTTP gets) |
| Source: |
TCP traffic: |
||
| Potential document exploit detected (unknown TCP traffic) |
| Source: |
TCP traffic: |
||
Networking: |
|
|---|
| Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
| Source: |
Snort IDS: |
||
| Detected TCP or UDP traffic on non-standard ports |
| Source: |
TCP traffic: |
||
| Downloads executable code via HTTP |
| Source: |
HTTP traffic detected: | ||