Windows Analysis Report: New Updated 20210810.doc

Overview

General Information

Sample Name: New Updated 20210810.doc
Analysis ID: 462616
MD5: e7228f0fdb6675e599fce2e7697e237f
SHA1: 4ee29bd4a9e6756326728a6d3a2bcdb504d01e6a
SHA256: 03e73adb2a943786db217feedb75a14e7ce7ce39b8fb9f91a0fec989d1ce9188
Tags: doc
Detection

Detected families: HawkEye, MailPassView
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sample uses process hollowing technique
Searches for Windows Mail specific files
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file / registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2824 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2232 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • name.exe (PID: 1708 cmdline: 'C:\Users\user\AppData\Roaming\name.exe' MD5: 83F58ECF0778E3B0ACCA8497DF23EF23)
      • InstallUtil.exe (PID: 752 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: BB85AA6D90A4157ED799257072B265FF)
        • vbc.exe (PID: 2004 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
        • vbc.exe (PID: 1756 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
  • cleanup
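
The process tree above is the part of this report a detection engineer can act on directly: EQNEDT32.EXE (which never legitimately spawns children) launches name.exe from %APPDATA%, name.exe starts a copy of InstallUtil.exe out of %TEMP%, and that hollowed host runs the .NET compiler vbc.exe twice with NirSoft's /stext switch to dump mail and browser credentials to holdermail.txt and holderwb.txt. The Python below is an added example, not Joe Sandbox or Sigma code, that turns those four observations into checks over a process-creation stream. The event records are constructed to mirror the tree; the field names are modelled loosely on Sysmon Event ID 1, the parents of WINWORD.EXE and EQNEDT32.EXE, their PIDs, and the trailing benign vbc.exe compile are assumptions added for contrast.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (field names assumed, loosely after Sysmon EID 1)."""
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


EQUATION_EDITOR = "eqnedt32.exe"
# Signed .NET Framework / Windows binaries that HawkEye-style stealers start
# suspended and hollow to host the NirSoft recovery tools.
HOLLOW_HOSTS = {"vbc.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
FRAMEWORK_DIR = "\\microsoft.net\\"
# Directories a dropper can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
# NirSoft "save report as text" switch, as a whole token.
NIRSOFT_STEXT = re.compile(r"(^|\s)/stext(\s|$)")


def basename(path: str) -> str:
    # ntpath handles backslash paths regardless of the host OS.
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule_name, pid) findings, in event order."""
    findings = []
    for e in events:
        img = basename(e.image)
        parent = basename(e.parent_image)
        image_lc = e.image.lower()
        cmd = e.command_line.lower()

        # Equation Editor has no reason to spawn children; any child points at
        # CVE-2017-11882 / CVE-2018-0802 style exploitation.
        if parent == EQUATION_EDITOR:
            findings.append(("eqnedt32_child_process", e.pid))

        # An Office component launching an .exe from a user-writable directory
        # is the dropped-payload step (name.exe under %APPDATA% in this report).
        if (parent in (EQUATION_EDITOR, "winword.exe") and img.endswith(".exe")
                and any(d in image_lc for d in USER_WRITABLE)):
            findings.append(("office_launches_dropped_exe", e.pid))

        # vbc.exe and friends do not take /stext; seeing it on their command
        # line means the process image was replaced with a NirSoft tool.
        if img in HOLLOW_HOSTS and NIRSOFT_STEXT.search(cmd):
            findings.append(("nirsoft_stext_in_hollowed_host", e.pid))

        # A Framework tool copied to and run from %TEMP% instead of its install
        # directory (InstallUtil.exe in this report).
        if img in HOLLOW_HOSTS and FRAMEWORK_DIR not in image_lc:
            findings.append(("dotnet_tool_outside_framework_dir", e.pid))
    return findings


WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
NAME_EXE = r"C:\Users\user\AppData\Roaming\name.exe"
INSTALLUTIL = r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

# Constructed from the report's process tree. Parent images/PIDs for WINWORD.EXE
# and EQNEDT32.EXE and the final benign vbc.exe compile are assumptions.
SAMPLE_EVENTS = [
    ProcessEvent(2824, 1340, WINWORD, r"C:\Windows\explorer.exe",
                 f"'{WINWORD}' /Automation -Embedding"),
    ProcessEvent(2232, 608, EQNEDT, r"C:\Windows\System32\svchost.exe",
                 f"'{EQNEDT}' -Embedding"),
    ProcessEvent(1708, 2232, NAME_EXE, EQNEDT, f"'{NAME_EXE}'"),
    ProcessEvent(752, 1708, INSTALLUTIL, NAME_EXE, INSTALLUTIL),
    ProcessEvent(2004, 752, VBC, INSTALLUTIL,
                 f"{VBC} /stext 'C:\\Users\\user\\AppData\\Local\\Temp\\holdermail.txt'"),
    ProcessEvent(1756, 752, VBC, INSTALLUTIL,
                 f"{VBC} /stext 'C:\\Users\\user\\AppData\\Local\\Temp\\holderwb.txt'"),
    ProcessEvent(3100, 2900, VBC, r"C:\Windows\System32\cmd.exe",
                 f"{VBC} /target:exe hello.vb"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid}")
```

Run against the constructed stream this flags name.exe twice (Equation Editor child, dropped executable), InstallUtil.exe once (Framework tool outside its directory) and each vbc.exe instance once (/stext), while the normal vbc.exe compile is left alone. The EQNEDT32.EXE rule is the robust one: Microsoft removed the Equation Editor binary in the January 2018 updates, so on a patched host its execution at all (the report's "Office Equation Editor has been started") is already a signal. The /stext check is weaker on its own, since a hollowed host can be given any command line; pair it with the MailPassView / WebBrowserPassView Yara hits listed in the memory-dump section.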

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000005.00000002.2378132295.0000000000760000.00000004.00000001.sdmp
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7c292:$key: HawkEyeKeylogger
  • 0xfe550:$key: HawkEyeKeylogger
  • 0x7e490:$salt: 099u787978786
  • 0x10074e:$salt: 099u787978786
  • 0x7c8ab:$string1: HawkEye_Keylogger
  • 0x7d6fe:$string1: HawkEye_Keylogger
  • 0x7e3f0:$string1: HawkEye_Keylogger
  • 0xfeb69:$string1: HawkEye_Keylogger
  • 0xff9bc:$string1: HawkEye_Keylogger
  • 0x1006ae:$string1: HawkEye_Keylogger
  • 0x7cc94:$string2: holdermail.txt
  • 0x7ccb4:$string2: holdermail.txt
  • 0xfef52:$string2: holdermail.txt
  • 0xfef72:$string2: holdermail.txt
  • 0x7cbd6:$string3: wallet.dat
  • 0x7cbee:$string3: wallet.dat
  • 0x7cc04:$string3: wallet.dat
  • 0xfee94:$string3: wallet.dat
  • 0xfeeac:$string3: wallet.dat
  • 0xfeec2:$string3: wallet.dat
  • 0x7dfd2:$string4: Keylog Records

Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

(5 of 32 memory-dump entries shown)

Unpacked PEs

Source: 5.2.InstallUtil.exe.760000.5.raw.unpack
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Source: 5.2.InstallUtil.exe.520000.4.raw.unpack
Rule: HKTL_NET_GUID_Stealer
Description: Detects c# red/black-team tools via typelibguid
Author: Arnim Rupp
Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df

Source: 5.2.InstallUtil.exe.45fa72.2.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 4.2.name.exe.3bf5fa2.10.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 4.2.name.exe.3d33caf.12.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security