File name:	1fd18df9a18cd0f62b1cfc61f7fa61a6904b402bfe24bc2cafaee539f68f4ddf.doc
Full analysis:	https://app.any.run/tasks/68d9dad7-6ad4-4e82-8998-6d60398840ff
Verdict:	Malicious activity
Threats:	WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	September 02, 2019, 07:38:56
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-close trojan stealer rat avemaria
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Xyz, Template: Normal.dotm, Last Saved By: Xyz, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Aug 26 18:57:00 2019, Last Saved Time/Date: Mon Aug 26 18:58:00 2019, Number of Pages: 1, Number of Words: 38, Number of Characters: 223, Security: 0
MD5:	DA9876099D168B9A8028D0D2DB854D28
SHA1:	D8AB80E07E0A433A57A4145568DF05AA29F5811D
SHA256:	1FD18DF9A18CD0F62B1CFC61F7FA61A6904B402BFE24BC2CAFAEE539F68F4DDF
SSDEEP:	12288:fhOrf+uHxdWPqTF7Y+YTlunGaNj2CE1DhhtvLTFnTyY:5OrRHxdWPqTF7Y+YTlunGaNj29DhgY

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

CompObjUserType:	Microsoft Word 97-2003 Document
CompObjUserTypeLen:	32
HeadingPairs:	Title 1
TitleOfParts:	-
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	14
CharCountWithSpaces:	260
Paragraphs:	1
Lines:	1
Company:	-
CodePage:	Windows Latin 1 (Western European)
Security:	None
Characters:	223
Words:	38
Pages:	1
ModifyDate:	2019:08:26 17:58:00
CreateDate:	2019:08:26 17:57:00
TotalEditTime:	1.0 minutes
Software:	Microsoft Office Word
RevisionNumber:	2
LastModifiedBy:	Xyz
Template:	Normal.dotm
Comments:	-
Keywords:	-
Author:	Xyz
Subject:	-
Title:	-

PID	CMD	Path	Indicators	Parent process
3368	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\1fd18df9a18cd0f62b1cfc61f7fa61a6904b402bfe24bc2cafaee539f68f4ddf.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000
3780	C:\Users\admin\AppData\Roaming\pyfwygm.exe	C:\Users\admin\AppData\Roaming\pyfwygm.exe		WINWORD.EXE
User: admin Company: Sublime HQ Pty Ltd Integrity Level: MEDIUM Description: Sublime Text Exit code: 0 Version: 3188
2340	"C:\Users\admin\AppData\Local\Temp\tmpAF8E.exe"	C:\Users\admin\AppData\Local\Temp\tmpAF8E.exe		pyfwygm.exe
User: admin Company: Iobit Assemblies Integrity Level: MEDIUM Description: ComputerCleaner Exit code: 0 Version: 2.9.9.2
2400	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SEOQwqLS" /XML "C:\Users\admin\AppData\Local\Temp\tmp8C32.tmp"	C:\Windows\System32\schtasks.exe	—	tmpAF8E.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1456	"C:\Users\admin\AppData\Local\Temp\tmpAF8E.exe"	C:\Users\admin\AppData\Local\Temp\tmpAF8E.exe		tmpAF8E.exe
User: admin Company: Iobit Assemblies Integrity Level: MEDIUM Description: ComputerCleaner Exit code: 0 Version: 2.9.9.2
276	C:\Windows\Explorer.EXE	C:\Windows\explorer.exe		—
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2260	"C:\Windows\System32\cmd.exe"	C:\Windows\System32\cmd.exe		tmpAF8E.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2132	C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}	C:\Windows\system32\DllHost.exe		svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2932	"C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml	C:\Windows\system32\pkgmgr.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Package Manager Exit code: 3221226540 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3852	"C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml	C:\Windows\system32\pkgmgr.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Package Manager Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID	Process	Filename		Type
3368	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR988B.tmp.cvr		—
		MD5:—	SHA256:—
3368	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DF91B8216DB9E89A3D.TMP		—
		MD5:—	SHA256:—
3368	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FEAFD573-A489-4DC6-8AAD-62001ED858F0}.tmp		—
		MD5:—	SHA256:—
3368	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{06AA1C27-F1B7-4649-9231-140DFF7868CF}.tmp		—
		MD5:—	SHA256:—
2340	tmpAF8E.exe	C:\Users\admin\AppData\Local\Temp\tmp8C32.tmp		—
		MD5:—	SHA256:—
3368	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$d18df9a18cd0f62b1cfc61f7fa61a6904b402bfe24bc2cafaee539f68f4ddf.doc		pgc
		MD5:EE3D9D0A77EF1CBB9DCC504A9C4ED973	SHA256:72AFA137A37CDF443DB9A0C8B260758DA2CDA867B4B10C27A9B03B39D2EDED4E
2340	tmpAF8E.exe	C:\Users\admin\AppData\Roaming\SEOQwqLS.exe		executable
		MD5:3A90134EB6D72701FBB391CDEDD45DF1	SHA256:EE13C5B8A9335EA12D8498DEF4CCE5B1E459E44582C3E1DA67F48FAFF0A31C1C
3852	pkgmgr.exe	C:\Windows\Logs\CBS\CBS.log		text
		MD5:B7AD3F707B9A61BF140A3648C15B282C	SHA256:FFD422402E5F3D957A5E84F0F99C4D826666D95A65709E82AFC50D7686817886
3368	WINWORD.EXE	C:\Users\admin\AppData\Roaming\pyfwygm.exe		executable
		MD5:88E6D0EA02237998ED467814662492A7	SHA256:D13C600C215DB6A1AB74D73F497DAFCC6532BD0844BFF2E442C59F6ACD52A929
3780	pyfwygm.exe	C:\Users\admin\AppData\Local\Temp\tmpAF8E.exe		executable
		MD5:3A90134EB6D72701FBB391CDEDD45DF1	SHA256:EE13C5B8A9335EA12D8498DEF4CCE5B1E459E44582C3E1DA67F48FAFF0A31C1C

PID	Process	IP	Domain	ASN	CN	Reputation
3780	pyfwygm.exe	173.212.193.7:443	www.bpgc-golf.com	Contabo GmbH	DE	unknown
1456	tmpAF8E.exe	64.188.25.152:4965	—	QuadraNet, Inc	US	malicious

PID	Process	Class	Message
1456	tmpAF8E.exe	A Network Trojan was detected	AV TROJAN Ave Maria RAT CnC Response
1456	tmpAF8E.exe	A Network Trojan was detected	MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin

General Info

1fd18df9a18cd0f62b1cfc61f7fa61a6904b402bfe24bc2cafaee539f68f4ddf.doc

DA9876099D168B9A8028D0D2DB854D28

D8AB80E07E0A433A57A4145568DF05AA29F5811D

1FD18DF9A18CD0F62B1CFC61F7FA61A6904B402BFE24BC2CAFAEE539F68F4DDF

12288:fhOrf+uHxdWPqTF7Y+YTlunGaNj2CE1DhhtvLTFnTyY:5OrRHxdWPqTF7Y+YTlunGaNj29DhgY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Unusual execution from Microsoft Office

Executable content was dropped or overwritten

Uses Task Scheduler to run other applications

Loads the Task Scheduler COM API

Application was injected by another process

Runs app for hidden code execution

AVEMARIA was detected

Runs injected code in another process

Changes the autorun value in the registry

Connects to CnC server

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

Application launched itself

Creates files in the user directory

Starts CMD.EXE for commands execution

Reads the machine GUID from the registry

Executed via COM

INFO

Starts Microsoft Office Application

Reads Microsoft Office registry keys

Creates files in the user directory

Application was crashed

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings