File name: | 1fd18df9a18cd0f62b1cfc61f7fa61a6904b402bfe24bc2cafaee539f68f4ddf.doc |
Full analysis: | https://app.any.run/tasks/68d9dad7-6ad4-4e82-8998-6d60398840ff |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | September 02, 2019, 07:38:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Xyz, Template: Normal.dotm, Last Saved By: Xyz, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Aug 26 18:57:00 2019, Last Saved Time/Date: Mon Aug 26 18:58:00 2019, Number of Pages: 1, Number of Words: 38, Number of Characters: 223, Security: 0 |
MD5: | DA9876099D168B9A8028D0D2DB854D28 |
SHA1: | D8AB80E07E0A433A57A4145568DF05AA29F5811D |
SHA256: | 1FD18DF9A18CD0F62B1CFC61F7FA61A6904B402BFE24BC2CAFAEE539F68F4DDF |
SSDEEP: | 12288:fhOrf+uHxdWPqTF7Y+YTlunGaNj2CE1DhhtvLTFnTyY:5OrRHxdWPqTF7Y+YTlunGaNj29DhgY |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 14 |
CharCountWithSpaces: | 260 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 223 |
Words: | 38 |
Pages: | 1 |
ModifyDate: | 2019:08:26 17:58:00 |
CreateDate: | 2019:08:26 17:57:00 |
TotalEditTime: | 1.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 2 |
LastModifiedBy: | Xyz |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Xyz |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3368 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\1fd18df9a18cd0f62b1cfc61f7fa61a6904b402bfe24bc2cafaee539f68f4ddf.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3780 | C:\Users\admin\AppData\Roaming\pyfwygm.exe | C:\Users\admin\AppData\Roaming\pyfwygm.exe | WINWORD.EXE | |
User: admin Company: Sublime HQ Pty Ltd Integrity Level: MEDIUM Description: Sublime Text Exit code: 0 Version: 3188 | ||||
2340 | "C:\Users\admin\AppData\Local\Temp\tmpAF8E.exe" | C:\Users\admin\AppData\Local\Temp\tmpAF8E.exe | pyfwygm.exe | |
User: admin Company: Iobit Assemblies Integrity Level: MEDIUM Description: ComputerCleaner Exit code: 0 Version: 2.9.9.2 | ||||
2400 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SEOQwqLS" /XML "C:\Users\admin\AppData\Local\Temp\tmp8C32.tmp" | C:\Windows\System32\schtasks.exe | — | tmpAF8E.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1456 | "C:\Users\admin\AppData\Local\Temp\tmpAF8E.exe" | C:\Users\admin\AppData\Local\Temp\tmpAF8E.exe | tmpAF8E.exe | |
User: admin Company: Iobit Assemblies Integrity Level: MEDIUM Description: ComputerCleaner Exit code: 0 Version: 2.9.9.2 | ||||
276 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2260 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | tmpAF8E.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2132 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2932 | "C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml | C:\Windows\system32\pkgmgr.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Package Manager Exit code: 3221226540 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3852 | "C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml | C:\Windows\system32\pkgmgr.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Package Manager Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR988B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF91B8216DB9E89A3D.TMP | — | |
MD5:— | SHA256:— | |||
3368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FEAFD573-A489-4DC6-8AAD-62001ED858F0}.tmp | — | |
MD5:— | SHA256:— | |||
3368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{06AA1C27-F1B7-4649-9231-140DFF7868CF}.tmp | — | |
MD5:— | SHA256:— | |||
2340 | tmpAF8E.exe | C:\Users\admin\AppData\Local\Temp\tmp8C32.tmp | — | |
MD5:— | SHA256:— | |||
3368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$d18df9a18cd0f62b1cfc61f7fa61a6904b402bfe24bc2cafaee539f68f4ddf.doc | pgc | |
MD5:EE3D9D0A77EF1CBB9DCC504A9C4ED973 | SHA256:72AFA137A37CDF443DB9A0C8B260758DA2CDA867B4B10C27A9B03B39D2EDED4E | |||
2340 | tmpAF8E.exe | C:\Users\admin\AppData\Roaming\SEOQwqLS.exe | executable | |
MD5:3A90134EB6D72701FBB391CDEDD45DF1 | SHA256:EE13C5B8A9335EA12D8498DEF4CCE5B1E459E44582C3E1DA67F48FAFF0A31C1C | |||
3852 | pkgmgr.exe | C:\Windows\Logs\CBS\CBS.log | text | |
MD5:B7AD3F707B9A61BF140A3648C15B282C | SHA256:FFD422402E5F3D957A5E84F0F99C4D826666D95A65709E82AFC50D7686817886 | |||
3368 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\pyfwygm.exe | executable | |
MD5:88E6D0EA02237998ED467814662492A7 | SHA256:D13C600C215DB6A1AB74D73F497DAFCC6532BD0844BFF2E442C59F6ACD52A929 | |||
3780 | pyfwygm.exe | C:\Users\admin\AppData\Local\Temp\tmpAF8E.exe | executable | |
MD5:3A90134EB6D72701FBB391CDEDD45DF1 | SHA256:EE13C5B8A9335EA12D8498DEF4CCE5B1E459E44582C3E1DA67F48FAFF0A31C1C |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3780 | pyfwygm.exe | 173.212.193.7:443 | www.bpgc-golf.com | Contabo GmbH | DE | unknown |
1456 | tmpAF8E.exe | 64.188.25.152:4965 | — | QuadraNet, Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.bpgc-golf.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
1456 | tmpAF8E.exe | A Network Trojan was detected | AV TROJAN Ave Maria RAT CnC Response |
1456 | tmpAF8E.exe | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin |