Field | Value |
---|---|
File name | 2205117369.xlsx |
Full analysis | https://app.any.run/tasks/d866d672-8f96-49c9-bfbf-e72b4288dab2 |
Verdict | Malicious activity |
Threats | WarZone RAT is a remote access trojan written in C++ and offered as malware-as-a-service. It packs a wide range of capabilities, from stealing victims' files and passwords to capturing desktop activity. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2 server. |
Analysis date | May 20, 2022, 20:49:59 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | application/encrypted |
File info | CDFV2 Encrypted |
MD5 | 071D4E7A0B843084C1C3951646DBA767 |
SHA1 | 8B0A8BD1B70B69F0F88ECD1818E707261559285E |
SHA256 | 5D74A870ADC170F3FA30C534FAD42B9AD4ACDA3B8E02BBD8F335658CCC03C4AB |
SSDEEP | 6144:XUqjVkdMJTexaM/XtlIdQ4/aB1Fa22PZr8mFTZUJhGgK:PVLJ0/tlu/aB1Mvx9yY |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2468 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
3672 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
2788 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | EQNEDT32.EXE | User: admin; Integrity Level: MEDIUM; Description: TFlow; Exit code: 0; Version: 2.3.0.0 |
2912 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | vbc.exe | User: admin; Integrity Level: MEDIUM; Description: TFlow; Version: 2.3.0.0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2468 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR4316.tmp.cvr | — | — | — |
3672 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\.winlogon[1].exe | executable | 5F19892C01E0A41AE882B29A17F3EC59 | B5E73C2B8B50B1C740BE595901470CD8EA7DC3354DB310187ABEF4974373CF52 |
3672 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | 5F19892C01E0A41AE882B29A17F3EC59 | B5E73C2B8B50B1C740BE595901470CD8EA7DC3354DB310187ABEF4974373CF52 |
2468 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B340EA65.emf | emf | 894A796F9211E1080192AC72B6D54A9D | 8232CC0DF629D8D89A7155A1793B35D611073D60F2BEEC4BABBF78179978B71A |
2468 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9106BEF4.emf | emf | 8E3A74F7AA420B02D34C69E625969C0A | 0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9 |
2912 | vbc.exe | C:\Users\admin\AppData\Roaming\taduntn.tmp | text | 736F7579F0521DAF5695CD8A3B3CDA6A | 10A24B1012BEF30456C31ABB66DF14CE66BAAA78C450A87E3E647A9E44E31E8E |
2912 | vbc.exe | C:\Users\admin\AppData\Roaming\JpCexvy.tmp | text | E7CE898AADD69F4E4280010B7808116E | C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02 |
2912 | vbc.exe | C:\Users\admin\AppData\Roaming\GulAwjn.tmp | sqlite | CC104C4E4E904C3AD7AD5C45FBFA7087 | 321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3672 | EQNEDT32.EXE | GET | 200 | 103.139.45.3:80 | http://103.139.45.3/fdcloudprotector/.winlogon.exe | unknown | executable | 744 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2912 | vbc.exe | 103.176.113.85:5200 | — | — | — | malicious |
3672 | EQNEDT32.EXE | 103.139.45.3:80 | — | — | — | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3672 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3672 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3672 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3672 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3672 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
2912 | vbc.exe | A Network Trojan was detected | AV TROJAN Ave Maria RAT CnC Response |