analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

CARGO MANIFEST.doc

Full analysis: https://app.any.run/tasks/125512a6-b3db-4c98-8515-1074e61068c4
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 11:40:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
ole-embedded
loader
keylogger
rat
remcos
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

97CDAF2B3495DC6FA29C83D2DBF14795

SHA1:

B14ADA1401E4B405559250670FA5E188FF0E4F06

SHA256:

CA8EBCCB3B453C8DCEF9BB762E63F2B7E3840BFFA7056B55941FE5B23F846D1C

SSDEEP:

6144:C3pWug+QK5wx/ug+QK5wx/ug+QK5wx/b57:Se+wxme+wxme+wxz57

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 1448)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 1448)

    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 1448)

    • Application was dropped or rewritten from another process

      • edutest.exe (PID: 2496)
      • edutest.exe (PID: 2304)
      • edutest.exe (PID: 364)
      • edutest.exe (PID: 1612)
      • edutest.exe (PID: 2544)
      • edutest.exe (PID: 3016)
      • edutest.exe (PID: 3036)
      • edutest.exe (PID: 2896)
      • edutest.exe (PID: 2848)
      • edutest.exe (PID: 1576)
      • edutest.exe (PID: 912)
      • edutest.exe (PID: 1876)
      • edutest.exe (PID: 2204)
      • edutest.exe (PID: 1492)
      • edutest.exe (PID: 2432)
      • edutest.exe (PID: 2548)
      • edutest.exe (PID: 1960)
      • edutest.exe (PID: 2004)
      • edutest.exe (PID: 2820)
      • edutest.exe (PID: 2172)
      • edutest.exe (PID: 2688)
      • edutest.exe (PID: 2336)
      • edutest.exe (PID: 2804)
      • edutest.exe (PID: 3044)
      • edutest.exe (PID: 1376)
      • edutest.exe (PID: 2576)
      • edutest.exe (PID: 304)
      • edutest.exe (PID: 1072)
      • edutest.exe (PID: 2420)
      • edutest.exe (PID: 2340)
      • edutest.exe (PID: 1440)
      • edutest.exe (PID: 2124)
      • edutest.exe (PID: 2448)
      • edutest.exe (PID: 2760)
      • edutest.exe (PID: 2844)
      • edutest.exe (PID: 1624)
      • edutest.exe (PID: 2380)
      • edutest.exe (PID: 2636)
      • edutest.exe (PID: 712)
      • edutest.exe (PID: 1920)
      • edutest.exe (PID: 1348)
      • edutest.exe (PID: 1684)
      • edutest.exe (PID: 2632)
      • edutest.exe (PID: 2508)
      • edutest.exe (PID: 1264)
      • edutest.exe (PID: 2648)
      • edutest.exe (PID: 2224)
      • edutest.exe (PID: 128)
      • edutest.exe (PID: 2524)
      • edutest.exe (PID: 2816)
      • edutest.exe (PID: 2416)
      • edutest.exe (PID: 1812)
      • edutest.exe (PID: 3052)
      • edutest.exe (PID: 2260)
      • edutest.exe (PID: 2836)
      • edutest.exe (PID: 1148)
      • edutest.exe (PID: 2280)
      • edutest.exe (PID: 2944)
      • edutest.exe (PID: 676)
      • edutest.exe (PID: 2452)
      • edutest.exe (PID: 1680)
      • edutest.exe (PID: 2208)
      • edutest.exe (PID: 1416)
      • edutest.exe (PID: 2476)
      • edutest.exe (PID: 2796)
      • edutest.exe (PID: 2436)
      • edutest.exe (PID: 2484)
      • edutest.exe (PID: 2312)
      • edutest.exe (PID: 2068)
      • edutest.exe (PID: 2680)
      • edutest.exe (PID: 2492)
      • edutest.exe (PID: 1396)
      • edutest.exe (PID: 780)
      • edutest.exe (PID: 1324)
      • edutest.exe (PID: 2824)
      • edutest.exe (PID: 2460)
      • edutest.exe (PID: 2728)
      • edutest.exe (PID: 2272)
      • edutest.exe (PID: 2468)
      • edutest.exe (PID: 1040)
      • edutest.exe (PID: 2092)
      • edutest.exe (PID: 2552)
      • edutest.exe (PID: 3024)
      • edutest.exe (PID: 1992)
      • edutest.exe (PID: 2868)
      • edutest.exe (PID: 2612)
      • edutest.exe (PID: 1044)
      • edutest.exe (PID: 1636)

    • Downloads executable files from IP

      • WINWORD.EXE (PID: 1448)

    • Changes the autorun value in the registry

      • edutest.exe (PID: 2496)

    • Detected logs from REMCOS RAT

      • edutest.exe (PID: 1636)

    • REMCOS RAT was detected

      • edutest.exe (PID: 1636)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 1448)

    • Executable content was dropped or overwritten

      • edutest.exe (PID: 2496)

    • Creates files in the user directory

      • edutest.exe (PID: 2496)
      • edutest.exe (PID: 1636)

    • Application launched itself

      • edutest.exe (PID: 2496)

    • Writes files like Keylogger logs

      • edutest.exe (PID: 1636)

  • INFO

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 1448)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1448)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
89
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe edutest.exe edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs #REMCOS edutest.exe

Process information

PID
CMD
Path
Indicators
Parent process
1448"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\CARGO MANIFEST.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
2496"C:\Users\admin\AppData\Roaming\edutest.exe" C:\Users\admin\AppData\Roaming\edutest.exe
WINWORD.EXE
User:
admin
Integrity Level:
MEDIUM
2304"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1612"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
364"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3036"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2544"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2896"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
912"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3016"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
1 307
Read events
1 217
Write events
73
Delete events
17

Modification events

(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:dd}
Value:
64647D00A8050000010000000000000000000000
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(1448) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1320091690
(PID) Process:(1448) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1320091782
(PID) Process:(1448) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1320091783
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
A80500009CB86811130BD50100000000
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:'i}
Value:
27697D00A805000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:'i}
Value:
27697D00A805000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
3
Suspicious files
1
Text files
7
Unknown types
3

Dropped files

PID
Process
Filename
Type
1448WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRDCE4.tmp.cvr
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\68289466.png
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\Desktop\~WRD0000.tmp
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EC3CF8F0-0196-42A9-84C8-E53E7C3CEBE3}.tmp
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AA2A4C70-D225-4E29-BCFF-D832063A298A}.tmp
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BE92DB04-DF54-4B33-BE70-E86199C04619}.tmp
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{36090C34-38CC-4C96-8F3F-E92E6D256A38}.tmp
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\Desktop\~$RGO MANIFEST.doc.rtfpgc
MD5:E5A551CBFD97F61D8DE42E739360A4AD
SHA256:453912D00AD9084ADD88B97A3762E40D475BF077CA6A31857972060319B8CDD3
1448WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\CARGO MANIFEST.doc.LNKlnk
MD5:EA8A7FBED483CA4F63F11ECD6EF45FD4
SHA256:3C2AAE25BFB4E4BF71E6AA65BC2BE079883373C994C818E7356723A681073218
1448WINWORD.EXEC:\Users\admin\AppData\Roaming\edutest.exeexecutable
MD5:B3B8215152CE77D6E5A800732941871B
SHA256:37CC219CEF364820E99331FFE0B0E4F2C4D9A9A4A8D3363C935B9A82D66CF44F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
58
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1448
WINWORD.EXE
GET
200
46.183.218.205:80
http://46.183.218.205/test1chima.exe
LV
executable
431 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1448
WINWORD.EXE
46.183.218.205:80
DataClub S.A.
LV
suspicious
1636
edutest.exe
185.101.94.172:3981
oscarule.xyz
Mike Kaldig
DE
malicious

DNS requests

Domain
IP
Reputation
oscarule.xyz
  • 185.101.94.172
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
1448
WINWORD.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
1448
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
1448
WINWORD.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1448
WINWORD.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
CARGO MANIFEST.doc