File name:

CARGO MANIFEST.doc

Full analysis: https://app.any.run/tasks/125512a6-b3db-4c98-8515-1074e61068c4
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 11:40:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
ole-embedded
loader
keylogger
rat
remcos
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

97CDAF2B3495DC6FA29C83D2DBF14795

SHA1:

B14ADA1401E4B405559250670FA5E188FF0E4F06

SHA256:

CA8EBCCB3B453C8DCEF9BB762E63F2B7E3840BFFA7056B55941FE5B23F846D1C

SSDEEP:

6144:C3pWug+QK5wx/ug+QK5wx/ug+QK5wx/b57:Se+wxme+wxme+wxz57

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 1448)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 1448)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 1448)

    • Downloads executable files from IP

      • WINWORD.EXE (PID: 1448)

    • Application was dropped or rewritten from another process

      • edutest.exe (PID: 2496)
      • edutest.exe (PID: 1576)
      • edutest.exe (PID: 1876)
      • edutest.exe (PID: 1960)
      • edutest.exe (PID: 2548)
      • edutest.exe (PID: 2432)
      • edutest.exe (PID: 2304)
      • edutest.exe (PID: 1612)
      • edutest.exe (PID: 364)
      • edutest.exe (PID: 3036)
      • edutest.exe (PID: 2544)
      • edutest.exe (PID: 2896)
      • edutest.exe (PID: 912)
      • edutest.exe (PID: 3016)
      • edutest.exe (PID: 2848)
      • edutest.exe (PID: 1376)
      • edutest.exe (PID: 1492)
      • edutest.exe (PID: 2204)
      • edutest.exe (PID: 2688)
      • edutest.exe (PID: 2172)
      • edutest.exe (PID: 1440)
      • edutest.exe (PID: 2336)
      • edutest.exe (PID: 2124)
      • edutest.exe (PID: 2448)
      • edutest.exe (PID: 2804)
      • edutest.exe (PID: 3044)
      • edutest.exe (PID: 2420)
      • edutest.exe (PID: 1072)
      • edutest.exe (PID: 2576)
      • edutest.exe (PID: 304)
      • edutest.exe (PID: 2340)
      • edutest.exe (PID: 2820)
      • edutest.exe (PID: 2004)
      • edutest.exe (PID: 2844)
      • edutest.exe (PID: 2944)
      • edutest.exe (PID: 1624)
      • edutest.exe (PID: 1920)
      • edutest.exe (PID: 2380)
      • edutest.exe (PID: 1684)
      • edutest.exe (PID: 1264)
      • edutest.exe (PID: 2632)
      • edutest.exe (PID: 3052)
      • edutest.exe (PID: 2416)
      • edutest.exe (PID: 1812)
      • edutest.exe (PID: 2280)
      • edutest.exe (PID: 2224)
      • edutest.exe (PID: 2760)
      • edutest.exe (PID: 2636)
      • edutest.exe (PID: 712)
      • edutest.exe (PID: 1348)
      • edutest.exe (PID: 2508)
      • edutest.exe (PID: 2648)
      • edutest.exe (PID: 2524)
      • edutest.exe (PID: 2816)
      • edutest.exe (PID: 2260)
      • edutest.exe (PID: 2796)
      • edutest.exe (PID: 676)
      • edutest.exe (PID: 2068)
      • edutest.exe (PID: 2680)
      • edutest.exe (PID: 1416)
      • edutest.exe (PID: 2484)
      • edutest.exe (PID: 2476)
      • edutest.exe (PID: 2492)
      • edutest.exe (PID: 1148)
      • edutest.exe (PID: 2836)
      • edutest.exe (PID: 128)
      • edutest.exe (PID: 2824)
      • edutest.exe (PID: 2868)
      • edutest.exe (PID: 2468)
      • edutest.exe (PID: 780)
      • edutest.exe (PID: 2092)
      • edutest.exe (PID: 2460)
      • edutest.exe (PID: 2552)
      • edutest.exe (PID: 2272)
      • edutest.exe (PID: 2728)
      • edutest.exe (PID: 2612)
      • edutest.exe (PID: 2436)
      • edutest.exe (PID: 1680)
      • edutest.exe (PID: 2452)
      • edutest.exe (PID: 2312)
      • edutest.exe (PID: 1396)
      • edutest.exe (PID: 2208)
      • edutest.exe (PID: 1324)
      • edutest.exe (PID: 1636)
      • edutest.exe (PID: 1040)
      • edutest.exe (PID: 1044)
      • edutest.exe (PID: 1992)
      • edutest.exe (PID: 3024)

    • Changes the autorun value in the registry

      • edutest.exe (PID: 2496)

    • REMCOS RAT was detected

      • edutest.exe (PID: 1636)

    • Detected logs from REMCOS RAT

      • edutest.exe (PID: 1636)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 1448)

    • Application launched itself

      • edutest.exe (PID: 2496)

    • Executable content was dropped or overwritten

      • edutest.exe (PID: 2496)

    • Creates files in the user directory

      • edutest.exe (PID: 2496)
      • edutest.exe (PID: 1636)

    • Writes files like Keylogger logs

      • edutest.exe (PID: 1636)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1448)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 1448)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
89
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe edutest.exe edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs edutest.exe no specs #REMCOS edutest.exe

Process information

PID
CMD
Path
Indicators
Parent process
128"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\edutest.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
304"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\edutest.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
364"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\edutest.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
676"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\edutest.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
712"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\edutest.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
780"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\edutest.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
912"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\edutest.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
1040"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\edutest.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
1044"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\edutest.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
1072"C:\Users\admin\AppData\Roaming\edutest.exe"C:\Users\admin\AppData\Roaming\edutest.exeedutest.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\edutest.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
Total events
1 307
Read events
1 217
Write events
73
Delete events
17

Modification events

(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:dd}
Value:
64647D00A8050000010000000000000000000000
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(1448) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1320091690
(PID) Process:(1448) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1320091782
(PID) Process:(1448) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1320091783
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
A80500009CB86811130BD50100000000
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:'i}
Value:
27697D00A805000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:'i}
Value:
27697D00A805000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(1448) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
3
Suspicious files
1
Text files
7
Unknown types
3

Dropped files

PID
Process
Filename
Type
1448WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRDCE4.tmp.cvr
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\68289466.png
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\Desktop\~WRD0000.tmp
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EC3CF8F0-0196-42A9-84C8-E53E7C3CEBE3}.tmp
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AA2A4C70-D225-4E29-BCFF-D832063A298A}.tmp
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BE92DB04-DF54-4B33-BE70-E86199C04619}.tmp
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{36090C34-38CC-4C96-8F3F-E92E6D256A38}.tmp
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.sctbinary
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\test1chima[1].exeexecutable
MD5:
SHA256:
1448WINWORD.EXEC:\Users\admin\Desktop\CARGO MANIFEST.doc.rtftext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
58
DNS requests
2
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1448
WINWORD.EXE
GET
200
46.183.218.205:80
http://46.183.218.205/test1chima.exe
LV
executable
431 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1448
WINWORD.EXE
46.183.218.205:80
DataClub S.A.
LV
suspicious
1636
edutest.exe
185.101.94.172:3981
oscarule.xyz
Mike Kaldig
DE
malicious

DNS requests

Domain
IP
Reputation
oscarule.xyz
  • 185.101.94.172
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
1448
WINWORD.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
1448
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
1448
WINWORD.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1448
WINWORD.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CARGO MANIFEST.doc