File name: | infected.zip |
Full analysis: | https://app.any.run/tasks/6f0cf26c-7fe9-41a3-8dca-aca2dbab4c0b |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | May 24, 2019, 08:46:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | A155281886151663B451A2DFE470DACD |
SHA1: | C9F86A29B5599EB6730D30BBB061087E5038FE09 |
SHA256: | 2A1027BD978039615A122DD05D62FA60FAD6A6C9EA33361326225AC38A75DCE5 |
SSDEEP: | 3072:hDk4DjcplonZEs3GkxFmnJk0yxduAqlkvBCbjBLoKJE2rHtxFyU5oWhtVcv5I+:HjcplwLXqJNEdjYcCb02hCeFVcvu+ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | sansmdp.docm |
---|---|
ZipUncompressedSize: | 191779 |
ZipCompressedSize: | 190849 |
ZipCRC: | 0x5ac87645 |
ZipModifyDate: | 2019:05:24 10:40:05 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3376 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\infected.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3300 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\sansmdp.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3700 | C:\Users\admin\AppData\Local\Temp\tryu234234.jmp | C:\Users\admin\AppData\Local\Temp\tryu234234.jmp | WINWORD.EXE | |
User: admin Integrity Level: MEDIUM | ||||
6084 | "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet | C:\Windows\system32\cmd.exe | tryu234234.jmp | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
5632 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
5684 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
5536 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\KSUOVHJIC-MANUAL.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
6112 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\securegermany.jpg.ksuovhjic | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
5816 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
5804 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\KSUOVHJIC-MANUAL.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3376) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3376) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3376) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3376) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\infected.zip | |||
(PID) Process: | (3376) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3376) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3376) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3376) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3376) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop | |||
(PID) Process: | (3376) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
Operation: | write | Name: | ShowPassword |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3300 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3A04.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3300 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2A48F1C8.jpeg | — | |
MD5:— | SHA256:— | |||
3300 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\vchdnw9[1].tmp | executable | |
MD5:BD6E02A6B8FC9F98D648E0B6FBC7A1F8 | SHA256:5963668B830375339E9DFF26DB51B7F6580C8999610EEB2F8277B28DB807912C | |||
3376 | WinRAR.exe | C:\Users\admin\Desktop\sansmdp.docm | document | |
MD5:6B10BF3597443D95A7CB8134631197BA | SHA256:7C6BE26395FB73A7CCF786CE18ACF8CB28F56CEE3CD0FBFAE5CACB267ECEC3EB | |||
3300 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D3BA0C76-972D-481E-9FEF-D8B2263F58A1}.tmp | binary | |
MD5:043A2206475D5A769807C0CB0A6831B3 | SHA256:D99146B495E5C8BDDA9518AC9BE5613848BDEC3C8EB0CFC1E1EEE2947605F29D | |||
3300 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:62CF7FBEFA0C8F1DEDFD70118A9CDB04 | SHA256:84F04B594E783BB2CF0139E8DF8A6E7F7B7CD8885883E2175C716B0729208972 | |||
3700 | tryu234234.jmp | C:\KSUOVHJIC-MANUAL.txt | text | |
MD5:4615AC9FD70CA6ACAE80138A6EEB0A91 | SHA256:C83A7D2D49CFAF2B52011E94748EFAE1016CB755A6FB921E78E5A52146F13179 | |||
3300 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\sansmdp.docm.LNK | lnk | |
MD5:9D620CBF96B8A8B0A6F039AA3C937991 | SHA256:72B9666E6A314075FC1648CC47DC8B36A27199AF7AFDF5B283CF028718060A59 | |||
3700 | tryu234234.jmp | C:\Users\KSUOVHJIC-MANUAL.txt | text | |
MD5:4615AC9FD70CA6ACAE80138A6EEB0A91 | SHA256:C83A7D2D49CFAF2B52011E94748EFAE1016CB755A6FB921E78E5A52146F13179 | |||
3300 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:94FF9BF9DB5E2B68547C95DB225D93D8 | SHA256:AE56BCB5450D034DF3A4C3E368705DA4FECA35D3427B01ED90E7C0B9EF573964 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3700 | tryu234234.jmp | GET | 301 | 185.52.2.154:80 | http://www.kakaocorp.link/ | NL | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3700 | tryu234234.jmp | 185.52.2.154:80 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
3300 | WINWORD.EXE | 87.98.179.183:443 | coelabetoregranteke.info | OVH SAS | FR | suspicious |
3700 | tryu234234.jmp | 185.52.2.154:443 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
coelabetoregranteke.info |
| suspicious |
www.kakaocorp.link |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3700 | tryu234234.jmp | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
3700 | tryu234234.jmp | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |