analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

606873793.doc

Full analysis: https://app.any.run/tasks/d349d73d-3ea5-4d05-b163-ef2b06b50475
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Analysis date: May 24, 2019, 06:37:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
ransomware
gandcrab
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

7FDDFB90A778B94E5AAC83A2831155A0

SHA1:

637CC055E6EC42008CD19EFA066AE525C9C88A13

SHA256:

57EABA7B10BD6EF3B65FE3C1380BB4404306F6E3C92E77869FD6238F704258DB

SSDEEP:

6144:1VqirB+WcY7yWkk1L3dG9JMUM7JuDgIqd9IqXRy3WiDb65EMjzRoTxaIzE:1VqiwWc8kk1L3dGAUsJUgL9pRy3Wia51

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • bbbb1.ccc (PID: 3516)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3296)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3296)
    • Writes file to Word startup folder

      • bbbb1.ccc (PID: 3516)
    • Actions looks like stealing of personal data

      • bbbb1.ccc (PID: 3516)
    • Renames files like Ransomware

      • bbbb1.ccc (PID: 3516)
    • Dropped file may contain instructions of ransomware

      • bbbb1.ccc (PID: 3516)
    • Deletes shadow copies

      • cmd.exe (PID: 3816)
    • GANDCRAB detected

      • bbbb1.ccc (PID: 3516)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 3296)
    • Starts application with an unusual extension

      • WINWORD.EXE (PID: 3296)
    • Reads the cookies of Mozilla Firefox

      • bbbb1.ccc (PID: 3516)
    • Creates files in the program directory

      • bbbb1.ccc (PID: 3516)
    • Starts CMD.EXE for commands execution

      • bbbb1.ccc (PID: 3516)
    • Executed as Windows Service

      • vssvc.exe (PID: 1492)
    • Creates files in the user directory

      • bbbb1.ccc (PID: 3516)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3296)
    • Dropped object may contain Bitcoin addresses

      • WINWORD.EXE (PID: 3296)
      • bbbb1.ccc (PID: 3516)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3296)
    • Application was crashed

      • bbbb1.ccc (PID: 3516)
    • Dropped object may contain TOR URL's

      • bbbb1.ccc (PID: 3516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe #GANDCRAB bbbb1.ccc cmd.exe vssadmin.exe no specs vssvc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3296"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\606873793.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3516C:\Windows\Temp\bbbb1.cccC:\Windows\Temp\bbbb1.ccc
WINWORD.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
255
3816"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quietC:\Windows\system32\cmd.exe
bbbb1.ccc
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2440vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1492C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
690
Read events
652
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
440
Text files
316
Unknown types
8

Dropped files

PID
Process
Filename
Type
3296WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRFA1C.tmp.cvr
MD5:
SHA256:
3296WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF20954B4CF5E3F79E.TMP
MD5:
SHA256:
3296WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFD2C568D4B1DB9B6D.TMP
MD5:
SHA256:
3296WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF29684CA6A2782719.TMP
MD5:
SHA256:
3296WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF185BDE44F0AFF312.TMP
MD5:
SHA256:
3296WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF82016DFBA4FC7FFC.TMP
MD5:
SHA256:
3296WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF28F3B16A0F14B6A5.TMP
MD5:
SHA256:
3296WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6ED29FAE.jpg
MD5:
SHA256:
3296WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFF064C82BE2C484E9.TMP
MD5:
SHA256:
3516bbbb1.cccC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3296
WINWORD.EXE
51.77.146.231:443
cachermanetecmatione.info
GB
suspicious

DNS requests

Domain
IP
Reputation
cachermanetecmatione.info
  • 51.77.146.231
suspicious

Threats

No threats detected
No debug info