File name: | c2ba86f7b92e6de14417636e689c186d3f535f4312de75f006ad6280771caf2c.doc |
Full analysis: | https://app.any.run/tasks/601d803e-90b6-4382-aee2-80760f6fcf48 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | April 24, 2019, 02:36:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 2A3C48BC3FCF22D40F5F04A837346A2F |
SHA1: | D405CAE30A4CADC06B2C3CD2AF1E7886B0A52036 |
SHA256: | C2BA86F7B92E6DE14417636E689C186D3F535F4312DE75F006AD6280771CAF2C |
SSDEEP: | 3072:jvf2ygRc4ftqpoJ2O/fmjOc5ZkDVrYdeshjW:j+y74M6J2KfNOkD1Yde8jW |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Creator: | Admin |
---|
ModifyDate: | 2019:04:17 15:04:00Z |
---|---|
CreateDate: | 2019:04:09 10:02:00Z |
RevisionNumber: | 267 |
LastModifiedBy: | Admin |
AppVersion: | 12 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 4881 |
LinksUpToDate: | No |
Company: | - |
ScaleCrop: | No |
Paragraphs: | 9 |
Lines: | 34 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 4161 |
Words: | 729 |
Pages: | 1 |
TotalEditTime: | 1.3 hours |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1505 |
ZipCompressedSize: | 424 |
ZipCRC: | 0xb743dea4 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3796 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\c2ba86f7b92e6de14417636e689c186d3f535f4312de75f006ad6280771caf2c.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2956 | C:\Users\admin\AppData\Local\Temp\huuy6ty.tmp | C:\Users\admin\AppData\Local\Temp\huuy6ty.tmp | WINWORD.EXE | |
User: admin Integrity Level: MEDIUM | ||||
5288 | "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet | C:\Windows\system32\cmd.exe | huuy6ty.tmp | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
5680 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
5704 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2D95.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C76D2CA5.jpeg | — | |
MD5:— | SHA256:— | |||
3796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC720262.jpeg | — | |
MD5:— | SHA256:— | |||
2956 | huuy6ty.tmp | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
2956 | huuy6ty.tmp | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.mzsujacgby | — | |
MD5:— | SHA256:— | |||
3796 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:9AA328F831C50DD9BBEFE2D9BC2194AD | SHA256:965B6A8A909D7CFA9EB1790958BDCACB88B5258F8EB535D32891D882224E44E2 | |||
3796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{14B77740-6E82-45B9-82AE-9CE5AB8364DA}.tmp | binary | |
MD5:CC363CB92C60AF06BEC98FBD9F1E5CE6 | SHA256:C61DBC7E96DF063F6EA3E40162F60BB3FF6D591F343DC456281A4870A680EAEB | |||
2956 | huuy6ty.tmp | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | |
MD5:— | SHA256:— | |||
2956 | huuy6ty.tmp | C:\Users\MZSUJACGBY-MANUAL.txt | text | |
MD5:DC1AEFA4FC45EFC194B6BC4CFB86115F | SHA256:34B192A99F7F226A46EE233E41E5D666FE85037B751DC7ADDB954EFC3E9B770E | |||
2956 | huuy6ty.tmp | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\MZSUJACGBY-MANUAL.txt | text | |
MD5:DC1AEFA4FC45EFC194B6BC4CFB86115F | SHA256:34B192A99F7F226A46EE233E41E5D666FE85037B751DC7ADDB954EFC3E9B770E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3796 | WINWORD.EXE | GET | 200 | 87.98.158.248:80 | http://coelotekvingfeldh.pro/word44.tmp | FR | executable | 273 Kb | suspicious |
2956 | huuy6ty.tmp | GET | 301 | 107.173.49.208:80 | http://www.kakaocorp.link/ | US | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3796 | WINWORD.EXE | 87.98.158.248:80 | coelotekvingfeldh.pro | OVH SAS | FR | suspicious |
2956 | huuy6ty.tmp | 107.173.49.208:443 | www.kakaocorp.link | ColoCrossing | US | malicious |
2956 | huuy6ty.tmp | 107.173.49.208:80 | www.kakaocorp.link | ColoCrossing | US | malicious |
Domain | IP | Reputation |
---|---|---|
coelotekvingfeldh.pro |
| suspicious |
www.kakaocorp.link |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3796 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3796 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2956 | huuy6ty.tmp | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2956 | huuy6ty.tmp | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2956 | huuy6ty.tmp | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab v.5 SSL Connection |