File name: | bbbb1.ccc.zip |
Full analysis: | https://app.any.run/tasks/1cb0df26-368e-4bd0-9957-22b1b4c90255 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | May 15, 2019, 15:48:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 0894C9F15A300E8CECDF231001346F0D |
SHA1: | 6A6D2989B8BEB8F2BA519363393C8B6A844DC5C9 |
SHA256: | C71314770E13063DBEA2F036B21A2B01A0487B8B3861F43B9B6314C0383CCC58 |
SSDEEP: | 12288:4Gnv8SvKx8EIyOiTTBM1wvuMZKwnDR0HKwy:44v80KZTTO13nw10qwy |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | word2[1].tmp |
---|---|
ZipUncompressedSize: | 619520 |
ZipCompressedSize: | 430284 |
ZipCRC: | 0x17cc8b12 |
ZipModifyDate: | 2019:05:14 07:53:02 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
456 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\bbbb1.ccc.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2684 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb456.35527\word2[1].exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb456.35527\word2[1].exe | WinRAR.exe | |
User: admin Company: Hootsuite Integrity Level: MEDIUM Description: Tunnels Mix Attracted Slightly Pen | ||||
1076 | "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet | C:\Windows\system32\cmd.exe | word2[1].exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3256 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2480 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\__rzi_456.35377 | — | |
MD5:— | SHA256:— | |||
2684 | word2[1].exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
2684 | word2[1].exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.eslgiw | — | |
MD5:— | SHA256:— | |||
2684 | word2[1].exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | |
MD5:— | SHA256:— | |||
2684 | word2[1].exe | C:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
2684 | word2[1].exe | C:\System Volume Information\SPP\OnlineMetadataCache\{16d74681-6bc3-4c44-97f0-8b8dfefe2355}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
2684 | word2[1].exe | C:\System Volume Information\SPP\OnlineMetadataCache\{38e8535f-27d0-4352-aa3a-ce4178930102}_OnDiskSnapshotProp | — | |
MD5:— | SHA256:— | |||
2684 | word2[1].exe | C:\ESLGIW-MANUAL.txt | text | |
MD5:E6B620ECFCF43DEF813453221D4BD218 | SHA256:5DC7A7BE24CE06ADC46A1D8107041BD8172E26A29FEBF8332690E4B7851AECE2 | |||
2684 | word2[1].exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\ESLGIW-MANUAL.txt | text | |
MD5:E6B620ECFCF43DEF813453221D4BD218 | SHA256:5DC7A7BE24CE06ADC46A1D8107041BD8172E26A29FEBF8332690E4B7851AECE2 | |||
2684 | word2[1].exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\ESLGIW-MANUAL.txt | text | |
MD5:E6B620ECFCF43DEF813453221D4BD218 | SHA256:5DC7A7BE24CE06ADC46A1D8107041BD8172E26A29FEBF8332690E4B7851AECE2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2684 | word2[1].exe | GET | 301 | 107.173.49.208:80 | http://www.kakaocorp.link/ | US | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2684 | word2[1].exe | 107.173.49.208:443 | www.kakaocorp.link | ColoCrossing | US | malicious |
— | — | 107.173.49.208:80 | www.kakaocorp.link | ColoCrossing | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.kakaocorp.link |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2684 | word2[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2684 | word2[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |