File name: | rechnungen.doc |
Full analysis: | https://app.any.run/tasks/167c7b07-91f3-4e65-b72c-29baa1294213 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | January 10, 2019, 16:49:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Ghost, Template: Normal.dotm, Last Saved By: Ghost, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 8 17:22:00 2019, Last Saved Time/Date: Tue Jan 8 17:22:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0 |
MD5: | 444749249E358F3C67D0ABC468B8349C |
SHA1: | CA3C9CA7AB17B1F7E6D5796449DE7C90601B0A04 |
SHA256: | D9C89E4F9100D4053CFC35F7C7FB9576FB4229E8049CE34CBEC281F14A126621 |
SSDEEP: | 768:lY+1o93SK815S/FCOhpzJ9BRU/waOxjb3w+byp:lY+a93pO5KUOb/RUIaOpfW |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | - |
Paragraphs: | - |
Lines: | - |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | - |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:01:08 17:22:00 |
CreateDate: | 2019:01:08 17:22:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Ghost |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Ghost |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3008 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\rechnungen.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
2892 | C:\Users\Public\yeZjqHFMWjXi.exe | C:\Users\Public\yeZjqHFMWjXi.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Abbott Laboratories Integrity Level: MEDIUM Description: Succession Directoryshell Modules
| |||||||||||||||
2616 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | yeZjqHFMWjXi.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREA06.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB1A3790111E2CF63.TMP | — | |
MD5:— | SHA256:— | |||
3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF298F016DBE48DD26.TMP | — | |
MD5:— | SHA256:— | |||
3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF2293A6EC8EAC38F8.TMP | — | |
MD5:— | SHA256:— | |||
2892 | yeZjqHFMWjXi.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | |
MD5:— | SHA256:— | |||
3008 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:7BAFC70A170EB811A819C2F144A4E4FD | SHA256:669486C35034EBF5DDC0F7C691028DC76BD5B02D47712EFC74E63495E5AE3526 | |||
3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{34548643-48F5-4E33-9EB0-FCD0B1D44F93}.tmp | binary | |
MD5:E856C3B18A15817D93B5D217B361D364 | SHA256:80DD0C09510038ED690FBF634488E925B7920150CC47FA41A683A2E951BF999B | |||
2892 | yeZjqHFMWjXi.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | — | |
MD5:— | SHA256:— | |||
2892 | yeZjqHFMWjXi.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings | — | |
MD5:— | SHA256:— | |||
3008 | WINWORD.EXE | C:\Users\Public\yeZjqHFMWjXi.exe | executable | |
MD5:ACB2A86049680D7E4B95BF501B9B11CC | SHA256:7ED9F02E68DF5D325B8612944D9E1C5DEE6DF7EA68425E6CD8508FA7FD218664 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2892 | yeZjqHFMWjXi.exe | GET | — | 217.26.53.161:80 | http://www.haargenau.biz/ | CH | — | — | malicious |
2892 | yeZjqHFMWjXi.exe | GET | — | 78.46.77.98:80 | http://www.2mmotorsport.biz/ | DE | — | — | suspicious |
2892 | yeZjqHFMWjXi.exe | GET | 301 | 80.244.187.247:80 | http://www.hotelfarinet.com/ | GB | — | — | suspicious |
2892 | yeZjqHFMWjXi.exe | GET | — | 217.26.53.37:80 | http://www.hrk-ramoz.com/ | CH | — | — | malicious |
2892 | yeZjqHFMWjXi.exe | GET | 302 | 192.185.159.253:80 | http://www.pizcam.com/ | US | — | — | malicious |
2892 | yeZjqHFMWjXi.exe | GET | 301 | 104.24.22.22:80 | http://www.belvedere-locarno.com/ | US | — | — | shared |
2892 | yeZjqHFMWjXi.exe | GET | 301 | 83.166.138.7:80 | http://www.whitepod.com/ | CH | — | — | whitelisted |
2892 | yeZjqHFMWjXi.exe | GET | — | 212.59.186.61:80 | http://www.hotelweisshorn.com/ | CH | — | — | malicious |
2892 | yeZjqHFMWjXi.exe | GET | 301 | 83.138.82.107:80 | http://www.swisswellness.com/ | DE | — | — | whitelisted |
3008 | WINWORD.EXE | GET | 200 | 94.73.146.109:80 | http://karbonkoko.com/rundll.exe | TR | executable | 526 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3008 | WINWORD.EXE | 94.73.146.109:80 | karbonkoko.com | Cizgi Telekomunikasyon Anonim Sirketi | TR | suspicious |
2892 | yeZjqHFMWjXi.exe | 217.26.53.161:80 | www.haargenau.biz | Hostpoint AG | CH | malicious |
2892 | yeZjqHFMWjXi.exe | 78.46.77.98:80 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
2892 | yeZjqHFMWjXi.exe | 78.46.77.98:443 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
2892 | yeZjqHFMWjXi.exe | 74.220.215.73:80 | www.bizziniinfissi.com | Unified Layer | US | malicious |
2892 | yeZjqHFMWjXi.exe | 136.243.13.215:80 | www.holzbock.biz | Hetzner Online GmbH | DE | suspicious |
2892 | yeZjqHFMWjXi.exe | 192.185.159.253:443 | www.pizcam.com | CyrusOne LLC | US | malicious |
2892 | yeZjqHFMWjXi.exe | 138.201.162.99:443 | www.fliptray.biz | Hetzner Online GmbH | DE | malicious |
2892 | yeZjqHFMWjXi.exe | 192.185.159.253:80 | www.pizcam.com | CyrusOne LLC | US | malicious |
2892 | yeZjqHFMWjXi.exe | 83.138.82.107:80 | www.swisswellness.com | hostNET Medien GmbH | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
karbonkoko.com |
| suspicious |
www.2mmotorsport.biz |
| unknown |
www.haargenau.biz |
| unknown |
www.bizziniinfissi.com |
| malicious |
www.holzbock.biz |
| unknown |
www.fliptray.biz |
| malicious |
www.pizcam.com |
| unknown |
www.swisswellness.com |
| whitelisted |
www.hotelweisshorn.com |
| unknown |
www.whitepod.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3008 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2892 | yeZjqHFMWjXi.exe | A Network Trojan was detected | ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity |
2892 | yeZjqHFMWjXi.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
2892 | yeZjqHFMWjXi.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab Ransomware HTTP |
2892 | yeZjqHFMWjXi.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
2892 | yeZjqHFMWjXi.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab Ransomware HTTP |
2892 | yeZjqHFMWjXi.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
2892 | yeZjqHFMWjXi.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab Ransomware HTTP |
2892 | yeZjqHFMWjXi.exe | A Network Trojan was detected | ET POLICY Data POST to an image file (gif) |
2892 | yeZjqHFMWjXi.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |