Cryptam // document analysis


Sample Details

original filename: 19c0fcf82a74c02237e228f476898a5c85cda5f1282bf45ff382dc6c5c8a1c8d_6bYDuh9tfbBfVYg7up.doc

size: 2052608 bytes
submitted: 2018-10-07 06:00:08
md5: 24d6190a328d219ec1d26b248acdf146
sha1: 560058ba071b70025d434b2bdbc38885e7c03ea9
sha256: 19c0fcf82a74c02237e228f476898a5c85cda5f1282bf45ff382dc6c5c8a1c8d
ssdeep: 49152:MlgYTQ3IgOfQAWMBYNRatUsiy+QD5Dl65F8/DqgVvH:dYkIiApBbn1Nw5F8bH
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 4.70 s
result: malware [100]
embedded executable: found

signature hits:

766537: exploit.office embedded Visual Basic execute shell command Wscript.Shell
71758: string.This program cannot be run in DOS mode
318828: string.GetCommandLineA
78066: string.GetProcAddress
316064: string.EnterCriticalSection
78284: string.CloseHandle
78392: string.KERNEL32
78150: string.ExitProcess
766493: string.vbs On Error Resume Next
dropped.file exe 53a3e884883046c47a8f42fda231ada3 / 20992 bytes / @ 71680
dropped.file exe 473355262e65f3befcd93a521788dfe8 / 255488 bytes / @ 92672
dropped.file exe 796f37b197137c300dce850f01f8edf4 / 1704448 bytes / @ 348160


Dropped Files

exe at 71680
md5: 53a3e884883046c47a8f42fda231ada3
sha1: e22662b6d54e942848b834828ec607700567e1d4
sha256: 6d24a8dfc2c0bfdd478b1c7c5b24388c22e713d2e8fda4aa397e350043fcbfb4

exe at 92672
md5: 473355262e65f3befcd93a521788dfe8
sha1: 6f974aefc11d944199039f803b7ea2fed54395bd
sha256: 1a51b6b1eabd6dad31199427084c21e443fd3d0475b022f53667b300fa816234

exe at 348160
md5: 796f37b197137c300dce850f01f8edf4
sha1: 9f6483a7df9b0af4bb601832b15e24d01fbe1fba
sha256: b07c186b1959f2a4f65637e61262031f789a6f7e4c25027d266cd2dd5298858e