Cryptam // document analysis


Sample Details

original filename: [as.oehiv.xyz][839]HP1.msi

size: 3025920 bytes
submitted: 2019-09-01 21:35:43
md5: db1a492a5e1ca3738d1e94ac3d2b035b
sha1: f1e718d63651fd2bca6fb3a3b5111a66648dfcc4
sha256: 3c7ae1c2d3189af76db212e3d9350e939909d86c231110260146098814a3e7dc
ssdeep: 49152:11dYBQ3IgOfDAKMBYNRatUP8h0tmDYC6zI3rHtds7Yiedgbz0bKAt9fT8brqDeG1:5Y2ItA9BYo0tmDazIb/s7YiedMz0P9rO
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 7.20 s
result: malware [100]
embedded executable: found

signature hits:

755628: exploit.office embedded Visual Basic execute shell command Wscript.Shell
62542: string.This program cannot be run in DOS mode
309612: string.GetCommandLineA
68850: string.GetProcAddress
306848: string.EnterCriticalSection
69068: string.CloseHandle
69176: string.KERNEL32
68934: string.ExitProcess
755584: string.vbs On Error Resume Next
dropped.file exe 29cb19c01866c047aa93163795415ac3 / 20992 bytes / @ 62464
dropped.file exe d6bf50e1b22580075d7916f242effeb7 / 255488 bytes / @ 83456
dropped.file exe b074a4a158cd1e0c60f8bbbd54f30778 / 2686976 bytes / @ 338944


Dropped Files

exe at 62464
md5: 29cb19c01866c047aa93163795415ac3
sha1: da151578473a5a99161362ede460333225546a39
sha256: af14745d9479920498c717203d1c7c601dae4728f4b41241ff307ee646d39ffe

exe at 83456
md5: d6bf50e1b22580075d7916f242effeb7
sha1: c4528e8872ca643339c57df8ac7ea17ac1190aa8
sha256: 371c8061a5c3d177c2fe25a5894f69f80ac653baa0056081f682b3689e1bae07

exe at 338944
md5: b074a4a158cd1e0c60f8bbbd54f30778
sha1: 14350158f7df2c46675038474f67d87d41c96253
sha256: 84dfb03e7ce1b169dd173e9f481b4b16f1ee67f8e1c46697328b6d3aee3d0276