Field | Value |
---|---|
File name: | Administrator Notification_ Redirecting email with malware.msg |
Full analysis: | https://app.any.run/tasks/45a999d6-5e2a-439d-b500-5566b42954c4 |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 12:44:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 49AB6A1D6AB1C20661F29699A749A0D8 |
SHA1: | D868674D8DD9C7C2E95E7627527AFCD0F2E7587F |
SHA256: | 043278F5BADD9991C7D2CEDE395750CCCF8EC5B9A60C2574AEAC117BF973DE12 |
SSDEEP: | 6144:cvcdZ6z4gX2r6S3mR0SO4KexDlt/YUl6NYctJiys9+vYhMAdto:eXGOUQdxYxJLs9+Qnt |
Extension | Type (confidence, %) |
---|---|
.msg | Outlook Message (58.9) |
.oft | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2848 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2412 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\PH3O0R2D\Transfer Copy-Payment Plans.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | | OUTLOOK.EXE |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
3720 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\PH3O0R2D\Transfer Copy-Payment Plans.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
3888 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2304 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3888.0.116194211\1535973508" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2716 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | | AcroRd32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3600 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2716 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
4048 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3888.1.818382449\706970314" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2772 | "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:15.0 /MODE:3 | C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Reader and Acrobat Manager Version: 1.824.27.2646 | ||||
2936 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe | — | AdobeARM.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat SpeedLauncher Exit code: 0 Version: 15.23.20053.211670 |
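The process table above records the whole infection path shown on this page: OUTLOOK.EXE (2848) opens the .msg, the attached Transfer Copy-Payment Plans.pdf is opened by AcroRd32.exe (2412), and Reader then spawns iexplore.exe (2716), whose tab process (3600, SCODEF:2716) fetches the www.trudsaratov.ru pages listed further down. A PDF viewer launching a browser is the detection opportunity here, independent of the phishing domain. The script below is an added example, not part of the ANY.RUN report: it rebuilds the parent/child tree from the rows above and flags any browser started by a document viewer, plus any full mail-client-to-browser lineage. Parent PIDs are constructed from the table's parent-image column; the one ambiguous row (iexplore.exe 2716, parent shown only as "AcroRd32.exe") is assumed to belong to the Reader broker 2412 rather than its low-integrity renderer 3720, and the image-name sets are illustrative rather than exhaustive.

```python
"""Flag document-viewer -> browser process chains in a sandbox process list.

PROCESSES is constructed from the report's process table as
(pid, image, parent_pid). Parent PIDs were resolved from the parent-image
column; the single ambiguous row (iexplore.exe 2716, parent "AcroRd32.exe")
is assumed to be the Reader broker 2412, not the renderer 3720.
"""

PROCESSES = [
    (2848, "OUTLOOK.EXE", None),     # parent explorer.exe, the sandbox launcher
    (2412, "AcroRd32.exe", 2848),    # Reader broker opening the attached PDF
    (3720, "AcroRd32.exe", 2412),    # Reader renderer (LOW integrity)
    (3888, "RdrCEF.exe", 2412),
    (2304, "RdrCEF.exe", 3888),
    (2716, "iexplore.exe", 2412),    # assumption: see module docstring
    (3600, "iexplore.exe", 2716),    # tab process, SCODEF:2716
    (4048, "RdrCEF.exe", 3888),
    (2772, "AdobeARM.exe", 2412),    # Reader update manager, benign noise
    (2936, "Reader_sl.exe", 2772),
]

# Illustrative image-name sets; extend for the software in your estate.
MAIL_CLIENTS = {"outlook.exe"}
DOCUMENT_VIEWERS = {"acrord32.exe", "acrobat.exe", "winword.exe",
                    "excel.exe", "powerpnt.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def build_tree(rows):
    """Return {pid: (image, parent_pid)}; a duplicate PID is a data error."""
    tree = {}
    for pid, image, ppid in rows:
        if pid in tree:
            raise ValueError(f"duplicate pid {pid}")
        tree[pid] = (image, ppid)
    return tree


def ancestry(tree, pid):
    """Image names from the root of the tree down to `pid`.

    Stops at a parent that is not in the table (explorer.exe here) and
    guards against cycles in malformed input.
    """
    chain, seen = [], set()
    while pid is not None and pid in tree and pid not in seen:
        seen.add(pid)
        image, pid = tree[pid]        # pid now refers to the parent
        chain.append(image)
    chain.reverse()
    return chain


def viewer_spawned_browser(tree):
    """Direct hits: (parent_image, child_image, child_pid) where a document
    viewer is the immediate parent of a browser process."""
    hits = []
    for pid, (image, ppid) in sorted(tree.items()):
        if image.lower() in BROWSERS and ppid in tree:
            parent_image = tree[ppid][0]
            if parent_image.lower() in DOCUMENT_VIEWERS:
                hits.append((parent_image, image, pid))
    return hits


def mail_to_browser_chains(tree):
    """Full lineages mail client -> ... -> browser as ' > '-joined strings.

    Browser child processes (the iexplore.exe tab, 3600) share their parent's
    lineage and are skipped so each chain is reported once.
    """
    chains = []
    for pid, (image, ppid) in sorted(tree.items()):
        if image.lower() not in BROWSERS:
            continue
        if ppid in tree and tree[ppid][0].lower() in BROWSERS:
            continue
        lineage = ancestry(tree, pid)
        if lineage and lineage[0].lower() in MAIL_CLIENTS:
            chains.append(" > ".join(lineage))
    return chains


if __name__ == "__main__":
    tree = build_tree(PROCESSES)
    for parent, child, pid in viewer_spawned_browser(tree):
        print(f"{parent} spawned {child} (pid {pid})")
    for chain in mail_to_browser_chains(tree):
        print(chain)
```

On the rows above this yields one direct hit, AcroRd32.exe spawning iexplore.exe 2716, and one lineage, OUTLOOK.EXE > AcroRd32.exe > iexplore.exe. The same parent/child relation is what a Sysmon Event ID 1 or EDR process-creation rule would key on in production; the Adobe ARM and RdrCEF children are normal Reader behaviour and do not trip either check.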
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2848 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRDD62.tmp.cvr | — | — | — |
2848 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DFAE11926F0F608B1F.TMP | — | — | — |
2848 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\PH3O0R2D\Transfer Copy-Payment Plans (2).pdf:Zone.Identifier:$DATA | — | — | — |
3720 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | — | — |
2848 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | B52BA43375828C7C90C4FA818347BF82 | 3C3DCBD89DD17A2289BC754586CADA21E958C11CAB09DF28A2DCAD95A37CF22D |
2848 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\PH3O0R2D\Transfer Copy-Payment Plans.pdf | | BFE1B67691241D43FF0B22545E267F54 | E706AD3EB7C32FBDD8EAFC0636E9AE00E139E204A9F3C0ECAF0B083765721E5B |
2848 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\PH3O0R2D\Transfer Copy-Payment Plans (2).pdf | | BFE1B67691241D43FF0B22545E267F54 | E706AD3EB7C32FBDD8EAFC0636E9AE00E139E204A9F3C0ECAF0B083765721E5B |
3720 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages | sqlite | 71289F8F8D3000638A846F994C51E52B | A67239B25EF289BB16B95FEB12A1D0A77FEF6772CD26901970BCE3116D81FCB9 |
2848 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\PH3O0R2D\FWDWIRE TRANSFER-OUTSTANDING INV .msg | msg | 6890B6FFFB5E70B2EDEB7785639D498F | 6675CC4D4EE78A3827B0B8CA493E84DD76808B097BCC092A93337BD44CE3FB0F |
2848 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{96CA0D49-A8C4-4509-A5CF-5DEA2DE2103C}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | 7D80C0A7E3849818695EAF4989186A3C | 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2412 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | — | — | whitelisted |
2412 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip | unknown | — | — | whitelisted |
2848 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3600 | iexplore.exe | GET | 302 | 92.53.96.169:80 | http://www.trudsaratov.ru/css/css/log/plan/plans/ | RU | — | — | suspicious |
2412 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | unknown | — | — | whitelisted |
3600 | iexplore.exe | GET | 200 | 92.53.96.169:80 | http://www.trudsaratov.ru/css/css/log/plan/plans/xr4c2310sco0gjbt3dp9ybie.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&ident=&.rand=13InboxLight.aspx?n=1774256418&fid=4 | RU | html | 12.4 KB | suspicious |
2412 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | unknown | — | — | whitelisted |
2412 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | unknown | — | — | whitelisted |
3600 | iexplore.exe | GET | 302 | 92.53.96.169:80 | http://www.trudsaratov.ru/css/css/log/plan/plans/ | RU | text | 26.3 KB | suspicious |
3600 | iexplore.exe | GET | 200 | 92.53.96.169:80 | http://www.trudsaratov.ru/css/css/log/plan/plans/asd/ScriptResource.axd?d=YfbPqEYj0W31Qd6b83PGlWON7nZi7y2471DNsdTWssElkCGzwOy2JjZMN6Q2J0CxzcQQMZxoFp-M9jgIk2__cRVfgn6cWZ7Z_b9bpoSJ9398HB6BkZgWc5aKYHnJsU-BmVVRY4UUCV5Fic6Gmpm_oZLb8Buaqp86-tiOy7lm8vuLYoTaNPLJWb1IMmHTO7uG0&t=545ba255 | RU | text | 26.3 KB | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2848 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3600 | iexplore.exe | 2.19.34.64:443 | static.sharepointonline.com | Akamai International B.V. | — | whitelisted |
3600 | iexplore.exe | 2.16.186.40:443 | spoprod-a.akamaihd.net | Akamai International B.V. | — | whitelisted |
2412 | AcroRd32.exe | 2.16.186.32:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
2716 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2412 | AcroRd32.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3600 | iexplore.exe | 92.53.96.169:80 | www.trudsaratov.ru | TimeWeb Ltd. | RU | suspicious |
— | — | 92.53.96.169:80 | www.trudsaratov.ru | TimeWeb Ltd. | RU | suspicious |
2716 | iexplore.exe | 92.53.96.169:80 | www.trudsaratov.ru | TimeWeb Ltd. | RU | suspicious |
— | — | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com | | whitelisted |
www.bing.com | | whitelisted |
www.trudsaratov.ru | | suspicious |
static.sharepointonline.com | | whitelisted |
spoprod-a.akamaihd.net | | whitelisted |
acroipm2.adobe.com | | whitelisted |
armmf.adobe.com | | whitelisted |
ardownload2.adobe.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3600 | iexplore.exe | A Network Trojan was detected | ET INFO Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017 |
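The single IDS hit, ET INFO Suspicious HTML Decimal Obfuscated Title, fires when a page's `<title>` is written entirely as decimal character references: `&#79;&#117;...` renders as "Outlook" in the browser while the raw HTML contains no such word, a habit of phishing kits trying to slip past keyword filters. It fits the rest of the trace: the iexplore.exe session is redirected (302) from the trudsaratov.ru directory into a PHP landing page whose query string mimics old Hotmail/Outlook.com webmail URLs (InboxLight.aspx with n, fid and fav parameters), and the served document is 12.4 KB of HTML. The check below is an added example, not part of the report or of the Emerging Threats rule; its sample pages are constructed for illustration, and the body actually served by www.trudsaratov.ru is not reproduced on this page.

```python
"""Detect an HTML <title> composed entirely of decimal character references.

This reproduces the idea behind the "ET INFO Suspicious HTML Decimal
Obfuscated Title" alert. SAMPLE_PAGES are constructed for the example; they
are not the content served by the landing page in the report.
"""
import html
import re

# Case-insensitive, multi-line <title> extraction; attributes tolerated.
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
# A title that is nothing but &#NNN; references (whitespace between allowed).
DECIMAL_RUN_RE = re.compile(r"^(?:&#\d{1,7};\s*)+$")


def encode_decimal(text):
    """Obfuscate text the way such kits do: every character as &#NNN;."""
    return "".join(f"&#{ord(c)};" for c in text)


def obfuscated_title(page):
    """Return (decoded_title, raw_title) when the <title> consists only of
    decimal character references, otherwise None.

    A title that merely contains a few entities (e.g. 'Sign &#105;n') is not
    flagged; legitimate pages do that for non-ASCII characters.
    """
    match = TITLE_RE.search(page)
    if not match:
        return None
    raw = match.group(1).strip()
    if not raw or not DECIMAL_RUN_RE.match(raw):
        return None
    return html.unescape(raw), raw


def scan(pages):
    """Map page label -> decoded title, only for pages that are flagged."""
    hits = {}
    for label, body in pages.items():
        result = obfuscated_title(body)
        if result:
            hits[label] = result[0]
    return hits


# Constructed samples (not the real landing page). "phish" hides its brand
# name behind &#NNN; references exactly as the rule describes.
SAMPLE_PAGES = {
    "phish": ("<html><head><title>" + encode_decimal("Outlook Web App")
              + "</title></head><body><form method=post>...</form></body></html>"),
    "benign": "<html><head><title>Payment Plans</title></head><body></body></html>",
    "mixed": "<html><head><title>Sign &#105;n</title></head><body></body></html>",
    "notitle": "<html><body>no title element</body></html>",
}


if __name__ == "__main__":
    for label, title in scan(SAMPLE_PAGES).items():
        print(f"{label}: obfuscated title decodes to {title!r}")
```

Only the "phish" sample is reported, decoding to "Outlook Web App"; the partially encoded and plain titles are left alone, which is the precision trade-off the network signature makes as well. To triage a real capture, feed the decoded title into the same triage step you would use for any lookalike login page: compare it against brand names your users actually log in to.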