| Field | Value |
|---|---|
| File name | Administrator Notification_ Redirecting email with malware.msg |
| Full analysis | https://app.any.run/tasks/399dcaa9-7c60-4871-a18a-c3ab5945afdd |
| Verdict | Malicious activity |
| Analysis date | October 14, 2019, 13:05:16 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/vnd.ms-outlook |
| File info | CDFV2 Microsoft Outlook Message |
| MD5 | C278BA9BE2C2A522B7FB8B954EF95824 |
| SHA1 | A113141CAA2BFA3A46C608A18C19F97E48C89CF0 |
| SHA256 | 1F2749912ADBFF4059D3785F7F6D8E115710AC316E164E8927607ABE2963B7AD |
| SSDEEP | 1536:/ZbWnWfrp/k4tYt63TP+bwaHVBWUWwNcaikqtUwgBwEB4:Rbrt1tYtuta1fN4tI |

File type identification:

| Extension | File type | Match (%) |
|---|---|---|
| .msg | Outlook Message | 58.9 |
| .oft | Outlook Form Template | 34.4 |

Processes:

| PID | Command line | Path | Parent process | User | Integrity level | Description | Version | Company |
|---|---|---|---|---|---|---|---|---|
| 1608 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | admin | MEDIUM | Microsoft Outlook | 14.0.6025.1000 | Microsoft Corporation |
| 944 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J1X0W1F8\♫ VMailMessage_Wav327.html | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | admin | MEDIUM | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) | Microsoft Corporation |
| 4016 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:944 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | admin | LOW | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) | Microsoft Corporation |

Files written:

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1608 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRB63B.tmp.cvr | — | — | — |
| 1608 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DFD1D9900BB258C49A.TMP | — | — | — |
| 1608 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J1X0W1F8\♫ VMailMessage_Wav327 (2).html:Zone.Identifier:$DATA | — | — | — |
| 1608 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 6367D107A8ADA76789E52CED7C4FD0AB | 690AB1910A1C48456BE967A977B1C92A16BD709097F18622D33669240320D474 |
| 1608 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | 01791A3EB968EDD9DD2B2BCB1BD44D2C | 76027174F3217C2194FB84B79D7E84C6E283ED0CE048DE205FBA49A6D87AD986 |
| 1608 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J1X0W1F8\+1-2745203402-632.msg | msg | C17C2E8CE4AA8BB7BF7354A0F3D666E3 | 2E308C36A56CFF6573017A5A639AC6C9FDAA16A949E6A04D0EE54C1A3FB0FDE5 |
| 4016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 8316FE9036FFA9B74BA7892611A451A8 | EA1AACA96683FAE4ED233349D18CB847903C8E88EA7060D2BB760C46C0994A56 |
| 944 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | — | — |
| 1608 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_986AE00C5D1885419128945485B4A12A.dat | xml | BBCF400BD7AE536EB03054021D6A6398 | 383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD |
| 1608 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_2672C6B21EA58D4C9FCA41F260A0A5FA.dat | xml | 57F30B1BCA811C2FCB81F4C13F6A927B | 612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3 |

Network connections:

| PID | Process | IP:port | Domain | ASN | Country | Reputation |
|---|---|---|---|---|---|---|
| 1608 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
| 944 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 4016 | iexplore.exe | 108.179.223.88:443 | anixt.co.uk | CyrusOne LLC | US | unknown |

Domains:

| Domain | IP | Reputation |
|---|---|---|
| config.messenger.msn.com | 64.4.26.155 | whitelisted |
| www.bing.com | 204.79.197.200 | whitelisted |
| anixt.co.uk | 108.179.223.88 | unknown |
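The chain worth detecting in this report is OUTLOOK.EXE (1608) launching iexplore.exe (944) directly on an HTML attachment from the Content.Outlook cache, whose low-integrity tab process (4016) then talks HTTPS to a host the sandbox could not whitelist (anixt.co.uk); Outlook also wrote a Zone.Identifier stream (mark-of-the-web) on the attachment copy. The following triage script is an added example, not part of the ANY.RUN report: it rebuilds the parent chain from the process rows and flags exactly those three things. The rows are transcribed from the tables above; the parent PID 0 for explorer.exe, the `BROWSERS` set beyond iexplore.exe, and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Browser images to treat as "attachment viewers" (assumed list; only
# iexplore.exe appears in the report).
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
MAIL_CLIENTS = {"OUTLOOK.EXE"}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_pid: Optional[int]
    integrity: str


@dataclass(frozen=True)
class Conn:
    pid: int
    ip: str
    port: int
    domain: str
    reputation: str


# Process rows transcribed from the report. The report names only the parent
# image of OUTLOOK.EXE, so explorer.exe is given PID 0 here (assumption).
PROCS = [
    Proc(0, "explorer.exe", "explorer.exe", None, "MEDIUM"),
    Proc(1608, "OUTLOOK.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f '
         r'"C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg"',
         0, "MEDIUM"),
    Proc(944, "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" '
         r'C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J1X0W1F8\♫ VMailMessage_Wav327.html',
         1608, "MEDIUM"),
    Proc(4016, "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:944 CREDAT:71937',
         944, "LOW"),
]

# Network rows transcribed from the report.
CONNS = [
    Conn(1608, "64.4.26.155", 80, "config.messenger.msn.com", "whitelisted"),
    Conn(944, "204.79.197.200", 80, "www.bing.com", "whitelisted"),
    Conn(4016, "108.179.223.88", 443, "anixt.co.uk", "unknown"),
]

# The two attachment-cache writes from the report's file table.
FILES = [
    (1608, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J1X0W1F8\♫ VMailMessage_Wav327 (2).html:Zone.Identifier:$DATA"),
    (1608, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J1X0W1F8\+1-2745203402-632.msg"),
]


def ancestors(pid, procs):
    """Image names from the process itself up to the root, following parent_pid."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = by_pid.get(cur.parent_pid) if cur.parent_pid is not None else None
    return chain


def _args(cmdline):
    """Drop the quoted executable from a command line, keeping only its arguments."""
    m = re.match(r'^"[^"]*"\s*(.*)$', cmdline, re.S)
    return m.group(1) if m else cmdline


def _under_mail_client(pid, procs):
    return any(a.upper() in MAIL_CLIENTS for a in ancestors(pid, procs)[1:])


def attachment_opened_by_browser(procs):
    """Browsers descended from a mail client and started on an HTML file in
    Outlook's attachment cache (…\\Content.Outlook\\…)."""
    hits = []
    for p in procs:
        if p.image.lower() not in BROWSERS or not _under_mail_client(p.pid, procs):
            continue
        target = _args(p.cmdline).strip('"')
        low = target.lower()
        if "\\content.outlook\\" in low and low.endswith((".htm", ".html")):
            hits.append((p.pid, target))
    return hits


def suspicious_connections(procs, conns):
    """Connections by any descendant of the mail client to a non-whitelisted host.
    The SCODEF tab process (4016) is caught because its chain runs through 944 to 1608."""
    return [(c.pid, c.domain, c.reputation) for c in conns
            if _under_mail_client(c.pid, procs) and c.reputation != "whitelisted"]


def marked_attachments(files):
    """Files that received a Zone.Identifier alternate data stream (mark-of-the-web)."""
    return [(pid, path.rsplit(":Zone.Identifier", 1)[0])
            for pid, path in files if ":Zone.Identifier" in path]


def triage(procs, conns, files):
    """Combine the three checks into one verdict for the analyst."""
    opened = attachment_opened_by_browser(procs)
    hosts = suspicious_connections(procs, conns)
    return {
        "browser_on_attachment": opened,
        "unknown_hosts": hosts,
        "motw_files": marked_attachments(files),
        "verdict": "suspicious" if opened and hosts else "benign",
    }


if __name__ == "__main__":
    for key, value in triage(PROCS, CONNS, FILES).items():
        print(f"{key}: {value}")
```

On the report's rows the verdict is "suspicious": 944 is the browser started on the `♫ VMailMessage_Wav327.html` attachment, 4016's HTTPS session to anixt.co.uk is the only non-whitelisted host, and the Zone.Identifier write identifies which cached copy carries the mark-of-the-web. The whitelisted config.messenger.msn.com and www.bing.com connections are ignored, as they should be, since Outlook and IE make them on their own.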