File name: | Re_ Final report.eml |
Full analysis: | https://app.any.run/tasks/8c32b499-7cb7-4d2b-861a-dfef67f40977 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 18, 2019, 23:03:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, ASCII text, with CRLF line terminators |
MD5: | 3077A324864E5D62E5959BF760975A9B |
SHA1: | C0BAC049019719C601D56414BE2ADB30280B5C7C |
SHA256: | 32D80A86D33D82D0D570E872C97DE70DF63310A117D727A97B18E4B0F17A3B9E |
SSDEEP: | 6144:QwTEt+pf20YMhE375zmeQRZGh6vme/gwjBTsZfkcInOW7LzKPHRcl90wsYLbrjIt:gme2We//ZGZ1WLKH |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3536 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Re_ Final report.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2352 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\7089820762_JA.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2400 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3420 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\0.7055475.jse" | C:\Windows\System32\WScript.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3088 | "C:\Users\admin\AppData\Local\Temp\rnhl8s6qc.exe" | C:\Users\admin\AppData\Local\Temp\rnhl8s6qc.exe | — | WScript.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2688 | "C:\Users\admin\AppData\Local\Temp\rnhl8s6qc.exe" | C:\Users\admin\AppData\Local\Temp\rnhl8s6qc.exe | — | rnhl8s6qc.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3208 | --6a7e44d1 | C:\Users\admin\AppData\Local\Temp\rnhl8s6qc.exe | — | rnhl8s6qc.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3068 | --6a7e44d1 | C:\Users\admin\AppData\Local\Temp\rnhl8s6qc.exe | rnhl8s6qc.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3396 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | rnhl8s6qc.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2404 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B0C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp9D11.tmp | — | |
MD5:— | SHA256:— | |||
3536 | OUTLOOK.EXE | C:\Users\admin\Desktop\7089820762_JA.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2352 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR10E8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2352 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_B0426CD8-B81D-40BE-8CB7-975C54FB178E.0\FA31A089.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:981264CD6C2900241FA4CE6F3759A7F9 | SHA256:7FFB0862C672C2BF52117DF69008263F78B3BCBF10275DC3BB05CF2A452E1C41 | |||
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RRL0X9S2\7089820762_JA.doc | document | |
MD5:8E3A11755CD42166E8359F98C94321AC | SHA256:492200F1889C3F0351BFB8829F4C9C0E75E49CA7236594C69B503968A2203A0C | |||
3536 | OUTLOOK.EXE | C:\Users\admin\Desktop\7089820762_JA.doc | document | |
MD5:8E3A11755CD42166E8359F98C94321AC | SHA256:492200F1889C3F0351BFB8829F4C9C0E75E49CA7236594C69B503968A2203A0C | |||
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_E15AD21F8B3EA04EB23DF3A769BEC26F.dat | xml | |
MD5:B21ED3BD946332FF6EBC41A87776C6BB | SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 | |||
2352 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:2A7D1083C446FC0442653887B0207125 | SHA256:773E68FDED581DC91E8E7AB9797C29A0B784B303287F9CC79899B6EC6D02C68C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3536 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3664 | easywindow.exe | POST | 200 | 190.18.146.70:80 | http://190.18.146.70/scripts/ | AR | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3420 | WScript.exe | 47.101.216.114:443 | www.wuus.org.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
3536 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3664 | easywindow.exe | 190.18.146.70:80 | — | CABLEVISION S.A. | AR | malicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
www.wuus.org.cn |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3664 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3664 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |