File name: | Re_ Final report.eml |
Full analysis: | https://app.any.run/tasks/d20cd8f6-0ac2-4439-9a94-199bdb05794f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 19, 2019, 00:47:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, ASCII text, with CRLF line terminators |
MD5: | 3077A324864E5D62E5959BF760975A9B |
SHA1: | C0BAC049019719C601D56414BE2ADB30280B5C7C |
SHA256: | 32D80A86D33D82D0D570E872C97DE70DF63310A117D727A97B18E4B0F17A3B9E |
SSDEEP: | 6144:QwTEt+pf20YMhE375zmeQRZGh6vme/gwjBTsZfkcInOW7LzKPHRcl90wsYLbrjIt:gme2We//ZGZ1WLKH |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2808 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Re_ Final report.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
3728 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2516 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\7089820762_JA_copy.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3180 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2768 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\0.7055475.jse" | C:\Windows\System32\WScript.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3948 | "C:\Users\admin\AppData\Local\Temp\6giixoryu.exe" | C:\Users\admin\AppData\Local\Temp\6giixoryu.exe | — | WScript.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2996 | "C:\Users\admin\AppData\Local\Temp\6giixoryu.exe" | C:\Users\admin\AppData\Local\Temp\6giixoryu.exe | — | 6giixoryu.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2760 | --55a553aa | C:\Users\admin\AppData\Local\Temp\6giixoryu.exe | — | 6giixoryu.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3880 | --55a553aa | C:\Users\admin\AppData\Local\Temp\6giixoryu.exe | 6giixoryu.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2736 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 6giixoryu.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2808 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR8C85.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2808 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp8EC8.tmp | — | |
MD5:— | SHA256:— | |||
2808 | OUTLOOK.EXE | C:\Users\admin\Documents\7089820762_JA_copy.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2808 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\1VPA75AJ\7089820762_JA (2).doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2808 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\OICE_C8479BDD-03A7-4333-9A60-C2EE0552BA2E.0\6E37F462.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2808 | OUTLOOK.EXE | C:\Users\admin\Desktop\7089820762_JA_copy.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD8A8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2808 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:0F827FE2CBC752F99F0C598E7BABB86F | SHA256:4E044383FF1B86CB912FDF3137516FBED58D84EF657155ABA29AEECD568C1B08 | |||
2808 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\OICE_C8479BDD-03A7-4333-9A60-C2EE0552BA2E.0\6E37F462.doc | document | |
MD5:8E3A11755CD42166E8359F98C94321AC | SHA256:492200F1889C3F0351BFB8829F4C9C0E75E49CA7236594C69B503968A2203A0C | |||
2516 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D3A869B240995C7C1E99C1A92D0FC288 | SHA256:B8D434FA2C12A002CA687D2D363CD60F46C0720DF02F45E6C1810AD6951B8729 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2808 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
2068 | easywindow.exe | POST | 200 | 190.18.146.70:80 | http://190.18.146.70/prep/ | AR | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2808 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2768 | WScript.exe | 47.101.216.114:443 | www.wuus.org.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
— | — | 190.18.146.70:80 | — | CABLEVISION S.A. | AR | malicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
www.wuus.org.cn |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2068 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2068 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |