Property | Value
---|---
File name | source (1).eml
Full analysis | https://app.any.run/tasks/80978b69-18ce-41c4-9574-2597d86dcb85
Verdict | Malicious activity
Analysis date | October 09, 2019, 14:44:04
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | message/rfc822
File info | RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5 | AA2CFE4D0E9FED3362E14DB238982668
SHA1 | 26437E80E72A943986159B07B261DE893DBCB599
SHA256 | 57FE29F318041D17FC5A6856C091052CDFE6B1146447258FCC55D4611F97A2C2
SSDEEP | 3072:xF6Kvwfs6rI+MVvEZnPssOD+qwelcAWyAYML3xUUghJWMPdB1j7mhQ:f6KvwfBrXrnoD+qMAWNFL3xUbhJLB1n
File type | .eml, E-Mail message (Var. 5) (100)

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2648 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\source (1).eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000
680 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\H6ESEY7K\Order_documents_829800259.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000
768 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000
3264 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-process -FilePath "wscript" -ArgumentList @('/e:Jscript','\"c:\users\admin\appdata\roaming\microsoft\word\startup\margee:14.0"') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1952 | "C:\Windows\system32\wscript.exe" /e:Jscript "c:\users\admin\appdata\roaming\microsoft\word\startup\margee:14.0 | C:\Windows\system32\wscript.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
2992 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\H6ESEY7K\Order_documents_829800259.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
2216 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2648 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR6126.tmp.cvr | — | — | —
2648 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\H6ESEY7K\Order_documents_829800259 (2).docm\:Zone.Identifier:$DATA | — | — | —
680 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9F9.tmp.cvr | — | — | —
680 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_8C2FA181-20B3-4FD4-814C-6E3C2DE594FC.0\EA2D86CE.docm\:Zone.Identifier:$DATA | — | — | —
768 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_8C2FA181-20B3-4FD4-814C-6E3C2DE594FC.0\32DEA33A.png | — | — | —
768 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_8C2FA181-20B3-4FD4-814C-6E3C2DE594FC.0\~WRS{DF47C1F1-FAED-49E8-8068-4AC7C9705F33}.tmp | — | — | —
768 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_8C2FA181-20B3-4FD4-814C-6E3C2DE594FC.0\~WRF{B24E8314-7DE0-454A-854F-C94987C8677C}.tmp | — | — | —
3264 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0T4CY33SGO2Q0LL8Z67Z.temp | — | — | —
2648 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 775B0C8C7F3B3B6E6E05234CF40767FA | 55711FD4686AE8FFCCB9C5B85D37B69021CD85CBB3E757FF75303848A71463A7
2648 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{34BE5E56-6C40-4740-8AF2-D6B6924E06C4}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | 7D80C0A7E3849818695EAF4989186A3C | 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
2648 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2648 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted

Domain | IP | Reputation
---|---|---
config.messenger.msn.com | | whitelisted