File name: | Administrator Notification_ Redirecting email with malware.msg |
Full analysis: | https://app.any.run/tasks/604c31bf-8bc2-4e4b-b90d-189095b70c61 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 15:23:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 13D9224986D9DCCBCCD3689B65416F37 |
SHA1: | 2E20CF942C8C31562396FA3B6BDBD00C76895A21 |
SHA256: | 5F2131CC35C6493BC1068403C3E25E3D56F8B20C988E57BDE6169C68C48EF9BE |
SSDEEP: | 1536:ncWTWascLFNTE4CFFi0t3lcYWNWt//gG/u0ThR2ikIUewe3XVo622z1RlRKOjDw+:nHsiFNTkFBkgxmikjCmxgLSQWn |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3328 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
344 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\IEPOLPB3\TRANSCONTINENTAL REVISED ORDER.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3256 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3328 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRED89.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3328 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF1B9F735C32532F27.TMP | — | |
MD5:— | SHA256:— | |||
3328 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\IEPOLPB3\TRANSCONTINENTAL REVISED ORDER (2).doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
344 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB28F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
344 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_92A42788-71B7-479E-9AA3-48CAA2C736A9.0\6A18F2E4.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_92A42788-71B7-479E-9AA3-48CAA2C736A9.0\7EF5A899.png | — | |
MD5:— | SHA256:— | |||
344 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C4F2D95.png | — | |
MD5:— | SHA256:— | |||
3328 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:F1BC2DAB3D838542880692E356C7F28D | SHA256:E5FED4629490E489378101BBA992C5607B3ECB35DFB8C81F956B6A6B25058BDB | |||
344 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_92A42788-71B7-479E-9AA3-48CAA2C736A9.0\6A18F2E4.doc | text | |
MD5:880211678F7B8369C12E36363D20282B | SHA256:B7554ACB5D5DA53F55754E31FCB16FABBF694403D117F532FF308A52931D27B4 | |||
3328 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\IEPOLPB3\TRANSCONTINENTAL REVISED ORDER (2).doc | text | |
MD5:880211678F7B8369C12E36363D20282B | SHA256:B7554ACB5D5DA53F55754E31FCB16FABBF694403D117F532FF308A52931D27B4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3328 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
344 | WINWORD.EXE | GET | 404 | 78.138.105.197:80 | http://78.138.105.197/client1.exe | DE | xml | 1.03 Kb | suspicious |
344 | WINWORD.EXE | GET | 404 | 78.138.105.197:80 | http://78.138.105.197/client1.exe | DE | xml | 1.03 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
344 | WINWORD.EXE | 78.138.105.197:80 | — | velia.net Internetdienste GmbH | DE | suspicious |
3328 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
344 | WINWORD.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
344 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 |
344 | WINWORD.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
344 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 |