Property | Value |
---|---|
File name | Administrator Notification_ Redirecting email with malware.msg |
Full analysis | https://app.any.run/tasks/f061710d-41e0-4afe-8240-9c98387fd118 |
Verdict | Malicious activity |
Analysis date | October 09, 2019, 14:50:45 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/vnd.ms-outlook |
File info | CDFV2 Microsoft Outlook Message |
MD5 | 0F005E0D13813A4ADC58FD151345CABC |
SHA1 | B392A223FBC5660DBDB85EA74174BCE68A0D81D6 |
SHA256 | 850442C173201988ACD6B1DE2B36FC0527FB9CD887060BCCF383ED2EE27B8FCD |
SSDEEP | 1536:J4S6W/WRigFwr1+aFp6f84U0R/WCWH5fOq1pQkoYjcoGkYz2+fcP:J4Sz15a870RyOqX9nAI |
Extension | Description |
---|---|
.msg | Outlook Message (58.9) |
.oft | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Version |
---|---|---|---|---|---|---|---|---|---|
1004 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000 |
3008 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CWVH5TNH\🕪 VM- 09-10-2019 - Cellphone - Missed Call.htm | C:\Program Files\Internet Explorer\iexplore.exe | | OUTLOOK.EXE | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) |
1288 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3008 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1004 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRD8E.tmp.cvr | — | — | — |
1004 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DFADA251BA27824BD4.TMP | — | — | — |
1004 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CWVH5TNH\🕪 VM- 09-10-2019 - Cellphone - Missed Call (2).htm\:Zone.Identifier:$DATA | — | — | — |
1004 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_E4DE57343F63F94BB37FC63ED3858D0D.dat | xml | B21ED3BD946332FF6EBC41A87776C6BB | B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 |
1004 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | 48DD6CAE43CE26B992C35799FCD76898 | 7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A |
1004 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7A03B3F.dat | image | 356D58EDA352591EA528B035E1AE29A5 | 7C4E9B8FB1BD218A298C0B08D67E3767C30EC33E2BC31777A76A118226E63D9F |
1004 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | FE9C04F8A6D849CF83045F7E3EF7FFC8 | 8ED5BC1DA406C683892FDE543ADFC3804A57DC0B68FA4627F8BC53432E35D949 |
1288 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 7D221444C035F98887D22536A59CC850 | BA35D8D2078A68890724A538884E381634C1A415AC80A8E2C2B7452322444F3B |
1004 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6CF326A5.dat | image | C0C19F9D5B5683789D6A5A1990D46A9E | E5B667D552FB52C75BCB362D1C1AAF3BFF26D79F142792841611FF5F423E524F |
1004 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3E51C34.dat | image | 42CB862707F3A39899F33C04797235AA | 0A49D73F4CB0C5E934BEB268C27D0E13D92EB37AC90956FA69BD1FA9239939BA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1004 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3008 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1004 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
1288 | iexplore.exe | 104.28.12.143:443 | roseofworld.org | Cloudflare Inc | US | suspicious |
1288 | iexplore.exe | 152.199.23.37:443 | aadcdn.msftauth.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
1288 | iexplore.exe | 104.28.13.143:443 | roseofworld.org | Cloudflare Inc | US | unknown |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com | | whitelisted |
aadcdn.msftauth.net | | whitelisted |
www.bing.com | | whitelisted |
roseofworld.org | | suspicious |
dns.msftncsi.com | | shared |