Field | Value
---|---
File name | ad.eml
Full analysis | https://app.any.run/tasks/328cc88f-ee09-469c-aad4-05af466e7279
Verdict | Malicious activity
Analysis date | February 18, 2019, 13:05:30
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | message/rfc822
File info | RFC 822 mail, UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5 | 13C8124A821487D5500F4B8E3A2B3E9D
SHA1 | DCDCEABD2576E7DF46A8D8F8D917C926AF3219A8
SHA256 | CD4AC880AFA8BAA3D0DF88A2F276C5B5F100B9DF5B11B3D827B3D2E6EAF57E27
SSDEEP | 24576:u5NcJqgfRD2iiek6jXU2x384XfVRY54iy7EgYMZ0f:eXi7ieLQw3zVRYQEgYMZI
.eml | E-Mail message (Var. 5) (100)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2976 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\ad.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Exit code: 0; Version: 14.0.6025.1000
2328 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000
3712 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\APSC1801-00928.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3124 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
1816 | CmD /c %tMp%\A.R | C:\Windows\system32\CmD.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 3221225477; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2268 | C:\Users\admin\AppData\Local\Temp\A.R | C:\Users\admin\AppData\Local\Temp\A.R | — | CmD.exe | User: admin; Company: Auslogics; Integrity Level: MEDIUM; Description: Diverted Frage Painter Nesting Dreams; Exit code: 3221225477
2608 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
3200 | CmD /c %tMp%\A.R | C:\Windows\system32\CmD.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 3221225477; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2212 | C:\Users\admin\AppData\Local\Temp\A.R | C:\Users\admin\AppData\Local\Temp\A.R | — | CmD.exe | User: admin; Company: Auslogics; Integrity Level: MEDIUM; Description: Diverted Frage Painter Nesting Dreams; Exit code: 3221225477
3904 | "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Setup Bootstrapper; Exit code: 0; Version: 14.0.6010.1000
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR9CD2.tmp.cvr | — | — | —
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp9ED7.tmp | — | — | —
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ET6J3DI8\APSC1801-00928 (2).doc:Zone.Identifier:$DATA | — | — | —
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\OICE_C2AC63D4-D477-48FF-BE5C-E76146939964.0\C7137173.doc:Zone.Identifier:$DATA | — | — | —
3976 | SearchProtocolHost.exe | C:\Users\admin\Documents\Outlook Files\[email protected] | — | — | —
3976 | SearchProtocolHost.exe | C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp | — | — | —
3712 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE792.tmp.cvr | — | — | —
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 65FCBF820F65ED44186BB8A3F02C7E36 | 5EBC9AA0D201930F0E5CF7C01A6543DE38722998F40550E5F99E47B0A254CA6C
3976 | SearchProtocolHost.exe | C:\Users\admin\Documents\Outlook Files\Outlook.pst | pst | 55C096FB47CB3879FF722A30A8C1EE24 | 75967B1CCFF5A1A5CE2A3FC6805DEBA4E0A494A727B79907342E1D17D03C3520
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ET6J3DI8\APSC1801-00928.doc | text | D0BD2866BF356C95BE306D29A8A205C8 | A24667CEC05DB52F217C49E5BD6DEEC1A4AF14B9FEFE3FF9D7A0310487A3FBCA
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2976 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2976 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | 64.4.26.155 | whitelisted
Process | Message
---|---
msiexec.exe | Failed to release Service
msiexec.exe | Failed to release Service