File name: | Administrator Notification_ Redirecting email with malware.msg |
Full analysis: | https://app.any.run/tasks/7b3a144c-4314-42d6-b531-6306be01618c |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 16:29:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 12004D89340F006F00CF2F0034A384F7 |
SHA1: | 7E5AA3B64CCBFCB0F0720936C23A599B0685F38C |
SHA256: | D225B34002ECAF76E67ACEDA6091DCF44CBDB5275B864F71D4DFB00776BD211A |
SSDEEP: | 3072:9ZApyPy7tvJJNaikHgfuPAGhzcw/orGCz:9GXEikHgfuIGtcTDz |
Extension | File type (TrID match)
---|---
.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3708 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Outlook | Version: 14.0.6025.1000
2364 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\AW096NFL\Shipping Documents.html | C:\Program Files\Internet Explorer\iexplore.exe | — | OUTLOOK.EXE
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3812 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2364 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe
User: admin | Company: Microsoft Corporation | Integrity Level: LOW | Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)
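The process tree above shows the delivery chain of this sample: Outlook extracts the HTML attachment (Shipping Documents.html) into its secure temp folder under Content.Outlook, hands it to iexplore.exe (PID 2364), and the low-integrity IE tab (PID 3812) then fetches a page from eventisisyu.com whose URL path carries the recipient address. The first hop, OUTLOOK.EXE starting a browser with a Content.Outlook HTML file on the command line, is the cheapest place to detect this pattern on an endpoint. The Python below is an added example and is not part of the ANY.RUN report: it runs that check over constructed process-creation events. The PIDs, image paths and command lines of the three events are copied from the table; the event field names, explorer.exe's PID and the two benign control events (a PDF attachment and a clicked hyperlink) are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Browsers Outlook may hand an .html attachment to (extend for your estate).
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

# A full Windows path ending in .htm/.html inside Outlook's secure temp folder
# (...\Temporary Internet Files\Content.Outlook\<random>\), quoted or unquoted.
HTML_ATTACHMENT_RE = re.compile(
    r'[A-Za-z]:\\[^"]*?\\Content\.Outlook\\[^"]*?\.html?(?=$|"|\s)',
    re.IGNORECASE,
)

# Constructed process-creation events modelled on the sandbox process tree.
# PIDs, images and command lines of the first three events come from the
# report; the field layout and explorer.exe's PID (1234) are assumptions.
# The last two events are constructed benign controls the rule must not flag.
EVENTS = [
    {"pid": 3708, "ppid": 1234,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg"'},
    {"pid": 2364, "ppid": 3708,
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\AW096NFL\Shipping Documents.html'},
    {"pid": 3812, "ppid": 2364,
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2364 CREDAT:71937'},
    # Benign control: a PDF attachment opened from the same Outlook process.
    {"pid": 4100, "ppid": 3708,
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE",
     "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "cmdline": r'"C:\Program Files\Adobe\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\AW096NFL\invoice.pdf"'},
    # Benign control: the user clicked a hyperlink, so no local HTML file.
    {"pid": 4200, "ppid": 3708,
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://intranet.example.invalid/'},
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, for case-insensitive matching."""
    return PureWindowsPath(path).name.lower()


def detect_outlook_html_attachment_launch(events):
    """Return one finding per browser that OUTLOOK.EXE started on an HTML
    attachment extracted to Content.Outlook. Matches the first hop of the
    chain above (Outlook -> iexplore.exe -> external GET with the victim's
    address in the URL) and ignores other attachment types and plain links."""
    findings = []
    for ev in events:
        if image_name(ev["parent_image"]) != "outlook.exe":
            continue
        if image_name(ev["image"]) not in BROWSERS:
            continue
        match = HTML_ATTACHMENT_RE.search(ev["cmdline"])
        if match is None:
            continue
        findings.append({
            "pid": ev["pid"],
            "ppid": ev["ppid"],
            "browser": image_name(ev["image"]),
            "attachment": match.group(0),
        })
    return findings


if __name__ == "__main__":
    for f in detect_outlook_html_attachment_launch(EVENTS):
        print(f"ALERT pid={f['pid']} {f['browser']} opened attachment "
              f"{f['attachment']} (parent OUTLOOK.EXE pid={f['ppid']})")
```

The regex anchors on the Content.Outlook folder rather than on any `.html` argument, so a browser opened on a URL or on a file the user saved elsewhere does not fire; the secure temp folder is the signal that the file arrived as an attachment. Pair the alert with the HTTP requests of the child process (here PID 3812) to pull the landing domain for blocking.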
PID | Process | Filename | Type
---|---|---|---
3708 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRF686.tmp.cvr | —
MD5: — | SHA256: —
3708 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF806635BC5A927ABD.TMP | —
MD5: — | SHA256: —
3708 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\AW096NFL\Shipping Documents (2).html\:Zone.Identifier:$DATA | —
MD5: — | SHA256: —
3708 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
MD5: 4E30D7C2E4AFA7FD6E624F5101BDA6DC | SHA256: 1394C78E16C91118197198F7AE2351F2FBE1A602B044AAAFA68DEF152A871B7F
3708 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EABFF883.dat | image
MD5: 3AA11FBE464C74A3F53441B335740FC8 | SHA256: E38F696C893121C18ACB34ED6666855B3DE184C3BCDE530B7308B9B3CC118804
3708 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\AW096NFL\Shipment Notification Delivered to systems@adi ca .msg | msg
MD5: 6FA61E868368861EA7A77FADECDCFEB7 | SHA256: E6199CEF4ABC9F42267172191108D498F7362F4E0DEC0F42341B4A07C3E26611
2364 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | —
MD5: — | SHA256: —
3708 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\AW096NFL\Shipping Documents.html | html
MD5: 24CE9F8A622D3195BD4800A7F53CCA09 | SHA256: 0BFF125C3AC6719D70FC2835A5C385D28E8863D39BC3C7A3008F7F80E0A957D2
3812 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat
MD5: 942C183EBA9B5E8C9B38B8F6962916D5 | SHA256: 34C748FE5A7A8357A6654221DED108F0FA61F00F3EA318BBE4AAEE7DB0F7FDBF
3708 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\AW096NFL\Shipping Documents (2).html | html
MD5: 24CE9F8A622D3195BD4800A7F53CCA09 | SHA256: 0BFF125C3AC6719D70FC2835A5C385D28E8863D39BC3C7A3008F7F80E0A957D2
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3708 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted
3812 | iexplore.exe | GET | 200 | 103.53.172.54:80 | http://eventisisyu.com/mmrsk/[email protected] | SG | html | 283 KB | unknown
3812 | iexplore.exe | GET | 404 | 103.53.172.54:80 | http://eventisisyu.com/images/pattern.png | SG | html | 335 B | unknown
2364 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 B | whitelisted
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3708 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2364 | iexplore.exe | 185.48.116.71:443 | pictures.attention-ngn.com | Profitbricks GmbH | DE | unknown |
2364 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3812 | iexplore.exe | 13.225.78.56:443 | d15k2d11r6t6rl.cloudfront.net | — | US | suspicious |
2364 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3812 | iexplore.exe | 103.53.172.54:80 | eventisisyu.com | USONYX PTE LTD | SG | unknown |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | — | whitelisted
d15k2d11r6t6rl.cloudfront.net | — | shared
www.bing.com | — | whitelisted
eventisisyu.com | — | unknown
pictures.attention-ngn.com | — | unknown