Field | Value
---|---
File name | Administrator Notification_ Redirecting email with malware.msg
Full analysis | https://app.any.run/tasks/42017fbe-3bf8-4a18-8b84-a4a6a2ddb702
Verdict | Malicious activity
Analysis date | October 09, 2019, 14:42:16
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | application/vnd.ms-outlook
File info | CDFV2 Microsoft Outlook Message
MD5 | F2FA01F828C2C0086802BBCF86ABF5F6
SHA1 | 781790088F4AB1ECB61CE077D055645E1DC1101E
SHA256 | D86E8362CC7EBC9E866F482C3660CEA8F6E6CB5EF913360AC9C6F381E7D2CFE7
SSDEEP | 24576:wb+Be2Xpohw82WfKsIYr2Lhclbho1FTA5vHm5bk/FTjLEbOKEwyZ7bA:S+1ZoebsI
Extension | Detected file type (match score)
---|---
.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Version
---|---|---|---|---|---|---|---|---|---
2288 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000
3448 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M2XMZUOJ\FINAL QUOTATION.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000
2296 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | admin | Microsoft Corporation | LOW | Microsoft Word | 14.0.6024.1000
4076 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 00110900
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRFD1.tmp.cvr | — | — | —
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF9C3DE648BFAFD958.TMP | — | — | —
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M2XMZUOJ\FINAL QUOTATION (2).doc\:Zone.Identifier:$DATA | — | — | —
3448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5054.tmp.cvr | — | — | —
3448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_8EF3F25F-BC73-4B92-9D62-C5B697B510EB.0\93226DDE.doc\:Zone.Identifier:$DATA | — | — | —
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 0160A30224678BCB593A0A2A8F890655 | E2D9DD62D43337B5782D47637E183217FA154D56991EEEA5831E074D17048662
3448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_8EF3F25F-BC73-4B92-9D62-C5B697B510EB.0\93226DDE.doc | text | 7F731C2FB96D72CB06AFFB506DBB769E | 398ED7EAD99FE8D3BD7B9B1340194D1AF404CCCC91DE00D1C91C3947A3CF9C0E
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M2XMZUOJ\FINAL QUOTATION (2).doc | text | 7F731C2FB96D72CB06AFFB506DBB769E | 398ED7EAD99FE8D3BD7B9B1340194D1AF404CCCC91DE00D1C91C3947A3CF9C0E
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M2XMZUOJ\RE FINAL QUOTATION.msg | msg | EEAB5361627059C02BB84255FEF1ED57 | 8C138DCD922CF5CC322AF1D55CAD76B516BC500BE567DE6A923E5DBF68677420
2288 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M2XMZUOJ\FINAL QUOTATION.doc | text | 7F731C2FB96D72CB06AFFB506DBB769E | 398ED7EAD99FE8D3BD7B9B1340194D1AF404CCCC91DE00D1C91C3947A3CF9C0E
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2288 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
4076 | EQNEDT32.EXE | GET | — | 162.144.128.116:80 | http://modexcourier.eu/bobbye/bobbye.exe | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4076 | EQNEDT32.EXE | 162.144.128.116:80 | modexcourier.eu | Unified Layer | US | malicious |
2288 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | — | whitelisted
modexcourier.eu | — | unknown
PID | Process | Class | Message |
---|---|---|---|
4076 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |