File name: | Administrator Notification_ Redirecting email with malware.msg |
Full analysis: | https://app.any.run/tasks/d4c1159a-8bec-4741-98db-45883be0d4b0 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 15:22:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 0F148FD696FBBFB373D530DE22291C14 |
SHA1: | EEE90144417503B509E00911778D7904D781136D |
SHA256: | DC6CFD20DA7CBB9339ABC27BDCB878FFD3A520BE3492B4A5E9C523E56E43DEE2 |
SSDEEP: | 1536:uwWTWE64CLlP75Iu4tquRLt8fn2wa0DNWw0rWpSNj2fKGGKRjG/MUGRq0caS5Fl5:uJ6Vx5awZy8tS |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3376 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2348 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9ZK3TK4V\Englehart Open Quotes.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | OUTLOOK.EXE |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1936 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
324 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3376 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRED5B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3376 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF9D3E3F7F58D1A693.TMP | — | |
MD5:— | SHA256:— | |||
3376 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9ZK3TK4V\Englehart Open Quotes (2).zip\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
1936 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR485B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1936 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF83BA4A1DFA4E20D5.TMP | — | |
MD5:— | SHA256:— | |||
1936 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\OICE_B493AEF0-D274-4547-AB32-22FE534F2A72.0\5AE78EF4.xls\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3376 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:D655C7DB1FF3E716234D5AF198AB385B | SHA256:A538705C670B80D7D8A7DD51A8C5E82D1B4F655D22308BF6ABA81147EB0372BA | |||
3376 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9ZK3TK4V\Englehart Open Quotes (2).zip | compressed | |
MD5:3B60C88F6C363A6A96AF4137B0F4ADD6 | SHA256:B480BC1F60955EBA5EAC502563431E2C3200C20B244ADF2A16BDF034EFBBBE10 | |||
324 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\OICE_B493AEF0-D274-4547-AB32-22FE534F2A72.0\~DFE5775EA430516ADE.TMP | — | |
MD5:— | SHA256:— | |||
3376 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9ZK3TK4V\Englehart Open Quotes.zip | compressed | |
MD5:3B60C88F6C363A6A96AF4137B0F4ADD6 | SHA256:B480BC1F60955EBA5EAC502563431E2C3200C20B244ADF2A16BDF034EFBBBE10 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3376 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3376 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |