File name: | Urgent! Overdue Account - Action Required Inv.msg |
Full analysis: | https://app.any.run/tasks/3ad4334f-c92b-4335-800a-ab949826744f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 22, 2019, 17:00:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 8C92679BA7FAD0ED456156EC1A745303 |
SHA1: | 413758903C35032DEADC2E768CCAFD93A1C95794 |
SHA256: | DFECD325EB3A040CCA55186267EF905E91F2F396C1B58AA5D6CD0F4CD706AE30 |
SSDEEP: | 1536:J1WW6W2WFfR0xTJgQisS7WWfWYMWtWeXqybkwvzWtyybtV:J3R0xTJgbshWXqybN7WtyybtV |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2708 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Urgent! Overdue Account - Action Required Inv.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
3116 | "C:\Program Files\Internet Explorer\iexplore.exe" http://labourlawlearning.com/Information/2019-01 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2056 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3116 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2708 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR593C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3116 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3116 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3116 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFB469C58314732320.TMP | — | |
MD5:— | SHA256:— | |||
3116 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF71C36407F934EF5C.TMP | — | |
MD5:— | SHA256:— | |||
3116 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF8F7800DEBF5EE015.TMP | — | |
MD5:— | SHA256:— | |||
3116 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IYMO3XX4R9FZWL04B6RL.temp | — | |
MD5:— | SHA256:— | |||
2708 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:82B74517D9D983B6709AD428DF43CE94 | SHA256:12A6013F553CCCF1663A2552EC9FFC15962F8B850B60589ACB0DE788252A5F15 | |||
3116 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{54E3150A-1E67-11E9-91D7-5254004A04AF}.dat | binary | |
MD5:130692A0AE09F39B0DFC0300434A3BFB | SHA256:9E5BBED1C2967AC1EF24173BD446DFF61C7FF171DF5842C05CF427CA4AB6DD49 | |||
2708 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B6C6496A-B461-4082-B008-32C5D25EBE5E}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:7D80C0A7E3849818695EAF4989186A3C | SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2708 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3116 | iexplore.exe | GET | 200 | 87.229.71.152:80 | http://labourlawlearning.com/favicon.ico | HU | — | — | malicious |
2056 | iexplore.exe | GET | 200 | 87.229.71.152:80 | http://labourlawlearning.com/Information/2019-01/ | HU | xml | 199 Kb | malicious |
2056 | iexplore.exe | GET | 301 | 87.229.71.152:80 | http://labourlawlearning.com/Information/2019-01 | HU | html | 257 b | malicious |
2708 | OUTLOOK.EXE | GET | 200 | 52.109.32.27:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={CFF13DD8-6EF2-49EB-B265-E3BFC6501C1D}&build=14.0.6023 | GB | xml | 1.99 Kb | whitelisted |
3116 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2708 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3116 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2056 | iexplore.exe | 87.229.71.152:80 | labourlawlearning.com | Deninet KFT | HU | malicious |
2708 | OUTLOOK.EXE | 52.109.32.27:80 | office14client.microsoft.com | Microsoft Corporation | GB | whitelisted |
3116 | iexplore.exe | 87.229.71.152:80 | labourlawlearning.com | Deninet KFT | HU | malicious |
2708 | OUTLOOK.EXE | 52.109.120.28:443 | rr.office.microsoft.com | Microsoft Corporation | HK | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
labourlawlearning.com |
| malicious |
www.bing.com |
| whitelisted |
office14client.microsoft.com |
| whitelisted |
rr.office.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2056 | iexplore.exe | A Network Trojan was detected | ET TROJAN Possible malicious Office doc hidden in XML file |