File name: | Administrator Notification_ Redirecting email with malware.msg |
Full analysis: | https://app.any.run/tasks/c92d6c25-d551-425b-b3a1-a530616a3359 |
Verdict: | Malicious activity |
Threats: | Dridex is a very evasive and technically complex banking trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous. |
Analysis date: | July 17, 2019, 12:46:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 1EBDA1EAB863F6C2C511BD502C475975 |
SHA1: | CB27B255DFC90DEF1584C8332E3F57C0C8D4BD4F |
SHA256: | FF99F0D3336015CF47B5F77C8DF6A6137111BE53020A02710FC8B353CC79D9B4 |
SSDEEP: | 3072:0PySx4mBl3r5b8TuYVKMX4tchye8ZBXHL+JLqaCj1v:a35gKKochyeEXLgQj |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3716 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2508 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\FJ03QP7K\Sadie-invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3872 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\FJ03QP7K\Sadie-invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1640 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2380 | wmic os get /format:"C:\\Windows\\Temp\\aXwZvnt48.xsl" | C:\Windows\System32\Wbem\wmic.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147500037 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3716 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRF5DA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3716 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF4DE2E1605FAD3847.TMP | — | |
MD5:— | SHA256:— | |||
3716 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\FJ03QP7K\Sadie-invoice (2).doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3600.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFADD49086B40D9B95.TMP | — | |
MD5:— | SHA256:— | |||
2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFDAF9121B80F59BD0.TMP | — | |
MD5:— | SHA256:— | |||
2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB2ECF0591C19D21C.TMP | — | |
MD5:— | SHA256:— | |||
2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF48C10D69AE4B9466.TMP | — | |
MD5:— | SHA256:— | |||
2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF34637706EAD588D1.TMP | — | |
MD5:— | SHA256:— | |||
2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1248140F-9446-445A-8314-F12BA98AAA66}.tmp | — | |
MD5:— | SHA256:— |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3716 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2380 | wmic.exe | 185.80.3.202:443 | iccf-bg.com | SuperHosting.BG Ltd. | BG | suspicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
dns.msftncsi.com |
| shared |
iccf-bg.com |
| suspicious |