File name: | Purchase Order 003263 Karl Crowell Insurance.eml |
Full analysis: | https://app.any.run/tasks/c5867549-18c1-4169-a90b-2e3a47356f64 |
Verdict: | Malicious activity |
Analysis date: | October 04, 2022, 22:36:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | message/rfc822 |
File info: | news or mail, ASCII text, with CRLF line terminators |
MD5: | 6AA549BF17A0594D4ADDD85DED9ACBF1 |
SHA1: | E13514FEC9DFA4CC04F24E1FDFE4095AF6004BF2 |
SHA256: | 05C369E9647D0552BDF05C9E17752FE8E067F233C615A7F119FD4B40029DEDFF |
SSDEEP: | 3072:lrxMA2CgPb1zDHz2NOOHftzbCZ3DHvcx7ZLW:i3Pdf2NO8fBCxr |
.eml | | | E-Mail message (Var. 2) (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3160 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Purchase Order 003263 Karl Crowell Insurance.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
4084 | "C:\Program Files\Internet Explorer\iexplore.exe" https://urldefense.com/v3/__https:/jorneysemola.app.box.com/notes/1031367226161?s=kr2viuy0unaqvdxa2nncfcw3ivn3wb5b__;!!LkjWUF49MRd51_ry!ZJ6tegCkfNrweOoWwqAwxyFO1z0c-ATFllwGZMjBxfDmWf2iZHw8s59j8uM6aiTlYxB3qjf44y6ETetSAV1byne8b6qHbz4MSUZxux-P$ | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3272 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4084 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1928 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4084 CREDAT:3413263 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE106.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3160 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
3272 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary | |
MD5:5F65A4C3A9178D93E52F484ECE7058F4 | SHA256:1391A35C5C77DBCCFF0CEF9ECC7B325E453EBF043691FA83824A60684741E14B | |||
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB95F372.dat | image | |
MD5:0C47CB7390112A8F964E1A4591B4F163 | SHA256:D166FF3514D92B82244E44A5D94C83732AEEF0363FB217CD80DDEAA21ABDFEFC | |||
3272 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:463F3CE3C73858FD04A2FF68B8B6ADE2 | SHA256:CF62F3A6E61409881E9EBE17A27248EAD36A8655E7B23118D6AFEF38CF870EB2 | |||
3272 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der | |
MD5:B6F52795B677B4E2AD47736FFE3704A5 | SHA256:C8AFF1F15506340E6ABD76C8A8382E9CAEBA4FA8E8483254CF7AB9D22C2A57FE | |||
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:3B79C5EE1C3AFB2A1D0C1E0738177622 | SHA256:ADFD0B577904003A7A021F045922D98B5E2F9FC95AE48EDC5E9D2006681C1372 | |||
4084 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | |
MD5:B8BDA0B382A7D056A4241B388338B778 | SHA256:7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2 | |||
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:F54C1DD9CF62E207FFC26EC2EF197AF4 | SHA256:F9B75AF59F684CDDD23005B05922F67ECBFDE31CB1672E371844D1FEDC124FAA | |||
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3160 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3272 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 1.42 Kb | whitelisted |
3272 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEA7ze%2BiSFHmYKH4I97FkjrU%3D | US | der | 471 b | whitelisted |
4084 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
1928 | iexplore.exe | GET | 200 | 172.217.20.67:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
3272 | iexplore.exe | GET | 200 | 67.26.137.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?65420842d452265b | US | compressed | 4.70 Kb | whitelisted |
3272 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D | US | der | 2.18 Kb | whitelisted |
3272 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCEA2KFitLH9n0LY9WTWFSpcE%3D | US | der | 471 b | whitelisted |
1928 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 2.18 Kb | whitelisted |
4084 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4084 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3272 | iexplore.exe | 67.26.137.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | malicious |
3272 | iexplore.exe | 104.18.32.68:80 | ocsp.comodoca.com | CLOUDFLARENET | — | suspicious |
4084 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
3272 | iexplore.exe | 52.204.90.22:443 | urldefense.com | AMAZON-AES | US | suspicious |
3160 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3272 | iexplore.exe | 74.112.186.144:443 | jorneysemola.app.box.com | GOOGLE-CLOUD-PLATFORM | US | suspicious |
3272 | iexplore.exe | 172.64.155.188:80 | ocsp.comodoca.com | CLOUDFLARENET | US | suspicious |
3272 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
1928 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
urldefense.com |
| shared |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |
jorneysemola.app.box.com |
| suspicious |