File name: | Administrator has responded to your request for 'Standard Contact Block'.msg |
Full analysis: | https://app.any.run/tasks/02ed0cdf-c8ca-4b8f-835b-bdce5a7a9f39 |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 13:07:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | C5B839127BFECD4FA86145C04E7BE7CF |
SHA1: | C5ABEB7E958EA6DAE27DC6E240E7094998D6F394 |
SHA256: | 05D4A55A48541F6B3B2B5F271D3F670C9DFF15B9B68FA69C6060E0CC2AE3A50C |
SSDEEP: | 768:UKdndmd9EP50k5sRk7O0O47WsK3WsK4pqb9HoSzWsKg5N67rdD67O/SVof6iDNhg:1dM9EPDWfWg8vW4eJPfyHW |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3140 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator has responded to your request for 'Standard Contact Block'.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2832 | "C:\Program Files\Internet Explorer\iexplore.exe" https://nam04.safelinks.protection.outlook.com/ap/w-59584e83/?url=https%3A%2F%2Fepicor.sharepoint.com%2Fsites%2FHorizonContent%2FShared%2520Documents%2FGeneral%2FStandard%2520Contact%2520Block.docx%3Fd%3Dw3aef17d0280142c19f3c4ce263903f79&data=02%7C01%7CECain%40epicor.com%7C6440d7ee283b4470873508d6f65bcced%7C4f4f4c56a772461a967e7890c3960b3a%7C1%7C1%7C636967271478427240&sdata=WL3nATb0x0TSUsSNq11sT7OSreQJQBWQ53nEnCMzXCc%3D&reserved=0 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3120 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2832 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3140 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRDB23.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2832 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2832 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3120 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt | — | |
MD5:— | SHA256:— | |||
3120 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt | — | |
MD5:— | SHA256:— | |||
3120 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\authorize[1].txt | — | |
MD5:— | SHA256:— | |||
3140 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:10CDFD9A8CCAFC71AF5C9BE05ABF3A8C | SHA256:55D60942D13652D6BB4419415ADA6781B4278668E219ECA0C11CBCFFFD8B06BF | |||
3120 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:84F1BD6D3C9FCED7157D67F4E2A43338 | SHA256:D6B17434640C4B2E476A35751B04645FA4C3210D38B1F23BC82F22567DC2BEF5 | |||
3140 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_74811D62C2E9A647ACD6D0429BCB990E.dat | xml | |
MD5:B21ED3BD946332FF6EBC41A87776C6BB | SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 | |||
3120 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\converged.v2.login.min_bxeixgi3llnj-nuc4-xqwa2[1].css | text | |
MD5:6F11225E02372CB349FA7B9CE3E5EAC0 | SHA256:21CC48423EE47207382CC9C1C3885913079BE17805E6FF81E76E0E7165CA32CD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2832 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3120 | iexplore.exe | 20.190.137.98:443 | login.windows.net | Microsoft Corporation | US | suspicious |
3120 | iexplore.exe | 13.107.136.9:443 | epicor.sharepoint.com | Microsoft Corporation | US | whitelisted |
2832 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3120 | iexplore.exe | 104.47.46.28:443 | nam04.safelinks.protection.outlook.com | Microsoft Corporation | US | whitelisted |
3140 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3120 | iexplore.exe | 40.126.9.66:443 | login.microsoftonline.com | Microsoft Corporation | US | unknown |
3120 | iexplore.exe | 152.199.23.37:443 | aadcdn.msftauth.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
2832 | iexplore.exe | 152.199.23.37:443 | aadcdn.msftauth.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
3120 | iexplore.exe | 184.31.91.84:443 | secure.aadcdn.microsoftonline-p.com | Akamai International B.V. | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
nam04.safelinks.protection.outlook.com |
| whitelisted |
www.bing.com |
| whitelisted |
epicor.sharepoint.com |
| suspicious |
login.windows.net |
| whitelisted |
login.microsoftonline.com |
| whitelisted |
aadcdn.msftauth.net |
| whitelisted |
secure.aadcdn.microsoftonline-p.com |
| whitelisted |