File name: | Correo.msg |
Full analysis: | https://app.any.run/tasks/92931d5c-4f5d-46af-8914-2262fa6e6d21 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 08:10:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | AA64C38D2211F8416F836B97F23E3E5A |
SHA1: | E7F2D21C433550624AE17073E1376DBA94B9C4F1 |
SHA256: | 08A8A0328E959B40A9905ED491FA71ED36A601046A313E8F0598C1AC3B0CA46A |
SSDEEP: | 3072:BGTzC8aLXOKzZ2UFdSzq/5NcCF+4gAjyw9vLIifQWZ2PYL4q/hh:MTOxOcsUF8zq/S4wq/ |
.msg | | | Outlook Message (45.3) |
---|---|---|
.oft | | | Outlook Form Template (26.5) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2596 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Correo.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
2204 | "C:\Program Files\Internet Explorer\iexplore.exe" https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313632f7-454445555731-1d4f8f0907e9394e&q=1&e=9c83c2fb-6964-47c2-8864-9f8c3d7eb76d&u=https%3A%2F%2Fjoinfishbowl.com%2Flive_trkptkoga5 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1380 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2204 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2664 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2204 CREDAT:660747 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
956 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2204 CREDAT:3413271 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2596 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR5C7E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2596 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
2596 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:27D5FA25A398A7996541FAE02FB40F6F | SHA256:EE5F596BC634C225FD8102AA6C32AE91B95DBDE838B39216B78713C442A93818 | |||
2596 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BCB67D7ECB470284AF35679F339E879F | der | |
MD5:2B766E3250A854E478284AD11D923C8B | SHA256:F384AED02B5C5F3EF7EAF1154F124A585A6541F3CA656E05D946E8436268BCB5 | |||
2596 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | der | |
MD5:C7B33A5171B37E83B2AC6D3473E63BE3 | SHA256:334F918A1C31E0077473B071BD772E41E445988FD3237E99DE91576DD604E0C1 | |||
2596 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F | der | |
MD5:8352A68E577A4F7AA01A568BA9110CF9 | SHA256:0F7F8E22508EFC9EAF167F51ED956BC7703C69B0B848A0B94A5D988AEAA369A0 | |||
2596 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:EB9A8426CEB162FEC0460B9F3ECD654A | SHA256:34ABB3FFE59E9D7915875A543E5BB1338B63A0187D5E9FCBECAF9762D86AE9C9 | |||
2596 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{C8B22604-2682-43D3-8404-12A016C72588}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:4C61C12EDBC453D7AE184976E95258E1 | SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F | |||
2596 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:7AF4BB4E262A452F0313475D2CFA9D85 | SHA256:5F4B3A9865699C856A858B9E02EA06F2F1C92EE3192E3A40D2B3150B2F754552 | |||
2596 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BCB67D7ECB470284AF35679F339E879F | binary | |
MD5:D6729A8F2375A65A48AA1EDCC6B2EC33 | SHA256:DF2304C770405C4789052B6D49FAD393034447F70EA0D95BEAD2EDC2213CA4F9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2596 | OUTLOOK.EXE | GET | 200 | 18.66.242.155:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
2596 | OUTLOOK.EXE | GET | 200 | 143.204.101.195:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
2596 | OUTLOOK.EXE | GET | 200 | 13.32.118.119:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
1380 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
2204 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
2596 | OUTLOOK.EXE | GET | 200 | 167.89.123.124:80 | http://url6814.fishbowlinvites.com/wf/open?upn=nAITq6FnM0Z-2BzwYFZ6zErXhbXV8wfg2mOpXkRr7zKoBMvzO1RhsFHolJewPeGQJKzjg-2B-2FcYZZLWbqjpk9eTVn0n0xWxyMxIh3giAcqN7pQe5GFFjZ7v9OweDeCcRWPHSufuduLgQt2G2cqqJa7kXB5tk5koo8-2BdNZgkdm2RSHrMCqNOKYj0idOZ9SrScbbfdPhgG6mXtT8OGKSpPzr0iH-2FBjn8S-2F7eLNPFeFPptE5woGusxleM31jHxxYvBDm9VF3luidl7c2upKNkjsP4Jl0y04rP5LufY-2F5KMv-2BvKmDd9ohAz6S1Y5fcf-2BcpqC-2FLr2E-2BlmcXheJDRlkddd7z7zW-2FKBLOEB-2FYO7hqVK7d3vgj-2FR3kF-2BMBfMv-2FM-2BiQAfPnasnPY99lPdcbXg9ezzMkH-2FSfzI1vrjiVMFj8nHrp6-2FUyM-3D | US | image | 43 b | suspicious |
2204 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
2204 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted |
956 | iexplore.exe | GET | 200 | 167.89.118.52:80 | http://url6814.fishbowlinvites.com/asm/unsubscribe/?user_id=3922174&data=Y2pKb_iITacBF_GWfl6reAFhrTF6TbOhs0eIVOEzWhZoMDAwdTAwMI6SEGN7GedZ3xcUvJ8CKsui5YMlF6CDUfM4WV1Ak0_cbnxHxnQLw4EIItyHnfpiOybVGBo2eHZy05tH6DXmae-nRissf2OYK-FgA_2ZvUQmtjM88KmxDQf9QsnROsB78DP7PQjbHe5DTkuaS6Kg0dobexCayVZIxWfOyQ8qMVdXruz-hCQCvetoxbW0-BWk4b0GqpW3aPPuRVvGh5ieqffzeREtkwcaeLZ0oNRejhjbniQJzCrZSJ48F354QCzOTB8kdFZdTmjC3JbvY-jOxcFF1pt53fHxKWVQid_KzW7PzfXdaOAN2GRuqJ1Q5qi51p4ff058jg1zkMqUtgyi7uRvAaJR5PIyR6z-GvKstf27pJlEqigA3beJwJg8VhILjN8KF4cnShpvXZzbFCxxzfDnhN0A-jW6XARMt5abTpZQQC4BIim63PDwYii8FL4kGUWwGX98fDpHiFG3T7ckAGjN9_vVVcbjyTkY6ag1XjEkNva8AaOhTEMgzRkLABP05FZR-J0lu5_qy-RG7qJ0dzQ= | US | html | 1.19 Kb | suspicious |
2596 | OUTLOOK.EXE | GET | 200 | 18.66.107.167:80 | http://crl.rootg2.amazontrust.com/rootg2.crl | US | der | 660 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2596 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2596 | OUTLOOK.EXE | 167.89.123.124:80 | url6814.fishbowlinvites.com | SendGrid, Inc. | US | suspicious |
2596 | OUTLOOK.EXE | 18.66.248.58:443 | dslntlv9vhjr4.cloudfront.net | Massachusetts Institute of Technology | US | suspicious |
2596 | OUTLOOK.EXE | 18.66.242.155:80 | ocsp.rootg2.amazontrust.com | Massachusetts Institute of Technology | US | whitelisted |
2596 | OUTLOOK.EXE | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2596 | OUTLOOK.EXE | 143.204.101.195:80 | o.ss2.us | — | US | unknown |
1380 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2596 | OUTLOOK.EXE | 13.32.118.119:80 | ocsp.rootca1.amazontrust.com | Amazon.com, Inc. | US | whitelisted |
2596 | OUTLOOK.EXE | 18.66.107.167:80 | crl.rootg2.amazontrust.com | Massachusetts Institute of Technology | US | whitelisted |
2204 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
dslntlv9vhjr4.cloudfront.net |
| whitelisted |
url6814.fishbowlinvites.com |
| suspicious |
ctldl.windowsupdate.com |
| whitelisted |
o.ss2.us |
| whitelisted |
ocsp.rootg2.amazontrust.com |
| whitelisted |
crl.rootg2.amazontrust.com |
| whitelisted |
ocsp.rootca1.amazontrust.com |
| shared |
protect2.fireeye.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1380 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
1380 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2664 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2664 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |