URL: http://ucsd-webapp.7m.pl/hsmail/ucsd/owa/Outlook%20Web%20App.html
Full analysis: https://app.any.run/tasks/cc229a8b-d278-4434-99ec-9e66b166b744
Verdict: Malicious activity
Analysis date: September 07, 2018, 17:50:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: —
Indicators: —
MD5: E94A6D5A95AD20EF9865F895398D72B1
SHA1: 46426E2F908DA02B7F0E7735218F7E39A988E626
SHA256: 0B5A742FDF7522ABA019CED4ABB14B3CA0F11D2AFEE696D61E1E608F092ECFF5
SSDEEP: 3:N1KL4QDiW5IL3RByOA9gX6V5uJn:CMYHOA9ZVwJn
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Version
---|---|---|---|---|---|---|---|---|---
2120 | "C:\Program Files\Internet Explorer\iexplore.exe" http://ucsd-webapp.7m.pl/hsmail/ucsd/owa/Outlook%20Web%20App.html | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255)
2172 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2120 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2120 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHUAAB7W\favicon[1].ico | — | — | —
2120 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2172 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018090720180908\index.dat | dat | C119FA15C561AA5A3BCDB96CAD4D69F9 | C54691BBFAB1349C5A8BF466A0649409889624C355C7EF2E30C95A1B8D2F04DB
2172 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XBSSZHSR\flogon.js[1].download | text | 4FFFC7A2F8347CCF6F476E2FDC9F80E5 | 9DF110E704669AC9AA0FD7F8CED706C08E607009AAD5BF9607679537998A2EE0
2172 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT | smt | 2BFFB1464FE701EFC8E0695C3ABBCDE6 | AFA5A6A2647CBD511D4DD96E13E2F113FB9C14F8C4F656FAAD0816C37B0947D9
2172 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MJG226QK\Outlook%20Web%20App[1].htm | html | 3DAFC3441F92263CD91CD0E41EFCCC48 | 109E6C34EAAC9E304493AEB92A66A67A030A6713E8FEB07E7ACE46B8D01C9F0F
2172 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat | dat | 6913B0648F95CA12B68DF97B4AC35025 | 67D69295B717A2DD13F829B7BD8ABB042AFE22029F8122F0F46DF76C56E54652
2172 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MJG226QK\robot[1].js | text | 3989EC6E557A54899DF7178D97EE72E3 | 155F47B4257ED5352385F7D8B06DD567DA1FE0FB3FA4C0A9996D250846DB0600
2172 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\4935IXA8\ucsd-webapp.7m[1].xml | text | 24ACC1FD5108D73E78AB88966E96D5E4 | E508542FFC7CB0F836A9DBFF596DF51188D2B53CBA2D7881F8E0BA4240C959C4
2172 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5A31W00O\lgntopl[1].gif | image | CB58FADBCB38C91ECA38D856FB2ECF0A | 3399C024F898D2ED9078B197FA0184622D1B1F9FB26C546C63E5D0FA04C9D73D
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2172 | iexplore.exe | GET | — | 88.99.33.244:80 | http://ucsd-webapp.7m.pl/hsmail/ucsd/owa/Outlook%20Web%20App_files/logon.css | DE | — | — | malicious |
2172 | iexplore.exe | GET | 200 | 88.99.33.244:80 | http://ucsd-webapp.7m.pl/hsmail/ucsd/owa/Outlook%20Web%20App_files/lgnbotl.gif | DE | image | 2.25 Kb | malicious |
2172 | iexplore.exe | GET | 200 | 88.99.33.244:80 | http://ucsd-webapp.7m.pl/hsmail/ucsd/owa/Outlook%20Web%20App.html | DE | html | 3.58 Kb | malicious |
2172 | iexplore.exe | GET | 200 | 88.99.33.244:80 | http://ucsd-webapp.7m.pl/hsmail/ucsd/owa/Outlook%20Web%20App_files/flogon.js.download | DE | text | 3.92 Kb | malicious |
2172 | iexplore.exe | GET | 200 | 88.99.33.244:80 | http://ucsd-webapp.7m.pl/hsmail/ucsd/owa/Outlook%20Web%20App_files/lgntopr.gif | DE | image | 2.34 Kb | malicious |
— | — | GET | 200 | 216.58.211.98:80 | http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | US | text | 26.6 Kb | whitelisted |
2172 | iexplore.exe | GET | 200 | 88.99.33.244:80 | http://ucsd-webapp.7m.pl/hsmail/ucsd/owa/Outlook%20Web%20App_files/lgntopl.gif | DE | image | 5.62 Kb | malicious |
2172 | iexplore.exe | GET | 200 | 88.99.33.244:80 | http://ucsd-webapp.7m.pl/hsmail/ucsd/owa/Outlook%20Web%20App_files/logon.css | DE | text | 2.77 Kb | malicious |
2172 | iexplore.exe | GET | 200 | 88.99.33.244:80 | http://ucsd-webapp.7m.pl/hsmail/ucsd/owa/Outlook%20Web%20App_files/lgnbotr.gif | DE | image | 1.77 Kb | malicious |
2172 | iexplore.exe | GET | 200 | 88.99.33.244:80 | http://ucsd-webapp.7m.pl/hsmail/ucsd/owa/Outlook%20Web%20App_files/owafont.css | DE | text | 4.71 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2120 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2172 | iexplore.exe | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2120 | iexplore.exe | 132.239.82.186:443 | hsmail.ucsd.edu | University of California, San Diego | US | unknown |
2172 | iexplore.exe | 216.58.212.162:443 | adservice.google.fr | Google Inc. | US | whitelisted |
2120 | iexplore.exe | 104.17.102.175:80 | crt.usertrust.com | Cloudflare Inc | US | shared |
2172 | iexplore.exe | 104.40.240.52:443 | login.microsoftonline.com | Microsoft Corporation | NL | whitelisted |
2172 | iexplore.exe | 13.107.6.156:443 | www.office.com | Microsoft Corporation | US | whitelisted |
2172 | iexplore.exe | 88.99.33.244:80 | ucsd-webapp.7m.pl | Hetzner Online GmbH | DE | malicious |
2172 | iexplore.exe | 172.217.17.34:443 | adservice.google.com | Google Inc. | US | whitelisted |
— | — | 216.58.211.98:80 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
ucsd-webapp.7m.pl | — | malicious
www.bing.com | — | whitelisted
dns.msftncsi.com | — | shared
pagead2.googlesyndication.com | — | whitelisted
adservice.google.fr | — | whitelisted
adservice.google.com | — | whitelisted
7m.pl | — | whitelisted
hsmail.ucsd.edu | — | unknown
crt.usertrust.com | — | whitelisted
www.office.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
2172 | iexplore.exe | Potentially Bad Traffic | ET INFO Possible Phish - Saved Website Comment Observed |
2172 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL |
2172 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Likely Cloned .EDU Website Phishing Landing 2018-02-02 |
2172 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS Possible Successful Generic Phish Jan 14 2016 |