File name: | malicous_email.msg |
Full analysis: | https://app.any.run/tasks/3d687e2a-d1ae-4349-af06-29af78bc99a4 |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 18:22:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 73AFA476920CE270F3A884C3924783E6 |
SHA1: | CE5658C6D409EEBF27743EF69FE5970F1D2A5F91 |
SHA256: | 1412D2E328C8D9A01D47EBDDD2E98257DB59E3817FDC7BF238AAAD017A658E2E |
SSDEEP: | 6144:cLc4kvX5sBoQGoNQJTVErdgwSJh0mn4QuOd8MVzEcfacTObj:cWoiJBs/SwpQF1Qcffs |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1704 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\malicous_email.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
3976 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J9XXVPLB\message_v2.rpmsg | C:\Windows\system32\rundll32.exe | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2220 | "C:\Program Files\Internet Explorer\iexplore.exe" https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cVI1PR0402MB284748D4BD5B6375756BBCA2E75A9%40VI1PR0402MB2847.eurprd04.prod.outlook.com%3e | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1000 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2220 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1704 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE6BA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1704 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
1000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_1941775A515122A167E3FBACF08992E1 | binary | |
MD5:01F02CAF4AE5AEDA2630BA49FCD0FF16 | SHA256:89826C7B2BE9292752CB0AAD43B760C767DC8FAD55ED71A2FB57F83820094AF6 | |||
1704 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:BB2500835907EF5FF5A98B9E80834520 | SHA256:1C16CDC759E62AE73FDEDB61635D46B888270338523A65335BA265B85B17C4F6 | |||
1704 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:E893C4604D91DC332A912A1D46A600CC | SHA256:11563AB2B3D5192EE7A63D22B6E1D33C72DCF7751EBA55DF15E99B68F46D0C3E | |||
1704 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_DFAD1754B8544E49AC640544C6D1A926.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |||
1000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:39A53BA63266042D4121FBBD18A2FEA7 | SHA256:02EA814E1957A14F1F3ECBB7B1DD17E9AF491E29F6B28EE77BC4855E1ABEF2DC | |||
1704 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J9XXVPLB\message_v2 (2).rpmsg | rpmsg | |
MD5:002886FB8293716BBA3022873C51BE1E | SHA256:CCB9CE180602DEAC1FAD538ABA0C527A1A6B02985F5CEAC8FB286AC51EEF552F | |||
1704 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J9XXVPLB\message_v2.rpmsg | rpmsg | |
MD5:002886FB8293716BBA3022873C51BE1E | SHA256:CCB9CE180602DEAC1FAD538ABA0C527A1A6B02985F5CEAC8FB286AC51EEF552F | |||
1000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_1941775A515122A167E3FBACF08992E1 | der | |
MD5:E801D1A2D51ABEC12AA55BC30483F34D | SHA256:D7B952A955D4089706D9D5E3A8036B950F8B9D52B24A20100016B359EA06A27E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1000 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
1000 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
— | — | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.68 Kb | whitelisted |
1000 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA8XGkjG8iOAkhjNLtbdwOg%3D | US | der | 471 b | whitelisted |
1000 | iexplore.exe | GET | 200 | 104.18.25.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSjA8CoiHvUecQnjrXXWH08EsBNpAQU%2Fy9%2F4Qb0OPMt7SWNmML%2BDvZs%2FPoCE38AIDfLvRE4agVL6JIAAAAgN8s%3D | US | der | 1.70 Kb | whitelisted |
1000 | iexplore.exe | GET | 200 | 23.32.238.201:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?abf27f95aec7368b | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1704 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
1000 | iexplore.exe | 52.97.137.82:443 | outlook.office365.com | Microsoft Corporation | US | unknown |
1000 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1000 | iexplore.exe | 23.32.238.201:80 | ctldl.windowsupdate.com | XO Communications | US | suspicious |
2220 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2220 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
1000 | iexplore.exe | 20.190.159.132:443 | login.microsoftonline.com | Microsoft Corporation | US | suspicious |
2220 | iexplore.exe | 152.199.23.37:443 | aadcdn.msftauth.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
1000 | iexplore.exe | 152.199.23.37:443 | aadcdn.msftauth.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
dns.msftncsi.com |
| shared |
outlook.office365.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
login.microsoftonline.com |
| whitelisted |
aadcdn.msftauth.net |
| whitelisted |
login.live.com |
| whitelisted |