File name: | TCF Bank Customer Service Account Verification.msg |
Full analysis: | https://app.any.run/tasks/51bf86f7-2b7d-43a9-a3c2-42f996afe2ab |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 16:44:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | F519466A9F84D7AB5DA3DFB244DEF800 |
SHA1: | E7300390AE1BB2C188D16B4BCCF562C2F4F4382B |
SHA256: | 1624FE96189CB7A58E75013CEB45F7ED909C9070F3D89038241BDCAA08082EC1 |
SSDEEP: | 3072:7Fp9Dp9OIl3fyjjjjjjjjj4tcssxzGtpn/mqDZvzu1+9nyEtOOZIXh+sdssct4jK:z9Dp9OIl3fyjjjjjjjjj4tcssxzGtpnR |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2812 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\TCF Bank Customer Service Account Verification.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
3164 | "C:\Program Files\Internet Explorer\iexplore.exe" http://kuzminskaya.ru/wp.shtml | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
1328 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3164 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3616 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Version: 26,0,0,131 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2812 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR9689.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3164 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3164 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2812 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:0C4920A3369B38066CD6452C9D3D0439 | SHA256:092B37603540D07AE9A59D166972F87E794A64B29A0238D6F745CB8B657D67E6 | |||
1328 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\hotjar-385430.js[1].download | text | |
MD5:7A12C03A02DF1B1C401EF432A9A9143C | SHA256:5737EBA945CA071CDA5ECFC7AEEC001D0E43A3813FEA75B0FECE23AC15E59F0A | |||
1328 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\main[1].htm | html | |
MD5:4B120C72BA4CF200BB9483753500686A | SHA256:7DFE22046C57484E930F7A676A78D80C616A180F4C305A0A1EEEC461DEE4E10A | |||
1328 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\wp[1].htm | html | |
MD5:A79B46AAE74D5C0A33DDAABDCD964EBC | SHA256:D273C2559A051CEDDE8E5E3EF0441D682A0688EECBB1DE13F6C177AAF9B3798D | |||
3164 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018120620181207\index.dat | dat | |
MD5:88E8062C7BF99F8A506D8EA921AE868B | SHA256:2F82451FB3E0070B20DE72E3949BCCA7F5EE2EFFF6549691E446ADF985E83440 | |||
1328 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\master.min[1].css | text | |
MD5:99FF769E4BA04CF9956B087324DD2B70 | SHA256:6EEE4FA7AC781780F578C2B5B480ACD11EBBEC2A6604778D77534780635BD40F | |||
1328 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018120620181207\index.dat | dat | |
MD5:2104A9FED5E4AA4673034B110D75FFC6 | SHA256:0A0D7B8E7D85ECB2AE7F02E85494C1EE1675E97B6529CA213AB4D56AA6F72E9A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2812 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
1328 | iexplore.exe | GET | 200 | 80.78.250.103:80 | http://kuzminskaya.ru/wp.shtml | RU | html | 149 b | malicious |
3164 | iexplore.exe | GET | 404 | 80.78.250.103:80 | http://kuzminskaya.ru/favicon.ico | RU | html | 1.19 Kb | malicious |
— | — | GET | 200 | 104.109.73.63:80 | http://ssl.trustwave.com/issuers/STCA.crt | NL | der | 956 b | whitelisted |
1328 | iexplore.exe | GET | 200 | 13.107.4.50:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.2 Kb | whitelisted |
3164 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1328 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3164 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1328 | iexplore.exe | 80.78.250.103:443 | kuzminskaya.ru | Domain names registrar REG.RU, Ltd | RU | suspicious |
1328 | iexplore.exe | 172.217.168.34:443 | googleads.g.doubleclick.net | Google Inc. | US | whitelisted |
1328 | iexplore.exe | 172.217.168.40:443 | www.googletagmanager.com | Google Inc. | US | whitelisted |
1328 | iexplore.exe | 172.217.168.14:443 | s.ytimg.com | Google Inc. | US | whitelisted |
1328 | iexplore.exe | 80.78.250.103:80 | kuzminskaya.ru | Domain names registrar REG.RU, Ltd | RU | suspicious |
1328 | iexplore.exe | 216.58.215.226:443 | www.googleadservices.com | Google Inc. | US | whitelisted |
3164 | iexplore.exe | 80.78.250.103:80 | kuzminskaya.ru | Domain names registrar REG.RU, Ltd | RU | suspicious |
2812 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
kuzminskaya.ru |
| malicious |
psy-m.com |
| malicious |
www.bing.com |
| whitelisted |
s3.amazonaws.com |
| shared |
s.ytimg.com |
| whitelisted |
www.googleadservices.com |
| whitelisted |
www.google-analytics.com |
| whitelisted |
bat.bing.com |
| whitelisted |
www.googletagmanager.com |
| whitelisted |