Field | Value |
---|---|
File name: | message (9).eml |
Full analysis: | https://app.any.run/tasks/49a9bb01-daeb-4ac4-8519-6dc6f4c04cad |
Verdict: | Malicious activity |
Analysis date: | November 29, 2020, 19:02:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | — |
Indicators: | — |
MIME: | text/html |
File info: | HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators |
MD5: | 4EC30ACEBD00CC4AF46F407FF8C9DAA9 |
SHA1: | 5D24DB0940685C1FF4511B8E872EAE0908276D94 |
SHA256: | 169E78ED30F2A26661D698B378AC0689EE1322A5FAA6C5BF9409E4B80748D69C |
SSDEEP: | 768:IeFMzVRviWKxay2C2ickE7Pmmn7/ipkG39E70x7qLod9PRPWZg7KC:IeFMnKW/y47X7c39E70TPRPWZgeC |
PID | CMD | Path | Indicators | Parent process | User | Company | Description | Integrity Level | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
2208 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\message (9).eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | — | explorer.exe | admin | Microsoft Corporation | Microsoft Outlook | MEDIUM | 0 | 14.0.6025.1000 |
2228 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GG1M434I\CompensationClaim-1725245392-11242020.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | OUTLOOK.EXE | admin | Alexander Roshal | WinRAR archiver | MEDIUM | 0 | 5.60.0 |
1696 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | WinRAR.exe | admin | Microsoft Corporation | Microsoft Excel | MEDIUM | 0 | 14.0.6024.1000 |
3756 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | EXCEL.EXE | admin | Microsoft Corporation | Microsoft Excel | LOW | 0 | 14.0.6024.1000 |
3460 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | WinRAR.exe | admin | Microsoft Corporation | Microsoft Excel | MEDIUM | 0 | 14.0.6024.1000 |
3240 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | EXCEL.EXE | admin | Microsoft Corporation | Microsoft Excel | LOW | 0 | 14.0.6024.1000 |
4056 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | Microsoft Excel | MEDIUM | 0 | 14.0.6024.1000 |
3728 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | EXCEL.EXE | admin | Microsoft Corporation | Microsoft Excel | LOW | 0 | 14.0.6024.1000 |
3556 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | Microsoft Excel | MEDIUM | 0 | 14.0.6024.1000 |
3724 | regsvr32.exe -s C:\LotWin\LotWin2\Horsew.dll | C:\Windows\system32\regsvr32.exe | — | EXCEL.EXE | admin | Microsoft Corporation | Microsoft(C) Register Server | MEDIUM | 3 | 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR3458.tmp.cvr | — | — | — |
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GG1M434I\CompensationClaim-1725245392-11242020 (2).zip\:Zone.Identifier:$DATA | — | — | — |
1696 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR87A8.tmp.cvr | — | — | — |
1696 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF684938635763C313.TMP | — | — | — |
1696 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\OICE_DE3BC4FE-46F7-413B-B7CD-38DFCC01A03B.0\E1C43EE8.xls\:Zone.Identifier:$DATA | — | — | — |
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | B76AA43A3514CB9F5C27C9F535AA4416 | 4D48EE00D938232F6D9458E38CB7C81F4BBAF2D581D4B57AD2D158AE2FBD5102 |
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 57257C4867F362CD498F5D0B76DCEF0E | D384363749E897A2046EABCA5229D0437B74FD2903E1D852D8B29ECE5EE2BCCA |
3756 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\OICE_DE3BC4FE-46F7-413B-B7CD-38DFCC01A03B.0\~DF20D7A6321AB0CA97.TMP | — | — | — |
3756 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\OICE_DE3BC4FE-46F7-413B-B7CD-38DFCC01A03B.0\~DF45DFE0B3944B8C72.TMP | — | — | — |
1696 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF12BC7950FC497717.TMP | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2208 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
1216 | EXCEL.EXE | GET | — | 107.180.77.213:80 | http://hebronfm.covenantuniversity.edu.ng/cusqxiihxze/923753.jpg | US | — | — | suspicious |
3556 | EXCEL.EXE | GET | — | 107.180.77.213:80 | http://hebronfm.covenantuniversity.edu.ng/cusqxiihxze/923753.jpg | US | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1216 | EXCEL.EXE | 107.180.77.213:80 | hebronfm.covenantuniversity.edu.ng | GoDaddy.com, LLC | US | suspicious |
3556 | EXCEL.EXE | 107.180.77.213:80 | hebronfm.covenantuniversity.edu.ng | GoDaddy.com, LLC | US | suspicious |
2208 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com | — | whitelisted |
hebronfm.covenantuniversity.edu.ng | — | suspicious |