File name: | phish_alert_sp2_2.0.0.0.eml |
Full analysis: | https://app.any.run/tasks/4f16712e-7edf-4eb9-a965-f3ca37acbe12 |
Verdict: | Malicious activity |
Analysis date: | September 30, 2020, 09:58:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators |
MD5: | 29E6C98EDE89CE2EAE67226B1E40E852 |
SHA1: | FBB160090F36D344142E870FB632A4A7629A00CD |
SHA256: | 17DB4BE7DBDAB21E7E91E4DFF8A82DC37E85CAADBC8373ED3259E49078C744C4 |
SSDEEP: | 192:rf4/oVOVxsQlOfZzrpXRhsi/LcEf8l3lyEapxyDFcyrSyS1yOOOOOOOOOKvOaRz:r4/2+wPzsijmjaxIZSuJ |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2696 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
944 | C:\Windows\system32\prevhost.exe {F8B8412B-DEA3-4130-B36C-5E8BE73106AC} -Embedding | C:\Windows\system32\prevhost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Preview Handler Surrogate Host Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1896 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZI8LKVAJ\Untitled attachment 00002.htm | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1960 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1896 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR75C7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZI8LKVAJ\Untitled attachment 00002 (2).htm\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2696 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:1BFC690AD72BB54098A404E3CB9A3625 | SHA256:B7B60E4F2D6690CCA16718B9BE38248C31044A44D2501E6AD54F649C012E2CD4 | |||
2696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:DE96D5BC07E5F83DEC3419FEB0AF5299 | SHA256:2C1AE9F807B08663FF25E52FC48A6929DFAEC6285C07E83E4394C33160C9B286 | |||
1960 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\LQYVYAD4.htm | html | |
MD5:71C280988FD3ED776BF96B4AAF1220EB | SHA256:CA9134D0C03434CE56C14B022B8CBC795839245EEA98C3416BA6549A97FB9A22 | |||
1960 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | der | |
MD5:1C400D233070530C717A810D7F9BC99E | SHA256:58B407B0DDF17FBF78FCB2E2DAD4FABAADA9BD88641F19941480951A200AE4E0 | |||
2696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZI8LKVAJ\Untitled attachment 00002 (2).htm | html | |
MD5:71849EB39AF98ED43DA0E7BC364A9483 | SHA256:E5680FE71091EB973AB1AF50C4807D96826A2E7C799E0E4A15214E760E272E9B | |||
2696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZI8LKVAJ\Untitled attachment 00002.htm | html | |
MD5:71849EB39AF98ED43DA0E7BC364A9483 | SHA256:E5680FE71091EB973AB1AF50C4807D96826A2E7C799E0E4A15214E760E272E9B | |||
944 | prevhost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\wbkD637.tmp | html | |
MD5:71849EB39AF98ED43DA0E7BC364A9483 | SHA256:E5680FE71091EB973AB1AF50C4807D96826A2E7C799E0E4A15214E760E272E9B | |||
1960 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary | |
MD5:B4BB3B0A8F626DE77B627BCD7B191A23 | SHA256:78C174B799E77387163555B9F86A5307E7E7D33BEF6B326EE379D628007938B8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2696 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
1960 | iexplore.exe | GET | 301 | 102.130.115.49:80 | http://redirects.sendgrid11092.cloud/?alt=media&token=91dc9f62-ce50-48b8-9084-ae0b5cd949da | unknown | html | 351 b | suspicious |
1960 | iexplore.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
1960 | iexplore.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
1960 | iexplore.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDqXuNQ97mPtAIAAAAAektt | US | der | 472 b | whitelisted |
1960 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D | US | der | 471 b | whitelisted |
1960 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY | US | der | 728 b | whitelisted |
1960 | iexplore.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDqXuNQ97mPtAIAAAAAektt | US | der | 472 b | whitelisted |
1960 | iexplore.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDM8p7YwCDvUCAAAAABXoPk%3D | US | der | 471 b | whitelisted |
1960 | iexplore.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDM8p7YwCDvUCAAAAABXoPk%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1960 | iexplore.exe | 142.250.74.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2696 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
1960 | iexplore.exe | 172.217.22.42:443 | firebasestorage.googleapis.com | Google Inc. | US | whitelisted |
— | — | 172.217.22.42:443 | firebasestorage.googleapis.com | Google Inc. | US | whitelisted |
— | — | 151.139.128.14:80 | ocsp.comodoca.com | Highwinds Network Group, Inc. | US | suspicious |
1960 | iexplore.exe | 172.217.16.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
— | — | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
— | — | 172.217.23.163:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
1960 | iexplore.exe | 102.130.115.49:443 | redirects.sendgrid11092.cloud | — | — | suspicious |
1960 | iexplore.exe | 102.130.115.49:80 | redirects.sendgrid11092.cloud | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
redirects.sendgrid11092.cloud |
| suspicious |
firebasestorage.googleapis.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
read110298.buzz |
| suspicious |
fonts.gstatic.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
www.bing.com |
| whitelisted |
api.bing.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
1960 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.cloud Domain |