File name: | 760284.eml |
Full analysis: | https://app.any.run/tasks/79c8144a-7ec2-45b4-a788-e371850e17e3 |
Verdict: | Malicious activity |
Analysis date: | December 06, 2022, 00:48:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | message/rfc822 |
File info: | SMTP mail, UTF-8 Unicode text, with CRLF line terminators |
MD5: | F7787083485EC9409C9E753BC36ECF4F |
SHA1: | 5D4BDF9210DC99F111C9DA687AB729248F342D71 |
SHA256: | 1FCA7A862D7D72BDDB747B20BC4439C878F65709E60F7A633C5F706899A6B437 |
SSDEEP: | 6144:xvqQ3zwnsX+yHHvqIkUQ3VBURhy6FRChNCB4VzMX:Xz2MqcQ3VKzHFczCBz |
.eml | | | E-Mail message (Var. 1) (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2436 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\760284.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
2440 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | OUTLOOK.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Excel Version: 14.0.6024.1000 Modules
| |||||||||||||||
2520 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
2148 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
3636 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1404 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3892 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 Modules
| |||||||||||||||
4052 | C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx | C:\Windows\System32\regsvr32.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1952 | C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx | C:\Windows\System32\regsvr32.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3404 | C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx | C:\Windows\System32\regsvr32.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRF775.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2436 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:9445EED26512954EDA2545607801B855 | SHA256:1B1C036CA153DECB672C5A0F66D07F06128AB321A918BDEA436AA30FD6B69D9F | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmpF841.tmp | binary | |
MD5:531EEFEA4D912120940235331C152511 | SHA256:DD91F56FCB3977E3CD2FE3D4CEC292ECFEEAF37EF48516B0F011FE909588CD12 | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:CDC32A1C250F856935F42BF4E21631DD | SHA256:DBD087ACCCBA2A2B77412E0765C1CD9DC2652FB1234B0E1FDF0242B8E8D6304B | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\I7WVDEYT\comments-101 (2).xls | document | |
MD5:4A39482F8109165A29E5F2982C57A895 | SHA256:3809CB404F536733812960E2C738DE5FDED540678064FF026583E48E4F7B3025 | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\I7WVDEYT\comments-101.xls | document | |
MD5:4A39482F8109165A29E5F2982C57A895 | SHA256:3809CB404F536733812960E2C738DE5FDED540678064FF026583E48E4F7B3025 | |||
2520 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD4D5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_D46E0D224FDAC84DACE01D8A34C26904.dat | xml | |
MD5:57F30B1BCA811C2FCB81F4C13F6A927B | SHA256:612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3 | |||
2436 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{65C6D6EE-310E-44D5-976F-6A5DA49FBE74}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:4C61C12EDBC453D7AE184976E95258E1 | SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3892 | EXCEL.EXE | GET | — | 192.124.249.9:80 | http://www.demarsoft.com/ALPHAINSTALLS.US/lTsjpA6/ | US | — | — | malicious |
3892 | EXCEL.EXE | GET | 301 | 192.124.249.9:80 | http://demarsoft.com/ALPHAINSTALLS.US/lTsjpA6/ | US | — | — | malicious |
3892 | EXCEL.EXE | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4326b3a273683009 | US | compressed | 4.70 Kb | whitelisted |
3892 | EXCEL.EXE | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c5d59162c3c11ded | US | compressed | 61.4 Kb | whitelisted |
3892 | EXCEL.EXE | GET | 301 | 151.106.105.154:80 | http://cloudxml.com.br/L45R4qJJFH/ESXAIhm/ | DE | html | 707 b | unknown |
3892 | EXCEL.EXE | GET | 200 | 66.96.147.201:80 | http://clockworktradeservices.com/wp-admin/uFRWXkuTnDAbQtIO/ | US | html | 6.27 Kb | suspicious |
3892 | EXCEL.EXE | GET | 200 | 184.24.9.54:80 | http://x1.c.lencr.org/ | DE | der | 717 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2436 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3892 | EXCEL.EXE | 151.106.105.154:80 | cloudxml.com.br | Hostinger International Limited | DE | unknown |
3892 | EXCEL.EXE | 151.106.105.154:443 | cloudxml.com.br | Hostinger International Limited | DE | unknown |
3892 | EXCEL.EXE | 66.96.147.201:80 | clockworktradeservices.com | BIZLAND-SD | US | malicious |
3892 | EXCEL.EXE | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
3892 | EXCEL.EXE | 192.124.249.9:80 | demarsoft.com | SUCURI-SEC | US | malicious |
3892 | EXCEL.EXE | 184.24.9.54:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown |
3892 | EXCEL.EXE | 41.63.0.22:443 | copunupo.ac.zm | ZAMREN | ZM | unknown |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
dns.msftncsi.com |
| shared |
demarsoft.com |
| malicious |
www.demarsoft.com |
| malicious |
clockworktradeservices.com |
| suspicious |
cloudxml.com.br |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
copunupo.ac.zm |
| unknown |