File name: | Debit card delivery.msg |
Full analysis: | https://app.any.run/tasks/5ce2c5e3-5cca-4773-bfc3-6c1e5790e6e9 |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 01:02:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | E5EBDE52384112B50FF4DC98A29FB5EB |
SHA1: | 026BAE6F706E4A2BEF00B9A0342ECB5352D99899 |
SHA256: | 2B197686FE4ABD7043D762DAA101FECCFC3AA524C9D412C72C9518FE421B8395 |
SSDEEP: | 1536:QA/A/u39/P6+O4WC3EV5ZS0tRiKqiv9/g:v6+O4WC0TZVtRiIK |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3720 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Debit card delivery.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
1328 | "C:\Program Files\Internet Explorer\iexplore.exe" https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fbit.do%2FPaymentAramex&data=05%7C01%7Cjahangir.khan9%40hbl.com%7C76d5a769c59246d92a9308da7b4991e4%7Cc219af2ace6c45bf863be09d59889053%7C0%7C0%7C637957853149607726%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=gLJOgA4M9JveXTmgHRGMqzvxPqoTjljFhtIWqXml18s%3D&reserved=0 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
304 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1328 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2668 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1328 CREDAT:267534 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3720 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRBC5C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3720 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
3720 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:5BECACC1A1E6338EBD2852EE0FE5E91A | SHA256:7493AC99ABD65E46287995B599C6C059521017B75B4B2560FC6F9329D694150D | |||
1328 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | |
MD5:B8BDA0B382A7D056A4241B388338B778 | SHA256:7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2 | |||
304 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | binary | |
MD5:C4749008973A278983A8C2B6C57997F2 | SHA256:7A76B6F5C061074D7C3D4BCDE3D43211DDDA862E89FD10F6A01643D8229EE63D | |||
304 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:4D0E4E769A91E272F77F505273E8C910 | SHA256:594703606F6706F5640376B1B5FFAE4CAE791848D26360A9E4C8805C8A1D59A0 | |||
3720 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 | |||
3720 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:7BD8A122DC4CABD84BA2BB1F7882397A | SHA256:55D8DFF8C9ADBA8C85CC89BF76B9CCBD466A1DE7C40CF2DAF669A5279A556611 | |||
304 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\PaymentAramex[1].htm | html | |
MD5:A520A14D1741D75A734C9171C90178AE | SHA256:95196DC87F1A3625FB25FBC57FC2E77B03C7665AEC950F3AB67469608E43897C | |||
3720 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_4CA33CE50F7D5241AD597E02E7170597.dat | xml | |
MD5:D8B37ED0410FB241C283F72B76987F18 | SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3720 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
304 | iexplore.exe | GET | 200 | 142.250.180.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
304 | iexplore.exe | GET | 301 | 23.21.31.78:80 | http://bit.do/PaymentAramex | US | html | 328 b | shared |
1328 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
304 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6168945866392452 | US | compressed | 4.70 Kb | whitelisted |
304 | iexplore.exe | GET | 200 | 142.250.180.227:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEGOlwNI5ZtyUEgHpNAgRyd0%3D | US | der | 471 b | whitelisted |
304 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted |
304 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D | US | der | 471 b | whitelisted |
304 | iexplore.exe | GET | 200 | 142.250.180.227:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
304 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?334e00726304389c | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
304 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
304 | iexplore.exe | 104.47.11.220:443 | eur02.safelinks.protection.outlook.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
304 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
3720 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
304 | iexplore.exe | 92.123.13.139:80 | x1.c.lencr.org | AKAMAI-AS | AT | unknown |
304 | iexplore.exe | 23.21.31.78:80 | bit.do | AMAZON-AES | US | suspicious |
304 | iexplore.exe | 151.101.194.159:443 | biancalynch.com | FASTLY | US | malicious |
1328 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
1328 | iexplore.exe | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
304 | iexplore.exe | 142.250.180.232:443 | www.googletagmanager.com | GOOGLE | US | suspicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
eur02.safelinks.protection.outlook.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
bit.do |
| shared |
biancalynch.com |
| malicious |
x1.c.lencr.org |
| whitelisted |
www.googletagmanager.com |
| whitelisted |