File name: | Del Coleman shared Grants Financial Publishing with you.msg |
Full analysis: | https://app.any.run/tasks/c80c75c3-c057-4feb-b80e-b134bd30177c |
Verdict: | Malicious activity |
Analysis date: | October 04, 2022, 20:18:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | E8C853147226C937967A467B7BABD259 |
SHA1: | E85DD1AEEFE757D46B1BB68932A480A0485099DF |
SHA256: | 2B502674D7DF2F4F19EFC1643AC21F2DFAA742552AB60EC1CFC6B19DB8F76318 |
SSDEEP: | 1536:tcsUtzOxmhv6sWLWDM6GxNSiL+DRD0ii4TsUrq3DZpvjZsNM1:ZUtzYmhv3yGVdi4YUrqTZpvCNM1 |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3160 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Del Coleman shared Grants Financial Publishing with you.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
3420 | "C:\Program Files\Internet Explorer\iexplore.exe" https://urldefense.proofpoint.com/v2/url?u=https-3A__nam02.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgrantspub-2Dmy.sharepoint.com-252F-253Ao-253A-252Fp-252Fdel-5Fcoleman-252FEriQsPMI-2DNFGldapQH2lssEBlDglp17EX46TXnwa-2DLHj4Q-253Fe-253D5-25253a5HYxbx-2526at-253D9-26data-3D05-257C01-257CDel.Coleman-2540grantspub.com-257Cf41ebc89fc5a4570ad1408daa56f6d86-257Ce25181ba663a480f86e84e5c6769fc1f-257C0-257C0-257C638004195244256924-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C3000-257C-257C-257C-26sdata-3DHKnIDu5OZY2v3ZNW6s5wfWy011QRvcRqyqx-252BUfDcNfY-253D-26reserved-3D0&d=DwMFAg&c=GZoMOH7U6RHQ42pg3fQ0Q575tW81N9XCiI6bkcRUYcQ&r=TXqhuVLK80ZLOHlbHOEglf2au0Ukx0AuhJiV5cqK8v4OfPId6byCjIoZy7fgWib2&m=222XvTupfhLBN9fCUpf023IdSMsC9Aeg9Mf67BKu8n2a24Lw5UAUBvkUPPIFRY6o&s=WQp7BRVG5Xre6mSOqM7znjvAdD8SCgzjWYw9VyUpQU8&e= | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3820 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3420 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE135.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3160 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:4C16078B05F1BE897959EA2C62EA0600 | SHA256:7D58B00B8D78C278F7EEEB955A59ACEA3963F0D4C54D8E0454864AA18812BE37 | |||
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:B3EA4E6F35A7B71822C10ADA9D1F5D97 | SHA256:C0B71B1836185E9F889B300AB772C756BE0998304532886C5E9694E43FF52FFD | |||
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE28DA32.dat | image | |
MD5:D9DCA1CAC67A8515C5E7572528BDD5A2 | SHA256:D03539CC6A66D43CFD2347316E7F93720B2D0D9228836EAA86726D87A5113D90 | |||
3420 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | |
MD5:5EFFAD2D6357B2B3FBEA2B16CF9B647D | SHA256:4E946E0BE89DCD3927F0EE13FAE5C28A29A76A2B5409031F3086A4497CD01E1E | |||
3420 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:D9C1442ED93EC7A76EE1A8C3F68531F2 | SHA256:0C194595DA3B7DF0869C1E4437A4693EDAE5E243159E7E0A248DEA8233DB8000 | |||
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E06B6910.dat | image | |
MD5:10756BD9D810A0202CF4B5E7828160C0 | SHA256:8BA923AECE3E1731B7CDF398D30EEE632B285A5CC91F3E6A062BB72713F38644 | |||
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_442112C7EE500E4BA9D9C67AD7D06984.dat | xml | |
MD5:BBCF400BD7AE536EB03054021D6A6398 | SHA256:383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD | |||
3160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3160 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3820 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D | US | der | 2.18 Kb | whitelisted |
3420 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
3820 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 1.42 Kb | whitelisted |
3420 | iexplore.exe | GET | 200 | 8.253.95.121:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?87bd767e3a157c33 | US | compressed | 4.70 Kb | whitelisted |
3820 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCEByrgD5piqUjHxqAhX8eRyo%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3420 | iexplore.exe | 131.253.33.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3420 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
3160 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3820 | iexplore.exe | 104.18.32.68:80 | ocsp.comodoca.com | CLOUDFLARENET | — | suspicious |
3420 | iexplore.exe | 8.253.95.121:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
3820 | iexplore.exe | 67.231.146.66:443 | urldefense.proofpoint.com | PROOFPOINT-ASN-US-WEST | US | suspicious |
3820 | iexplore.exe | 172.64.155.188:80 | ocsp.comodoca.com | CLOUDFLARENET | US | suspicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
urldefense.proofpoint.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |