| Field | Value |
|---|---|
| File name | phish_alert_GA1.0.52-0 (3).eml |
| Full analysis | https://app.any.run/tasks/b2360b40-ad73-4091-b781-9e6e5c2f896e |
| Verdict | Malicious activity |
| Analysis date | August 12, 2022, 18:38:44 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | — |
| MIME | message/rfc822 |
| File info | SMTP mail, ASCII text, with very long lines, with CRLF line terminators |
| MD5 | 8F1998BE70B19D9CDA7FE1B523C2DA6D |
| SHA1 | 0C810609F9F4E37EA2CCB452A495A4CC9E8A5049 |
| SHA256 | 2E967B60C2F51827EC30F64C1565E51A3F1B95210377EEEA221355208F3E22CD |
| SSDEEP | 384:ezHVK7qwyJ7EOsbljVoTy51+HLkqD/DRKTEDxhu96P1OXrQ5OlnGdqXFz2lqjb:fK7ENlZx2LZD/Dr66PI7vlGdqXFA+ |
| File type | .eml: E-Mail message (Var. 7) (100) |

Processes

| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Version |
|---|---|---|---|---|---|---|---|---|---|
| 3176 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_GA1.0.52-0 (3).eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000 |
| 1880 | "C:\Program Files\Internet Explorer\iexplore.exe" https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=http%3a%2f%2fclt936171.bmetrack.com%2fc%2fl%3fu%3dE343ADC%26e%3d14D08F1%26c%3dE48EB%26t%3d0%26l%3d8840DF18%26email%3dSk3TMbRft7YX%252BYkZeVEsOC6j1L7FShlXvkoMUP1VmwT7DsljURckizciHg%252FVbFy1%26seq%3d3&umid=8f7c097b-86db-4766-a81f-846cc7026023&auth=d7d55759d2069bb9ccd911e20db3b5b74572a8c0-9a84c1c1cc275c376514ee60d30a62c585c5eddd | C:\Program Files\Internet Explorer\iexplore.exe | — | OUTLOOK.EXE | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) |
| 4020 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1880 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) |

Files activity

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3176 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR4464.tmp.cvr | — | — | — |
| 3176 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | — | — |
| 1880 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | EE87BB11E233C12009CC11725035DBDC | D82930A5B051B3C3F1639C24E83BDDF41D5AA66E467A0944D1AC3D59AE6330C5 |
| 1880 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | AA45ADB7877A4E295343EA92AEC9AF93 | 3F7A71E05CD4D4C8E6CA8ECB1365062F7DD0B233E2F96AD3B6162465882A2DAC |
| 3176 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | 35B3DD41A1C0386638161DB3389E8B31 | 64CB4BEB893CFDA12DB4EAB86D5FEBCBF819697244F63E3B688D93FFCED182FC |
| 1880 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 02AEE305DE693F7EEF1AC3910665A7C7 | 6E5B06084E468BB5FCA86A04DE823C3B923999E8DF8E700B3F389D23E5D92A49 |
| 3176 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | CB6D9D10F8C9A8900A04A380652F1625 | 696A827812508E646BE506752BB08C42F4C81420039C069A4A72CBD89BE6CC34 |
| 4020 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | der | 96DE27FBD89F2EF99EB34AD9AA9EC29D | EBBBF18B40EF85315728C6962D99411BF4E836D8393695A4D6751243EEAA9B95 |
| 3176 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_6D782606D19C83438258CE2AE44D80B4.dat | xml | EEAA832C12F20DE6AAAA9C7B77626E72 | C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 |
| 1880 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 |

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3176 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
| 4020 | iexplore.exe | GET | 200 | 151.101.2.133:80 | http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D | US | der | 1.40 Kb | whitelisted |
| 4020 | iexplore.exe | GET | 200 | 151.101.194.133:80 | http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDEW%2BmJUAT2jAp1nrDA%3D%3D | US | der | 1.40 Kb | whitelisted |
| 1880 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
| 4020 | iexplore.exe | GET | 302 | 44.241.57.198:80 | http://clt936171.bmetrack.com/c/l?u=E343ADC&e=14D08F1&c=E48EB&t=0&l=8840DF18&email=Sk3TMbRft7YX%2BYkZeVEsOC6j1L7FShlXvkoMUP1VmwT7DsljURckizciHg%2FVbFy1&seq=3 | US | html | 381 b | suspicious |
| 4020 | iexplore.exe | GET | 200 | 2.16.186.10:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgQsUm8iUJy5NkAH%2BuRDE%2BoTPA%3D%3D | unknown | der | 503 b | shared |
| 4020 | iexplore.exe | GET | 200 | 142.250.185.99:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
| 4020 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAlrgulzmZS6%2FVWwIdvHyL8%3D | US | der | 278 b | whitelisted |
| 1880 | iexplore.exe | GET | 200 | 67.27.159.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9d55989115d3dc93 | US | compressed | 4.70 Kb | whitelisted |
| 4020 | iexplore.exe | GET | 200 | 67.27.159.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b6ac8d8f1e5e4ce2 | US | compressed | 60.2 Kb | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1880 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 3176 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
| 4020 | iexplore.exe | 151.101.2.133:80 | ocsp2.globalsign.com | Fastly | US | malicious |
| 4020 | iexplore.exe | 151.101.194.133:80 | ocsp2.globalsign.com | Fastly | US | suspicious |
| 4020 | iexplore.exe | 44.239.135.112:443 | ddec1-0-en-ctp.trendmicro.com | University of California, San Diego | US | unknown |
| 1880 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| 1880 | iexplore.exe | 67.27.159.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | malicious |
| 4020 | iexplore.exe | 96.16.145.230:80 | x1.c.lencr.org | Akamai Technologies, Inc. | US | suspicious |
| 4020 | iexplore.exe | 104.18.11.207:443 | maxcdn.bootstrapcdn.com | Cloudflare Inc | US | suspicious |
| 4020 | iexplore.exe | 2.16.186.10:80 | r3.o.lencr.org | Akamai International B.V. | — | whitelisted |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| config.messenger.msn.com | — | whitelisted |
| ddec1-0-en-ctp.trendmicro.com | — | whitelisted |
| api.bing.com | — | whitelisted |
| www.bing.com | — | whitelisted |
| ctldl.windowsupdate.com | — | whitelisted |
| ocsp.digicert.com | — | whitelisted |
| ocsp2.globalsign.com | — | whitelisted |
| ocsp.globalsign.com | — | whitelisted |
| clt936171.bmetrack.com | — | suspicious |
| technews.techreports.info | — | unknown |