Field | Value
---|---
File name | _Phish Alert_ Brandon Foster.msg
Full analysis | https://app.any.run/tasks/26e2c5f1-9f18-4769-a654-9f7fafab4fa0
Verdict | Malicious activity
Analysis date | January 18, 2020, 08:59:16
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators |
MIME | application/vnd.ms-outlook
File info | CDFV2 Microsoft Outlook Message
MD5 | 84BF36C9B5A7C72A6639CF7CE9B51D71
SHA1 | 2703500EAAEA04AD7D2CF8E23CE2A5FE91D40451
SHA256 | 30B60A504377DA3978289C03FF498190212E84983AB76862C9DBEF5E7DB36908
SSDEEP | 1536:kQzWtWrWHtHWbWwWSoSl+m325l+ZS3PGS4djmc4OcpSa2ccfrN:kQqt4oQ3dPDIGN
Extension | Type (score)
---|---
.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2480 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\_Phish Alert_ Brandon Foster.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000
1732 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text.txt | C:\Windows\system32\NOTEPAD.EXE | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3940 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\source.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Exit code: 0; Version: 14.0.6025.1000
3276 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text (3).txt | C:\Windows\system32\NOTEPAD.EXE | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
324 | C:\Windows\system32\prevhost.exe {1531D583-8375-4D3F-B5FB-D23BBD169F22} -Embedding | C:\Windows\system32\prevhost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Preview Handler Surrogate Host; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2660 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\source.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Exit code: 0; Version: 14.0.6025.1000
3972 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text.txt | C:\Windows\system32\NOTEPAD.EXE | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA821.tmp.cvr | — | — | —
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text (2).txt\:Zone.Identifier:$DATA | — | — | —
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\source (2).eml\:Zone.Identifier:$DATA | — | — | —
3940 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE4FB.tmp.cvr | — | — | —
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text (4).txt\:Zone.Identifier:$DATA | — | — | —
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 40046F299133446B3EEBB969A5EC0D25 | BBF1CC721F1AA30D634A41E60359387CD7C9F7CE6F22C213AAA8B680E221F430
2660 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR5029.tmp.cvr | — | — | —
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | 0AA05B8AECD4103427EF825C82F48F78 | 0EEDE15D984A8B061EC595F7636927C696CD26E29DBFE5329DE86F884DBF92E0
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\source.eml | eml | 7348D819A3BE3955D85C2B9A3AF17418 | 149477EBF8B3C8BC92923C96E2E9C10CA4764A62C2B8C66F9763E61B5F90AF7B
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text (3).txt | text | 26EBC96284BA0A02A68C9529A3A27B2E | 2E5853C1124B9E70C3F75505BA33EE804AF0C4C383E72B53BB9F07D9FE5821BE
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2480 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | | whitelisted