File name: | FW The Prestige Group Confidential.msg |
Full analysis: | https://app.any.run/tasks/f76eb2a2-4c05-4e89-bb8a-e9531332b10e |
Verdict: | Malicious activity |
Analysis date: | September 18, 2019, 20:13:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 9170AD14B4F7E6F37D9D2DAEE519E25D |
SHA1: | B5E8329298824290031AE4505F57FFA63D4403B1 |
SHA256: | 43E1A304B2177247F8FE682182E02FD88CD9B56F8BB45A96BB83E346CDE53236 |
SSDEEP: | 768:2HXUIdIKknv8f7VkFwqmIBPsKQPsKjryXgRRQJ7BKEUlG/s5HiR7Mt1pL/IGlriO:Wd5Ks8+rFE5sk0nj8 |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3424 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW The Prestige Group Confidential.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
408 | "C:\Program Files\Internet Explorer\iexplore.exe" https://summercrestnet-my.sharepoint.com/:o:/g/personal/sgunnerson_summercrest_net/EndLaok3Y-VFumPw7Ym4FxMB-guZ0gwy4SGsejY7GmiOqg?e=3mUITi | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3360 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:408 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3024 | -modal 66108 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF1CA0.tmp -ep NetworkDiagnosticsWeb | C:\Windows\system32\msdt.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Diagnostics Troubleshooting Wizard Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3736 | C:\Windows\System32\sdiagnhost.exe -Embedding | C:\Windows\System32\sdiagnhost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Scripted Diagnostics Native Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3816 | "C:\Windows\system32\ipconfig.exe" /all | C:\Windows\system32\ipconfig.exe | — | sdiagnhost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: IP Configuration Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2700 | "C:\Windows\system32\ROUTE.EXE" print | C:\Windows\system32\ROUTE.EXE | — | sdiagnhost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Route Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3376 | "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf | C:\Windows\system32\makecab.exe | — | sdiagnhost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Cabinet Maker Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2932 | C:\Windows\System32\sdiagnhost.exe -Embedding | C:\Windows\System32\sdiagnhost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Scripted Diagnostics Native Host Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR99E3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CABEF182.dat | image | |
MD5:2C37A3419D9623972FBD0E7778974784 | SHA256:678F7F5BA99DA13066499233A268073558055E669276F9C3B70D5C833A2AB436 | |||
3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:EF2C8433C5C43612721B3C17473E0E5C | SHA256:8C538415BDCEBE470BBDA50EE7B8DF41F6B942A87CEC44B745992B7501F06308 | |||
3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{97B32129-7266-43D1-A71F-6994C4890AC9}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:7D80C0A7E3849818695EAF4989186A3C | SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597 | |||
3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text | |
MD5:4CB1F48D32DE1930742DCC43A1AA14E0 | SHA256:86DB15FAA7799D92295B9B387820B9B12D59DD7C6CE732AA5E79467911E7EE85 | |||
3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F59E0F9B.dat | image | |
MD5:D94F78B4F3DDC09E4CC7BD77459C414C | SHA256:FC4542BDD1063E2027272976D7ADEE27DB1A1121BF568B36DA87D5B7F4D3CAF9 | |||
3360 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:55BC3ABC6BDDA3289C15E9CAF22654BA | SHA256:C8AF1122355E4C4BFD1F6701FA12B216A40F03703C74700124FBEAD7130086AC | |||
3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_8099E0CD16D4B64191B558BC0DD9A3E1.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |||
3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_8906F323CE71674DA070AAA58F54D943.dat | xml | |
MD5:D8B37ED0410FB241C283F72B76987F18 | SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 | |||
3424 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_7BCFFF113541EE49A2A179CA5BC8A617.dat | xml | |
MD5:BBCF400BD7AE536EB03054021D6A6398 | SHA256:383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3424 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3424 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
408 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3360 | iexplore.exe | 13.107.136.9:443 | summercrestnet-my.sharepoint.com | Microsoft Corporation | US | whitelisted |
408 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
984 | svchost.exe | 13.107.136.9:443 | summercrestnet-my.sharepoint.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
summercrestnet-my.sharepoint.com |
| suspicious |
www.bing.com |
| whitelisted |
dns.msftncsi.com |
| shared |