Field | Value |
---|---|
File name: | Dec 17 2018 receipt Invoices.msg |
Full analysis: | https://app.any.run/tasks/04280b77-e284-4a1e-b3c7-9e0175ef9d49 |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 18:50:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | — |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 557656B12F839BB3FB75C398EC2B7DE5 |
SHA1: | 4EFC3B92FDC66F587F6D81DF1675CAB14833D5AA |
SHA256: | 5849512415CB79F62872DEF12A9A1F64E2C345B20A8E37A5A1F46F26A331ACEB |
SSDEEP: | 3072:x9sgKg7VA67VAc7VAN7VAJ7VAu7VAe7VAk7VAg7VA:xe |
Extension | File type |
---|---|
.msg | Outlook Message (58.9) |
.oft | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2680 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Dec 17 2018 receipt Invoices.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000 |
2296 | "C:\Program Files\Internet Explorer\iexplore.exe" https://www.docdroid.net/OPpRBSP/dani-leather-outstanding-print-statement-due.pdf | C:\Program Files\Internet Explorer\iexplore.exe | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3008 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2296 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3668 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2296 CREDAT:6407 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3888 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0; Exit code: 0; Version: 26,0,0,131 |
1336 | "C:\Program Files\Internet Explorer\iexplore.exe" https://www.docdroid.net/OPpRBSP/dani-leather-outstanding-print-statement-due.pdf | C:\Program Files\Internet Explorer\iexplore.exe | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
1008 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1336 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR936C.tmp.cvr | — | — | — |
2296 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | — | — |
2296 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
3008 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt | — | — | — |
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | E14F19CC5768DDC4BB8FF4DC13AFBA43 | 3A06FAB6AD3CCD47189FDE743B004288FDE664287BBABF4AA5EE18FC24EA28AA |
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D119DB7F.dat | image | 30DFF8DE87701904EAB7DB79BC4E76C2 | B57A9714F7A90436335A87517D9B38134794491077949259284CF2B9DC596D75 |
3008 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\app[1].js | text | E1EFB402E2B6DFD6A9FC495800EAA893 | 9786CDE66D661C264B28606C0AC2AE2F187CF62498D843BD8EC483E7E0B1E21D |
3008 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\css[1].txt | text | 4C7DAD4090D0A72B34CC1BCD13885C73 | 4CD4BD4AF907718DD6B740F3A4710FA82BD3EA724274EEFDE8D3DDB54DAB894F |
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DC1270A6-C70E-49BD-90A0-90B8E9FE0D87}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | 7D80C0A7E3849818695EAF4989186A3C | 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597 |
3008 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\app[1].css | text | 32A6F9168A96D11B93887A6F0803D6DF | D7DC7FF957B5D1E750E4C281536DCE50AA89850D3469CF1D02AB50459493CA45 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2680 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3668 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/search?q=virustotal&src=IE-SearchBox&FORM=IE8SRC | US | html | 41.1 Kb | whitelisted |
3668 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rb/5m/cj,nj/3e6a7d75/9a358300.js?bu=EpUesx7eHeEd7gTvHfEdvx7zHfodgh6rHqkenh6THbUcuByWHQ | US | text | 4.95 Kb | whitelisted |
3668 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/sa/simg/SharedSpriteDesktopRewards_022118.png | US | image | 5.73 Kb | whitelisted |
3668 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rs/5d/2t/cj,nj/bab57e12/ea8fe300.js | US | text | 2.75 Kb | whitelisted |
3668 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/fd/ls/l?IG=F6BAEC4B3E8A41FC86EB37CCD4D86129&CID=0C27724EC3806C0325D07E87C2B56DD2&Type=Event.CPT&DATA={"pp":{"S":"L","FC":125,"BC":188,"SE":-1,"TC":-1,"H":313,"BP":485,"CT":500,"IL":4},"ad":[192,523,772,444,1089,498,0]}&P=SERP&DA=DUB02 | US | image | 5.73 Kb | whitelisted |
3668 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rs/8/1o/cj,nj/29936c4f/dacba8f4.js | US | text | 391 b | whitelisted |
3668 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rs/5m/1l5/cj,nj/e90431ed/b2fe50be.js | US | text | 171 b | whitelisted |
3668 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rs/2Y/1I/cj,nj/5983aa50/f8c6dd44.js | US | text | 773 b | whitelisted |
3668 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rs/6o/4R/cj,nj/57324345/ae00a169.js | US | text | 1.72 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3008 | iexplore.exe | 172.217.168.42:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2680 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3668 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3008 | iexplore.exe | 104.19.198.151:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | shared |
3008 | iexplore.exe | 54.37.79.95:443 | www.docdroid.net | OVH SAS | FR | suspicious |
2296 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3008 | iexplore.exe | 216.58.215.227:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
3668 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3668 | iexplore.exe | 52.231.32.10:80 | fae022955607f783054b3eff7175594d.clo.footprintdns.com | Microsoft Corporation | KR | whitelisted |
3668 | iexplore.exe | 157.55.135.134:443 | login.live.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com | — | whitelisted |
www.docdroid.net | — | whitelisted |
www.bing.com | — | whitelisted |
fonts.googleapis.com | — | whitelisted |
cdnjs.cloudflare.com | — | whitelisted |
fonts.gstatic.com | — | whitelisted |
login.live.com | — | whitelisted |
fae022955607f783054b3eff7175594d.clo.footprintdns.com | — | unknown |
3a295de1ee8d2625c5f68f439ee23bbb.clo.footprintdns.com | — | unknown |
6b39b5c76e7961258a8accbd1b82fe3b.clo.footprintdns.com | — | suspicious |