File name: | COVID19 Work Survey!.msg |
Full analysis: | https://app.any.run/tasks/b833c95c-26b4-4d0c-b729-ae45b48657d4 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 09:27:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | EE6DD0F2D6E898F9FFFA946CF423FA10 |
SHA1: | 645553C0B249FE8026FD2BF5A0AA7C3142536984 |
SHA256: | 631CD9F9C43A2DE9FD7A3DF81F8E005B028127F81A7A3A41A8E52DE9CF56232D |
SSDEEP: | 768:dlI3TeBss3fXeCgSKDM0FZuWgJUUWsKtW2K3fXqRYLRqxM:DDCOyZuDPWVWlI2q |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1000 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\COVID19 Work Survey!.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
836 | "C:\Program Files\Internet Explorer\iexplore.exe" https://www.templatent.com/ind/4d8b04bf-7a7c-48a0-b6e3-38da5008297e/61c9e0e8-a9e5-484a-acdb-b2003bdbe3d7/50e4c52b-d32b-495c-9986-4f32616c57eb/landing?id=bXp1ZjUyUnliaGtGMDVDNXZnRzlwSVpsRmxVdkt5TXJoamJoYkxrWldLU1Zra1lvZVo2WVBVYkRYeDdOVkVRL0NSWms1WG5FWnZKVUp6UlVvazBPeThIZFpQaWNTM2lUMURVOGdYTU9ja0o0UUVKZDRuT0lGN01lOGhNTGhBSlB6RVBVNENDNUNVZ201UVlLa0ppOXk4MVJZdEwzNlVHOXR1WXdPbHN4bzRkY3g2RENYYUMxWVE4dS9xbFJUV091L3ZNWXJDOXpaNTRMUnpRTE50UW9tbks5eU5TVmc4dnVPdGs5bG1HTDdjMmtRUS9PUWNCenljL1pid09SdTVWVkpJYVVOejFOL0oxd1NvWTF5cGpPUDRjcHVNaDBjZjI3b0RPR204UGdRRyttMWs5d0VJNHp6cHAzZ3RNNlVZSkZkU21SL2p1QW1uYitrV0lQNDJTVXpnPT0 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3996 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:836 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1000 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR94F3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1000 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
1000 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:FD05055FB7C90CE5CB65C2C6AB92E7F7 | SHA256:D80A81F4078DD5C3088CFCA00A3D0E890A837003E8EEB764E7261696D1C13600 | |||
3996 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE | binary | |
MD5:8221AA63CCDDE87545FAE4723EBA2F44 | SHA256:A081761A823559590DC3495255ADFBEEDBCD8AA3C4FBB78B3AB5670EEFB652DF | |||
836 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | |
MD5:28CC3D4B0DA8A29A9DCD6D4755C84342 | SHA256:A4CA2DD1D4545838F7A9102623442BC76BDEB2185E9991A294BCB0B6456DDA0E | |||
3996 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE | der | |
MD5:6070D165F317137BFA0039387B244CDB | SHA256:534AD56166D4D29D7744322BD18EBE9E8EFE5DEFF1C0E367C70F774478D7C738 | |||
1000 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:306027CA63A8AFEA7E26856A7C58BAB2 | SHA256:D5BDFD66F6D2B7006D5E30A013F5EC30408CD344CC2DE1AF3C3A80D2A481E174 | |||
836 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | |
MD5:2F7C07C448F98CD3A9F15D72FA52F248 | SHA256:3A70F82136DDF56746BBE728F43D496171A9F061EF62C3F5513BB06070062B3D | |||
836 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:31590CEC34C20640A4C5A0C0C2445E7A | SHA256:37ED4DAA6987AD4FD671D927604EFAD92D4341B4843A2B6C9CC97A638C74F262 | |||
836 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\favicon[2].ico | image | |
MD5:DA597791BE3B6E732F0BC8B20E38EE62 | SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1000 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3996 | iexplore.exe | GET | 200 | 13.107.40.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQN1VoiX40jVOMldh7uDThi9DqeewQU1cFnOsKjnfR3UltZEjgp5lVou6UCEzMANPAzk2JZiyvmkdgAAAA08DM%3D | US | der | 1.74 Kb | whitelisted |
836 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3996 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted |
836 | iexplore.exe | GET | 200 | 41.63.96.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0313db5469b36e55 | ZA | compressed | 4.70 Kb | whitelisted |
3996 | iexplore.exe | GET | 200 | 41.63.96.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9dfc310853302a4f | ZA | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1000 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
836 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3996 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3996 | iexplore.exe | 41.63.96.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | ZA | suspicious |
836 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
836 | iexplore.exe | 41.63.96.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | ZA | suspicious |
3996 | iexplore.exe | 13.107.40.203:80 | oneocsp.microsoft.com | Microsoft Corporation | US | whitelisted |
3996 | iexplore.exe | 13.107.227.45:443 | www.templatent.com | Microsoft Corporation | US | suspicious |
836 | iexplore.exe | 13.107.22.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
836 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
www.templatent.com |
| malicious |
ctldl.windowsupdate.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
oneocsp.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |