File name: | Payment Slip - Transferred 06062019.msg |
Full analysis: | https://app.any.run/tasks/ba6ec641-ebe0-4d5a-841e-d7cf4be10d45 |
Verdict: | Malicious activity |
Analysis date: | June 12, 2019, 11:21:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 014A944BDF7643D1612020E9B9EFA773 |
SHA1: | EA765C48666C751D7DBEEECCA84BE3569E799461 |
SHA256: | 674204216467BD983FBD56871A7DB7503D07CEDDC95677C1BE31521C7A33BC79 |
SSDEEP: | 12288:aYV6MorX7qzuC3QHO9FQVHPF51jgcswPk1gNkn5Mq3:JBXu9HGaVHAn5n |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1520 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Payment Slip - Transferred 06062019.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2652 | "C:\Windows\System32\isoburn.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\W781O7WL\payment.img" | C:\Windows\System32\isoburn.exe | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Disc Image Burning Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3668 | "C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -- . C:\Users\admin\Desktop\payment.img | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3956 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\payment.img | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVREBD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\query[1].asmx | — | |
MD5:— | SHA256:— | |||
1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\W781O7WL\payment (2).img\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
1520 | OUTLOOK.EXE | C:\Users\admin\Desktop\payment.img\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:E84E3302AC4FACD8BCFBC42BAB87FD7E | SHA256:804F0355DB5899CEF2F8540821814ACF49F76699279E21AB7554950AE6958D47 | |||
1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\54946941a2b45a5ba7f3e1b905b42959.xml | xml | |
MD5:B6765CC4941C7CC1672D0557EC7E20CA | SHA256:D2A7F0D6F0958E99EB50573A716820C114F433B3413A656F58D09BAB60C81D1B | |||
1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\MSB1CACH.LEX | binary | |
MD5:65ED73302867155303E6B70B19E2063C | SHA256:C06250C9E8CCC21F3EBB7AFC1AE6FBE6DF701738FD635F9A5A3F9DA07DEAB4B2 | |||
1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\W781O7WL\payment (2).img | gmc | |
MD5:213918DBA4E42B2FD0AD29202EC9AE90 | SHA256:DAEF2714D03114E6CFD29AD0C50C5F4C6A06ED19B7DB9DF39D25CAEC2A21D4B2 | |||
1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\54946941a2b45a5ba7f3e1b905b42959.sig | binary | |
MD5:056BE265B58E1E905E7E225A93162678 | SHA256:0F1B23EE20C5E99CE8E2AB3C5D00984B26BEA80D4A30CA20EFC3A6867FB3FEDE | |||
1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_B92DC0887044F746BCF87359EF5896A4.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1520 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
1520 | OUTLOOK.EXE | GET | 200 | 52.109.88.8:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={CFF13DD8-6EF2-49EB-B265-E3BFC6501C1D}&build=14.0.6023 | NL | xml | 1.99 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1520 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
1520 | OUTLOOK.EXE | 52.109.120.29:443 | rr.office.microsoft.com | Microsoft Corporation | HK | whitelisted |
1520 | OUTLOOK.EXE | 52.109.88.8:80 | office14client.microsoft.com | Microsoft Corporation | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
office14client.microsoft.com |
| whitelisted |
rr.office.microsoft.com |
| whitelisted |