Field | Value |
---|---|
File name | Лотерейный билет.eml |
Full analysis | https://app.any.run/tasks/04cd0846-285e-4736-9025-56fc54e6cbce |
Verdict | Malicious activity |
Analysis date | March 30, 2020, 15:51:44 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | message/rfc822 |
File info | SMTP mail, UTF-8 Unicode text |
MD5 | 4A208B33104FFD964DD03C62647FA8A9 |
SHA1 | 4C071E42970934F944D1D17A14D73E3B99004CCA |
SHA256 | 67E9D9BABA822D133D94A930ADBCA2055C821FB93D1151177F1209B361871430 |
SSDEEP | 48:STqeqw+KqtM+1LnsU5u1McJO3W9fvVT55RlbjZp9TWUiQLqyLRb+bVy40C/TsiB/:2qeqwQxjX9hEfdd5HbjHgUiQLDwYLE |
.eml | E-Mail message (Var. 1) (100) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3000 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Лотерейный билет.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | — | explorer.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000 | | | |
1760 | "C:\Program Files\Internet Explorer\iexplore.exe" http://pgvquantum.com/wp-content/themes/twentysixteen-child/template-parts/footer/3/ | C:\Program Files\Internet Explorer\iexplore.exe | — | OUTLOOK.EXE |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | | | |
3464 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1760 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | | | |
2612 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe |
| User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0; Version: 26,0,0,131 | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3000 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR8862.tmp.cvr | — | — | — |
1760 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
3464 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabC57B.tmp | — | — | — |
3464 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarC57C.tmp | — | — | — |
3000 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | FF2FE9B1A62EECB7C213463B671F8BA3 | 48E2567141C05C4DD29C43214626218DCD7B39020FB934CD32B68B6608B97B1F |
3000 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | FEC2711B945FC3C2B1A3CC8F6C7B1C0E | B88F6EA20781729DC868BAAA738A49F13CCED058EC468E9F2029B7DE6C69B916 |
3464 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C | der | 63311A320518E4CA5045931F3E6ADE16 | 23B7BECCB98DAF194EF0EE6709E93CAC4632C1214F6478FCFA2A547515237D83 |
3000 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | 48DD6CAE43CE26B992C35799FCD76898 | 7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A |
3464 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4344B8AF97AF3A423D9EE52899963CDE_8CB36310D7DE2704E6294B3E104E72F7 | der | 503F6318AEBCDDE71943FDE206942183 | 3F1EA1F2C7FAE4006130B74DF173F5906EA867226C43C71B41E39146FD7FA5EE |
3464 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\41065586[1].htm | html | EBDD9AC765892D8D91E1AEBD09497451 | 1E4448DDE176A769FD2BA81018CECE4C8C9248088D4B114B655E6F5B0D0AE767 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3464 | iexplore.exe | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/rootr3/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCCwQAAAAAATGJxkTJ | US | der | 1.48 Kb | whitelisted |
3000 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3464 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEA8Byg3xePJ2xAXD21b7Wg8%3D | US | der | 471 b | whitelisted |
3464 | iexplore.exe | GET | 302 | 112.213.89.7:80 | http://pgvquantum.com/wp-content/themes/twentysixteen-child/template-parts/footer/3/ | VN | — | — | suspicious |
3464 | iexplore.exe | GET | 304 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8DYx | US | der | 1.49 Kb | whitelisted |
3464 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEAfPgrgEmbcjJexpgYUf%2BBU%3D | US | der | 471 b | whitelisted |
3464 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEAlcEGMQ6%2BaXcVfbcNX89rE%3D | US | der | 471 b | whitelisted |
3464 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEA9Fw%2BeisXO35WtYpu%2BqoDw%3D | US | der | 471 b | whitelisted |
3464 | iexplore.exe | GET | 304 | 104.18.21.226:80 | http://ocsp2.globalsign.com/rootr3/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCCwQAAAAAATGJxkTJ | US | der | 1.48 Kb | whitelisted |
3464 | iexplore.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8DYx | US | der | 1.49 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1760 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3464 | iexplore.exe | 112.213.89.7:80 | pgvquantum.com | SUPERDATA | VN | malicious |
3000 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3464 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3464 | iexplore.exe | 217.69.139.14:443 | likemore-go.imgsmail.ru | Limited liability company Mail.Ru | RU | unknown |
3464 | iexplore.exe | 217.69.130.233:443 | mcdn.imgsmail.ru | Limited liability company Mail.Ru | RU | unknown |
3464 | iexplore.exe | 217.69.139.33:443 | news.mail.ru | Limited liability company Mail.Ru | RU | unknown |
3464 | iexplore.exe | 94.100.180.36:443 | cp-filin.mail.ru | Limited liability company Mail.Ru | RU | unknown |
3464 | iexplore.exe | 94.100.180.197:443 | rs.mail.ru | Limited liability company Mail.Ru | RU | unknown |
3464 | iexplore.exe | 217.69.139.36:443 | news.mail.ru | Limited liability company Mail.Ru | RU | unknown |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com | | whitelisted |
pgvquantum.com | | suspicious |
api.bing.com | | whitelisted |
www.bing.com | | whitelisted |
news.mail.ru | | whitelisted |
ocsp.digicert.com | | whitelisted |
status.geotrust.com | | whitelisted |
likemore-go.imgsmail.ru | | whitelisted |
mcdn.imgsmail.ru | | unknown |
rs.mail.ru | | whitelisted |