File name: | EXTERNAL FW (1) tl.msg |
Full analysis: | https://app.any.run/tasks/1ef27d88-0a18-44da-8a1c-d7e04c7e6e34 |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 14:10:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | E02CD9A3420EC6D5DA59CBD428834C2B |
SHA1: | AF2597FF50FE2FC95BF24A8F1636B1F6ACD67DE8 |
SHA256: | 6FF9C6630B24B621801AC8A69AD91FFC5DEF7B1FB7445E29903AB02730D6163B |
SSDEEP: | 768:QoSVk+Yc/wcuGPQcqpr85FONfHpg5HsKx6pHDO5/Y2n:tpGPQcq1+ |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2944 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\EXTERNAL FW (1) tl.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
3952 | "C:\Program Files\Internet Explorer\iexplore.exe" https://urldefense.proofpoint.com/v2/url?u=http-3A__consultoresms.com.ve_rmxkyuhn_fh52bu-3Ffm32-2D6jshh&d=DwMCaQ&c=bfDIjndM4yMe-djHIe5wsJolRw51AujaHd3btXbOjK4&r=kfY2SaXbhi8eY7rhsEeWi5fRp_Lt_whAHNqXTGSG4qU&m=lOy1M-Frhh09iGQaZ92y_7jEgdt64B79MN9wrn4M-hE&s=ah6n6GkETAy6V92PdWJs2oYGCjUUi3K3yfF-UGqVNsg&e= | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2636 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3952 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
4016 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3952 CREDAT:203009 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR8AE1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2636 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\keto-intl-desktop4[1].txt | — | |
MD5:— | SHA256:— | |||
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:3D7D3D5DEBA797601A415D3F01D1D737 | SHA256:F60D0053126885AD84620FEB9407343FCF351013253AB502F16374E0AB4A7AC5 | |||
2636 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@goodline-4burnfat[2].txt | text | |
MD5:39FE83A7902880993F16E0473A095FA7 | SHA256:79AAE33F5676005FE8EE84ACA705553C7713C6AA2A460D766641F83E0E664BF3 | |||
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_2B9CFB2E711AB040BED40CBFEE760F85.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |||
2636 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@goodline-4burnfat[1].txt | text | |
MD5:290C9D51567383ACCB74D44307B4609E | SHA256:4FAF58FC8F0187285D9E42E9B39E822D14FEBA1BFEE085D89A68A668C0037DA7 | |||
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_544BB3D1BDA21943882716055F6F378B.dat | xml | |
MD5:B21ED3BD946332FF6EBC41A87776C6BB | SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 | |||
2636 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\keto-intl-desktop4[1].htm | html | |
MD5:1ED965ED291C319741D215E9A5B951F0 | SHA256:D2FE6C215C43D54B2F3F2F886D48FE1AE2E2A4C6DA1279F6B1C6048A21967E2D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2636 | iexplore.exe | GET | 302 | 190.9.44.26:80 | http://consultoresms.com.ve/rmxkyuhn/fh52bu?fm32-6jshh | PA | html | 242 b | unknown |
3952 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
2636 | iexplore.exe | GET | 301 | 104.254.57.161:80 | http://goodline-4burnfat.net/?a=1YV9&c=diet&s=1403 | US | html | 185 b | unknown |
4016 | iexplore.exe | GET | 301 | 162.243.11.107:80 | http://burnfat-keto.com/keto_int/?click_id=03_11787514_5e4e6eb6-8db3-48dc-b942-ff27a464fa53&subid1=418240&netid=3&ver=old&ad=1YV9 | US | html | 178 b | unknown |
3952 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3952 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2636 | iexplore.exe | 67.231.146.66:443 | urldefense.proofpoint.com | Proofpoint, Inc. | US | suspicious |
2636 | iexplore.exe | 190.9.44.26:80 | consultoresms.com.ve | BroadbandONE, Inc. | PA | unknown |
2636 | iexplore.exe | 104.254.57.161:443 | goodline-4burnfat.net | Purevoltage Enterprises Inc. | US | unknown |
2636 | iexplore.exe | 104.254.57.161:80 | goodline-4burnfat.net | Purevoltage Enterprises Inc. | US | unknown |
2944 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3952 | iexplore.exe | 104.254.57.161:443 | goodline-4burnfat.net | Purevoltage Enterprises Inc. | US | unknown |
4016 | iexplore.exe | 104.254.57.161:443 | goodline-4burnfat.net | Purevoltage Enterprises Inc. | US | unknown |
2636 | iexplore.exe | 172.217.22.106:443 | ajax.googleapis.com | Google Inc. | US | whitelisted |
4016 | iexplore.exe | 172.217.22.42:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
urldefense.proofpoint.com |
| whitelisted |
www.bing.com |
| whitelisted |
consultoresms.com.ve |
| unknown |
goodline-4burnfat.net |
| unknown |
ajax.googleapis.com |
| whitelisted |
burnfat-keto.com |
| unknown |
www.googletagmanager.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |