File name: | Still Time to Vote in SHRM's 2023 Board of Directors Election.msg |
Full analysis: | https://app.any.run/tasks/a969359b-5f80-4d7c-9d60-ad14333aa6d3 |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 06:55:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 014A849233CB8E1D0037E04FE3F9BBD9 |
SHA1: | D0D04FE78CB4299726B44FF7B141CB0963ACC84D |
SHA256: | 739E99416EF7CC31BCF33B737FAFC5AC312936404A55317C88BC4C3F4E06FDE9 |
SSDEEP: | 768:dxo8k3+QsKOQkmMSdss4G4IhSna6fYOqQLJ2GsKJsK4UunFn6n4L0uWtWHYfboZ6:Lo8e+QBMS6G4IgJLxjunFn6n4L07 |
.msg | | | Outlook Message (45.3) |
---|---|---|
.oft | | | Outlook Form Template (26.5) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3052 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Still Time to Vote in SHRM's 2023 Board of Directors Election.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
3188 | "C:\Program Files\Internet Explorer\iexplore.exe" https://secure-web.cisco.com/16LEa4_f8dG4T2ZiU92PEwZEPRfuxc0gNhkIjg6kofYL0_BVZsdSHXhvRZdTKXDKXFmuAuyopjz6jmqTx-aNj_zQ9GkXq-PJqPl9Dvnr1VttVNM8Omx_psQBV43ahDlGCc5gN5V5TisEGaaru7v1r1swg1l6957HELqSwBqDrMIPCtVaJERXteCHFImF2JyOCZxXbL0oswNYUVHvDvakMC14f5YOLwYc2N7T68rZHJBt9xm3iPZralVZ1q_HBqUI_r3B9FLlVpR-zTUxADq00qQO_fxHl98k1Sa1zsorGIBFTIELbMkkU2wptIrNA_V5O/https%3A%2F%2Femail.mg.electionservicescorp.com%2Fc%2FeJwdjkGLgzAUhH9NchEkviSad8jB2pQeurBsD3tOYqyCscWkLf33qwsDHzMwwwRd1bVAIUEx2mvpHIOGTpobeZCq5QZRCQOmFcg6rCXnou1kp4hg5tp9_5oD0FEP0FjwAq10qvIoEZptL7hBeORN5eisx5wfifCWwGnT655DGZL_p7_HLUrjuqMPg33OubTpQfjpwgk_hminma462vVjl-UW4rRM5c1G22833kvaF2jW1_PPVwEMoDB7o6gYk7v9A83NQfk | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1712 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3188 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3052 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR4C6E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3052 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
1712 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:D15AAA7C9BE910A9898260767E2490E1 | SHA256:F8EBAAF487CBA0C81A17C8CD680BDD2DD8E90D2114ECC54844CFFC0CC647848E | |||
1712 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | |
MD5:8AC60C951610D04ABF965EADE92204F5 | SHA256:5502A2F3EE7C768243891901E2D31C59EC30840A707CCB6C9EE325CC71DA528C | |||
3052 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:5934F666D7DFFCAE0B25C3610BF6B04B | SHA256:DB99B046A721FFA080E65D7B791629E68FF8D82BA63C106D563177EC12A0EC86 | |||
3052 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:EC3A129E403B5C899BC5CB02D34003DD | SHA256:8956EAB4DE52B0BB8475A30DC1970A5C91C3E2F331B5D9EF64B939FCFDC4DC1F | |||
1712 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\263821BCA2CBC5EA0B25012F05788322_41310C887E59D4EB5B8FD9D3DCA2C98D | der | |
MD5:0486FDAD7057227425277A951A446E0C | SHA256:9A78991040A814AD9DC24BD7FB1E6303AC44A1510915FAEE282E84F13083F1D9 | |||
1712 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6CFED4E1A8866BE87BE17622BFB4D726_FBADB8F7FD7B56EE191ACF24A8989D94 | der | |
MD5:9097C37DBB0EA77712342D24E8D4B887 | SHA256:5B6AC21CAD44EBBB58B971F460558BD87B6AF328A6540A4829926B32EDBBA336 | |||
3052 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_29F56949C1460647A800FFBBED40382F.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |||
1712 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab9FDD.tmp | compressed | |
MD5:D15AAA7C9BE910A9898260767E2490E1 | SHA256:F8EBAAF487CBA0C81A17C8CD680BDD2DD8E90D2114ECC54844CFFC0CC647848E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3052 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
1712 | iexplore.exe | GET | — | 23.45.105.185:80 | http://x1.c.lencr.org/ | NL | — | — | whitelisted |
3188 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
1712 | iexplore.exe | GET | 200 | 178.79.242.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b4fc1b2f20fe6bb5 | DE | compressed | 60.9 Kb | whitelisted |
3188 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
1712 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQDjmTL5NIrO9%2B84JPrh00LV | US | der | 472 b | whitelisted |
1712 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
1712 | iexplore.exe | GET | 200 | 2.16.218.144:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgOjqBB9JdBmeefTHtyNP0RSdQ%3D%3D | unknown | der | 503 b | shared |
1712 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 2.18 Kb | whitelisted |
3188 | iexplore.exe | GET | 200 | 178.79.242.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?396408a45b3f325b | DE | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3188 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
3052 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1712 | iexplore.exe | 146.112.255.69:443 | secure-web.cisco.com | OPENDNS | US | suspicious |
3188 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3188 | iexplore.exe | 178.79.242.0:80 | ctldl.windowsupdate.com | LLNW | DE | whitelisted |
1712 | iexplore.exe | 3.226.157.7:443 | email.mg.electionservicescorp.com | AMAZON-AES | US | suspicious |
1712 | iexplore.exe | 2.16.218.170:80 | r3.o.lencr.org | Akamai International B.V. | DE | unknown |
1712 | iexplore.exe | 178.79.242.0:80 | ctldl.windowsupdate.com | LLNW | DE | whitelisted |
1712 | iexplore.exe | 69.18.198.241:443 | vote.escvote.com | MINDSHIFT | US | suspicious |
1712 | iexplore.exe | 172.64.155.188:80 | ocsp.usertrust.com | CLOUDFLARENET | US | suspicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
secure-web.cisco.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
commercial.ocsp.identrust.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
email.mg.electionservicescorp.com |
| suspicious |
x1.c.lencr.org |
| whitelisted |
r3.o.lencr.org |
| shared |