| Field | Value |
|---|---|
| File name | FW_ New positions near University Park_ NM - 03-29-2020.msg |
| Full analysis | https://app.any.run/tasks/da4ca7bf-9023-46d5-a437-628c3bc7b733 |
| Verdict | Malicious activity |
| Analysis date | March 30, 2020, 15:07:35 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/vnd.ms-outlook |
| File info | CDFV2 Microsoft Outlook Message |
| MD5 | 2329C7ACA2A993F9035185ADFFFA7098 |
| SHA1 | C353A32A78EF7E05C2D773B55DD4A7A246615F25 |
| SHA256 | 75919E12F950985567B67544CE1A25678AD96E12F6D519C691E4A5D072F83586 |
| SSDEEP | 3072:9HLBB7vw5t5uEyeArhUgCgs8uwSP4Mp3DbDfqebce9P4SO4SO4SAEwvR4pJoX6CD:J3QLkeAGP8R+qi/wDKce |
| Extension | File type (match score) |
|---|---|
| .msg | Outlook Message (45.3) |
| .oft | Outlook Form Template (26.5) |
| PID | CMD | Path | Parent process | User | Company | Integrity level | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|
| 1520 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW_ New positions near University Park_ NM - 03-29-2020.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000 | — |
| 3328 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | svchost.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000 | 0 |
| 3568 | "C:\Program Files\Internet Explorer\iexplore.exe" https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fl.koraljobs.com%2Fmps2%2Fc%2FCAE%2FgMpRAA%2Ft.30h%2FQ_NybzRgTjahebIBComZ2w%2Fh1%2FJxHK25qWkKvvP5zJa79GzfKlpQle5C-2FuDcQFDj5Tfid9xkKcd8xhMDZqcBS8R5-2BcvMKiAg6A8a754h54CpuguxuyV9jY2fQhWviX-2FpGPKQk-3D%2FwJHl&data=01%7C01%7Chasana%40nmsu.edu%7C54d68f8a983e42ca467e08d7d4b24e43%7Ca3ec87a89fb84158ba8ff11bace1ebaa%7C1&sdata=jHuiU%2F8FKPHZosyOEZVSum%2FwJLSDLcnzUezKRZaAkH0%3D&reserved=0 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) | — |
| 780 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3568 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) | — |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B45.tmp.cvr | — | — | — |
| 3328 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR841C.tmp.cvr | — | — | — |
| 780 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabA2FF.tmp | — | — | — |
| 780 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarA300.tmp | — | — | — |
| 1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 23D82C667AD1357E3A5E471FC972BEF1 | 59EF0D46C7C0BC279AEB0E08B2BC48B54DF01A10B554F73D41F5E1E7943B6F69 |
| 1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | 1A2FA43E37E4B317614B864F33034DD6 | 24AE6EBC000DCF822D868743DB979D5CC3A6A7B49CE1C9B0F5799B7EC095642B |
| 780 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | der | C46FECE849A4FB720D4468E63C72F67B | C56079EA1777990734700448194E09528413A80B118DAA63ECD47DD20EDAA2C4 |
| 1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4586D5E8.dat | image | B2F312C70D97DE875CED8DE200E9A27C | FE548822C3A475670FD9321FA26EBEAABF15844279915D3FCF51EE255E9DB935 |
| 780 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | binary | F16FCD85213B3FFFD8E5991602FA7929 | 158F4C8115EA0B3ED5421EA3A8465D8AA484F0E16044CA40FE6034066B4DDD91 |
| 1520 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | 48DD6CAE43CE26B992C35799FCD76898 | 7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1520 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
780 | iexplore.exe | GET | 200 | 13.225.87.155:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
780 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted |
780 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | US | der | 471 b | whitelisted |
780 | iexplore.exe | GET | 200 | 143.204.98.91:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
780 | iexplore.exe | GET | 200 | 13.225.87.121:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
780 | iexplore.exe | GET | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
780 | iexplore.exe | GET | 200 | 13.225.87.142:80 | http://crl.sca1b.amazontrust.com/sca1b.crl | US | binary | 682 Kb | whitelisted |
780 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
780 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
780 | iexplore.exe | 104.47.32.28:443 | nam01.safelinks.protection.outlook.com | Microsoft Corporation | US | whitelisted |
1520 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
780 | iexplore.exe | 13.225.73.74:443 | l.koraljobs.com | — | US | suspicious |
780 | iexplore.exe | 143.204.98.91:80 | ocsp.rootca1.amazontrust.com | — | US | whitelisted |
780 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
780 | iexplore.exe | 13.225.87.61:80 | o.ss2.us | — | US | suspicious |
780 | iexplore.exe | 13.225.87.155:80 | o.ss2.us | — | US | unknown |
780 | iexplore.exe | 13.225.87.121:80 | ocsp.rootg2.amazontrust.com | — | US | whitelisted |
780 | iexplore.exe | 143.204.98.63:80 | ocsp.sca1b.amazontrust.com | — | US | whitelisted |
3568 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| config.messenger.msn.com | — | whitelisted |
| nam01.safelinks.protection.outlook.com | — | whitelisted |
| ocsp.digicert.com | — | whitelisted |
| l.koraljobs.com | — | malicious |
| o.ss2.us | — | whitelisted |
| ocsp.rootg2.amazontrust.com | — | whitelisted |
| ocsp.rootca1.amazontrust.com | — | shared |
| ocsp.sca1b.amazontrust.com | — | whitelisted |
| api.bing.com | — | whitelisted |
| www.bing.com | — | whitelisted |