File name: | 79195cc577298634d2d1b48aa2187f592b5968b36aa6e0a73c5620565d2f3af0.eml.danger |
Full analysis: | https://app.any.run/tasks/dfa022ab-2639-469a-8cbe-4e90741a6e5f |
Verdict: | Malicious activity |
Analysis date: | August 12, 2022, 14:04:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | message/rfc822 |
File info: | SMTP mail, ASCII text, with very long lines, with CRLF line terminators |
MD5: | 194BEF7976776CD7C7DD2215AD5BD5F3 |
SHA1: | E727AEE9AE069F36AAB8713F6AC254BDAF1761A4 |
SHA256: | 79195CC577298634D2D1B48AA2187F592B5968B36AA6E0A73C5620565D2F3AF0 |
SSDEEP: | 6144:M/RAkyw3ME8j5SQlyjjhZH9hRrjzoPmw1:yS7WME8FfujhZVrbw |
.eml | | | E-Mail message (Var. 1) (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3324 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\79195cc577298634d2d1b48aa2187f592b5968b36aa6e0a73c5620565d2f3af0.eml.danger.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
4028 | C:\Windows\system32\prevhost.exe {DC6EFB56-9CFA-464D-8880-44885D7DC193} -Embedding | C:\Windows\system32\prevhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Preview Handler Surrogate Host Version: 6.1.7601.17562 (win7sp1_gdr.110217-1504) Modules
| |||||||||||||||
1328 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /b /id 4028_1293088567 /if pdfshell_prevf258fb8c-763a-47f7-82ff-b1e298f251c4 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | prevhost.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 20.13.20064.405839 Modules
| |||||||||||||||
2292 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /b /id 4028_1293088567 /if pdfshell_prevf258fb8c-763a-47f7-82ff-b1e298f251c4 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 20.13.20064.405839 Modules
| |||||||||||||||
3524 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\Desktop\BANK SLIP.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Explorer.EXE | ||||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 20.13.20064.405839 Modules
| |||||||||||||||
3724 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\Desktop\BANK SLIP.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 20.13.20064.405839 Modules
| |||||||||||||||
1500 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | AcroRd32.exe | ||||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 20.13.20064.405839 Modules
| |||||||||||||||
1532 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1072,17037485413862934246,1696119802163570653,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1568017958623079636 --renderer-client-id=2 --mojo-platform-channel-handle=1192 --allow-no-sandbox-job /prefetch:1 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 20.13.20064.405839 Modules
| |||||||||||||||
3116 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1072,17037485413862934246,1696119802163570653,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=15171155138954557964 --mojo-platform-channel-handle=1212 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 1 Version: 20.13.20064.405839 Modules
| |||||||||||||||
2056 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1072,17037485413862934246,1696119802163570653,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=3752961725070742662 --mojo-platform-channel-handle=1404 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 1 Version: 20.13.20064.405839 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3324 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR4464.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3324 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
3324 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:2C726EC8A2F6D54DB1C8698C9D344B7A | SHA256:E5B50D34629ECCA6672CDD6487AD01FE0BB6D84B08C975709E0275A697058906 | |||
3324 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\UD76XLWL\BANK SLIP.pdf | ||
MD5:D0D4B5A1ED023A194D478676D9846112 | SHA256:6A06FD6CF886814AFEC199027A9E6A18B44F97273219A7C273F09BB9C11F3CE9 | |||
3324 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp45CC.tmp | binary | |
MD5:C372DD2B7BAD73E416C958E56F967A7D | SHA256:AF7F18A20A21AAD3BED4D2B12779DECF937637A4F456465397150678B5A95E7A | |||
1500 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 | binary | |
MD5:C1225C2FB6C7E8D742E8EF95BC1DC915 | SHA256:1B5BD13CC4A754CFDB6CF3C5352B8FD692A8E1210DAA9EBF301D174B5F1B3146 | |||
3324 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\UD76XLWL\BANK SLIP (2).pdf | ||
MD5:D0D4B5A1ED023A194D478676D9846112 | SHA256:6A06FD6CF886814AFEC199027A9E6A18B44F97273219A7C273F09BB9C11F3CE9 | |||
3324 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:57423799AAC9BDF0B574C74284799438 | SHA256:B910E542E8E20F0288D332455B1C4283EB6A78F9B81D17E6C052C1806168DFF5 | |||
3724 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R130my6t_fx61ga_2vg.tmp\has been verified. However PDF, IMG, xls, .docx | document | |
MD5:A1500D8F5588BC9BA3952C99276B657D | SHA256:6C21FB87A14EB312683C6026392B61C791C6E2643D4E80162D7326511105E4A3 | |||
1500 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 | binary | |
MD5:DAB35CC59F7F0A97D21C71F30A36DA19 | SHA256:19E28BC42716B56590AE415B040EA8FF4C8C4C53E8A4420E2E9D226AE7B0703D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3580 | WINWORD.EXE | HEAD | 301 | 52.222.236.89:80 | http://aws3.link/XLxFAp | US | — | — | malicious |
3580 | WINWORD.EXE | OPTIONS | 403 | 52.222.236.89:80 | http://aws3.link/ | US | html | 1.03 Kb | malicious |
3524 | AcroRd32.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
3524 | AcroRd32.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?27f0a60c6ef682c0 | US | compressed | 4.70 Kb | whitelisted |
3524 | AcroRd32.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d950300507103ff0 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3324 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
1500 | RdrCEF.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3580 | WINWORD.EXE | 52.222.236.89:443 | aws3.link | Amazon.com, Inc. | US | suspicious |
3580 | WINWORD.EXE | 52.222.236.89:80 | aws3.link | Amazon.com, Inc. | US | suspicious |
1500 | RdrCEF.exe | 23.35.236.137:443 | geo2.adobe.com | Zayo Bandwidth Inc | US | suspicious |
3524 | AcroRd32.exe | 23.48.23.54:443 | acroipm2.adobe.com | TRUE INTERNET Co.,Ltd. | US | suspicious |
1500 | RdrCEF.exe | 52.5.13.197:443 | p13n.adobe.io | Amazon.com, Inc. | US | suspicious |
892 | svchost.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3524 | AcroRd32.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2864 | AdobeARM.exe | 23.48.23.39:443 | ardownload3.adobe.com | TRUE INTERNET Co.,Ltd. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
dns.msftncsi.com |
| shared |
aws3.link |
| malicious |
geo2.adobe.com |
| whitelisted |
p13n.adobe.io |
| whitelisted |
armmf.adobe.com |
| whitelisted |
acroipm2.adobe.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ardownload3.adobe.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3580 | WINWORD.EXE | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3580 | WINWORD.EXE | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3580 | WINWORD.EXE | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3580 | WINWORD.EXE | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
892 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |