File name: | EXTERNAL Exchange MX [email protected] |
Full analysis: | https://app.any.run/tasks/7f2cce8f-4523-452d-95c2-211228f93ac6 |
Verdict: | Malicious activity |
Analysis date: | December 02, 2019, 20:15:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | A524A7BF7CFA94D2BF42460E985F3826 |
SHA1: | 5CD69818DA1ADBA96AA2D536B59108E89A27B9CC |
SHA256: | 7BE78F881980C498E89BF90389AB90DEB067A659F670908824AD55B6F22394AF |
SSDEEP: | 768:DbUWsKeWsKwLmeWsK18mk/DNhQ9qHzK+13TTWsKuMWU5:DIWGWoLmeWd8m+K+tW |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2844 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\EXTERNAL Exchange MX [email protected]" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
748 | "C:\Program Files\Internet Explorer\iexplore.exe" https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Furl9325.mastersacts.com%2Fwf%2Fclick%3Fupn%3DAPMi-2BwjYaaJh3lPIhLMcS3b4ZUwiPvxps7Ils0fpGU7ZH75lbWzDWVT2jNyZF-2BskwXGN8GwbI27i9wh70HAf9IblF0na5HvEBSha764NN8cZQHbHlrpTwmvGVxNmADLN6C134GTepa6JuBwcOQuSZzmMUKYskcx6v-2B066T4r4bpVG5eCgr3-2F-2BKjKr6kme8SUdJXwrfP-2BzGbq-2FfQkf8N8dC0Rapzp9xhfNS-2FOwzqnoJ8s2PCL03K8oXY1hbOgWUsOZh8nUel1IBmh-2BgZz6eSd7g-3D-3D_palDskKho4VuKoYryZqMTOh5muiZe3oMr74LfoOCYfdlhMTY3HTi4Tlc311pv84DsiuBjMRozW1-2BSKtqHsZ2GYuwEHj9cx6L2z5leXtljOmHJQUjuV5pY0ak1ZpIaskUuPYEruQ-2F4EmN2-2BZbOBQWnyamFugvyO7utM707YHVqnaTupCjLPmlsWZhNXQu-2Bwi8jtChotoBVusKwM9C2IeURA-3D-3D&data=02%7C01%7Cpsherrill%40nses.com%7Ce359a94701b14e0b1d9708d77752651c%7C78d5360854ca4a748beb8a1399c1189c%7C0%7C1%7C637109068087055632&sdata=GZ6ytMn5VD4e9MHqQbGVfenISxp8K26BHPEivf0BReQ%3D&reserved=0 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
1292 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:748 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2528 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
2500 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6a61a9d0,0x6a61a9e0,0x6a61a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
1780 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2800 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
3932 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=976,16845269008916518779,13615395296269151566,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11273443785022729811 --mojo-platform-channel-handle=988 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Version: 75.0.3770.100 | ||||
1428 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=976,16845269008916518779,13615395296269151566,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=15695361287669630257 --mojo-platform-channel-handle=1608 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
2096 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=976,16845269008916518779,13615395296269151566,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11729344122599236426 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
2900 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=976,16845269008916518779,13615395296269151566,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15763623269606557028 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2424 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE00F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:9505DCCEEB1E2F89D39131BFB543DC93 | SHA256:2BB2FE7AD9F01DB15A291FAEA5F9FBE3EB26D9A1482A24179B1F769F7181FAFC | |||
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:9087BC5A39BDC5779789AD636A7D681E | SHA256:CBF900815FC254984B828E624B0205B8571A32E88F3EB874625C7CE7A68079AC | |||
1292 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\166B5S8Z\forms_office_com[1].txt | — | |
MD5:— | SHA256:— | |||
1292 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:8B89E40A7632A7397231401862F376B5 | SHA256:5055D0E0D103C9D252679737154402E22B99D040455ADB7407D9B8D5B743E577 | |||
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text | |
MD5:F5ED8061BAC533AE3FCCBF0A0111B762 | SHA256:65DA46FAD51DBF36103CCCDA1EDD25B4E1BE4DABC9A577F160E3379014AE7FD6 | |||
1292 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | |
MD5:562E1DB7A82B2609C754137FA878F9DD | SHA256:A7C25DA8A0BE2502223C23C120F1B564E6B14760744373DEEEA69D64F03FF2AD | |||
748 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
748 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].htm | — | |
MD5:— | SHA256:— | |||
748 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1428 | chrome.exe | GET | 200 | 159.148.69.143:80 | http://r4---sn-a5uoxu-gpme.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=159.148.186.246&mm=28&mn=sn-a5uoxu-gpme&ms=nvh&mt=1575317722&mv=m&mvi=3&pcm2cms=yes&pl=24&shardbypass=yes | LV | crx | 293 Kb | whitelisted |
1428 | chrome.exe | GET | 302 | 172.217.22.14:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 533 b | whitelisted |
1428 | chrome.exe | GET | 302 | 172.217.22.14:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 538 b | whitelisted |
1428 | chrome.exe | GET | 200 | 159.148.69.142:80 | http://r3---sn-a5uoxu-gpme.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=159.148.186.246&mm=28&mn=sn-a5uoxu-gpme&ms=nvh&mt=1575317209&mv=u&mvi=2&pcm2cms=yes&pl=24&shardbypass=yes | LV | crx | 862 Kb | whitelisted |
748 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
748 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1292 | iexplore.exe | 152.199.19.160:443 | az725175.vo.msecnd.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1292 | iexplore.exe | 52.109.76.79:443 | forms.office.com | Microsoft Corporation | IE | whitelisted |
748 | iexplore.exe | 52.109.76.79:443 | forms.office.com | Microsoft Corporation | IE | whitelisted |
1292 | iexplore.exe | 2.16.186.106:443 | cdn.forms.office.net | Akamai International B.V. | — | whitelisted |
— | — | 2.16.186.106:443 | cdn.forms.office.net | Akamai International B.V. | — | whitelisted |
1292 | iexplore.exe | 104.47.41.28:443 | nam03.safelinks.protection.outlook.com | Microsoft Corporation | US | whitelisted |
1292 | iexplore.exe | 167.89.118.52:80 | url9325.mastersacts.com | SendGrid, Inc. | US | suspicious |
2844 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
1428 | chrome.exe | 216.58.206.3:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
nam03.safelinks.protection.outlook.com |
| whitelisted |
www.bing.com |
| whitelisted |
url9325.mastersacts.com |
| suspicious |
forms.office.com |
| whitelisted |
cdn.forms.office.net |
| whitelisted |
az725175.vo.msecnd.net |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com.ua |
| whitelisted |