| Field | Value |
|---|---|
| File name | EXTERNAL Password mozilla@##.msg |
| Full analysis | https://app.any.run/tasks/41a36d3b-c929-4bcd-b42b-11bee58dd344 |
| Verdict | Malicious activity |
| Analysis date | February 18, 2019, 19:14:15 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/vnd.ms-outlook |
| File info | CDFV2 Microsoft Outlook Message |
| MD5 | 30836F08106F2CF25C1624838C4F1387 |
| SHA1 | D5FEFACABA079FE73ED70FECB869901F528601F7 |
| SHA256 | 828D3D232735D493D147395A40A60A7CD5EA004F5A90B089218A93790A22CC8A |
| SSDEEP | 24576:pyQZ5+348jgTZRfQ5yK4LxJSmdHie5RT3gCn0Y8u+yTu56NXjmD3LadHs+0gF:TiPgvf4Z4L/mo93Vn0Y8356pi7OD |

| Extension | Type |
|---|---|
| .msg | Outlook Message (58.9) |
| .oft | Outlook Form Template (34.4) |

| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 3140 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\EXTERNAL Password mozilla@##.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 0 | 14.0.6025.1000 |
| 3576 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\C6ANGDR0\PO-Inv#217.ace" | C:\Program Files\WinRAR\WinRAR.exe | | OUTLOOK.EXE | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 1073807364 | 5.60.0 |
| 2244 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3576.29442\PO-Inv#217.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3576.29442\PO-Inv#217.exe | | WinRAR.exe | admin | Live Software | MEDIUM | Bulk Mailer | 4294967295 | 9.3.0.1 |
| 3764 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3576.31835\PO-Inv#217.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3576.31835\PO-Inv#217.exe | | WinRAR.exe | admin | Live Software | MEDIUM | Bulk Mailer | 1073807364 | 9.3.0.1 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3140 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE822.tmp.cvr | — | — | — |
| 3140 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\C6ANGDR0\PO-Inv#217 (2).ace:Zone.Identifier:$DATA | — | — | — |
| 3140 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF5B93A70289B1DE6C.TMP | — | — | — |
| 3140 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp | — | — | — |
| 3140 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3BB45DD0-BAE2-4C54-BECF-06381A0D9060}.tmp | — | — | — |
| 3140 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 8B75B279CD2FDDF49F5881F92D36D482 | 402C3DF23C6E67CEC247997953811D92A8A31639C6EC1EB856F7D16C0CE65DE3 |
| 3576 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3576.29442\PO-Inv#217.exe | executable | 770006EEAA6ADBF99D4EEE36F0356A16 | AFF716CFAD4E37543CE83A551A16AE4795EAAA93BE76F22A61855891C2C2C0C1 |
| 3140 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | pst | 5BDDA12C2E28C514BF25BBE5B521F99E | 55CE24F3CAB5DF6460B050C521F9B199FA3D1F17783025FF0E8E61CEF9614425 |
| 3140 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_A56652063274FA4ABE2DB199D03C7CD5.dat | xml | 57F30B1BCA811C2FCB81F4C13F6A927B | 612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3 |
| 3140 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_0DDECFB6E704934BA8303648D39282FF.dat | xml | D8B37ED0410FB241C283F72B76987F18 | 31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3140 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3764 | PO-Inv#217.exe | 188.125.73.29:587 | smtp.aol.com | — | CH | unknown |
| 2244 | PO-Inv#217.exe | 188.125.73.29:587 | smtp.aol.com | — | CH | unknown |
| 3140 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| config.messenger.msn.com | | whitelisted |
| smtp.aol.com | | shared |

| PID | Process | Class | Message |
|---|---|---|---|
| 2244 | PO-Inv#217.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
| 3764 | PO-Inv#217.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |