File name: | R Inserimenti sotto Terza variante met. Catania-Augusta .msg |
Full analysis: | https://app.any.run/tasks/7d24d2ce-11e6-4272-a103-66f15d4af6f2 |
Verdict: | Malicious activity |
Analysis date: | September 30, 2020, 10:11:24 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | EE0121585C95302B61A91A7006C0F93A |
SHA1: | D792E6592DCA231FA7901EEB60EFA6A58AE239EE |
SHA256: | 97E3C0286FD1CC69D6DF7D56F078EC617180BE782A738596D7EC50599699E285 |
SSDEEP: | 1536:BEoFL8tRnQsWpIEwW7VKs1wdXjbsBmWZjLE/ULri:fWnQnIoKs1wNjWri |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1200 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\R Inserimenti sotto Terza variante met. Catania-Augusta .msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 | ||||
2140 | "C:\Program Files\Internet Explorer\iexplore.exe" https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Flondon.upopolis.com%2Fwp-content%2Fsites%2FN5HgzOGEOJ5cstyf%2F&data=02%7C01%7CCarloMaria.Caputi%40snam.it%7C7ee01c48f9954127acd608d8649ded6d%7C19646c181578452eb5fb8504eb919aaa%7C0%7C1%7C637369976757645488&sdata=xYmlF2WpXL2BUoEUG8SZeGdf%2F9Maw8cvJR1QRI7IX1c%3D&reserved=0 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1148 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2140 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1200 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR763A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1148 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabAC00.tmp | — | |
MD5:— | SHA256:— | |||
1148 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarAC01.tmp | — | |
MD5:— | SHA256:— | |||
2140 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
1200 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:47D1AA7E6F7E6EA9A7626349382A920F | SHA256:082386B1ECCE544B2E73EF95A8F6389C226F0AF00212F8FDC121CEA03C5005DB | |||
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\TarBC7C.tmp | — | |
MD5:— | SHA256:— | |||
1200 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:E9D7818D4F00D9C0C7BC9EE67DAA3371 | SHA256:CCD9D7FA700E8BBD925E500439E745B992EB8CC5BE0DD1302380607B21576D57 | |||
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].htm | — | |
MD5:— | SHA256:— | |||
1148 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | der | |
MD5:9D15BAEBA9F8618EF88F4EA27F887484 | SHA256:CDAE980735D0506AAF9479646444911A0FCDF2673E77C48EEEFD8AF8F9A3060E | |||
1200 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A3CE7E91-2E29-4EA7-9874-40DDB02D5115}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:4C61C12EDBC453D7AE184976E95258E1 | SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1200 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
1056 | svchost.exe | GET | 200 | 172.217.23.163:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D | US | der | 492 b | whitelisted |
1056 | svchost.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 b | whitelisted |
2140 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
2140 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
1056 | svchost.exe | GET | 200 | 104.18.25.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIGkp0%2Fv9GUvNUu1EP06Tu7%2BChyAQUkZ47RGw9V5xCdyo010%2FRzEqXLNoCEyAAASWxwt68EQiA3cUAAAABJbE%3D | US | der | 1.75 Kb | whitelisted |
1056 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D | US | der | 471 b | whitelisted |
2140 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
1056 | svchost.exe | GET | 200 | 23.55.161.142:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.5 Kb | whitelisted |
1056 | svchost.exe | GET | 304 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2140 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1200 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
1056 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1148 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1148 | iexplore.exe | 104.47.9.28:443 | eur03.safelinks.protection.outlook.com | Microsoft Corporation | US | whitelisted |
2140 | iexplore.exe | 104.47.9.28:443 | eur03.safelinks.protection.outlook.com | Microsoft Corporation | US | whitelisted |
1056 | svchost.exe | 172.217.23.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
1056 | svchost.exe | 2.16.186.74:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
2140 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1056 | svchost.exe | 23.55.161.142:80 | www.download.windowsupdate.com | Akamai International B.V. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
eur03.safelinks.protection.outlook.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
www.bing.com |
| whitelisted |
api.bing.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
ocsp.msocsp.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |