File name: | You [email protected] receieved a shared document.msg |
Full analysis: | https://app.any.run/tasks/3ccc5562-85bb-415e-a476-4f32c6d900c4 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 07:43:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 8B9ADCD216D74E0070512FD5962ACB53 |
SHA1: | 03146C38927B4624EA5405274A567092B9E5489E |
SHA256: | 9CE399566653A8D17627F3B45E2CFBBEF7651DE4E76553D4E33696A15DBADFC0 |
SSDEEP: | 768:ipfbJX1sKtsKRGLHjxJvUf0Qd3SelCGpmb01rffwG4eX:irX1VsJMf0Qd3SelCGpm0w6 |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
696 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\You [email protected] receieved a shared document.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2480 | "C:\Program Files\Internet Explorer\iexplore.exe" https://u27450775.ct.sendgrid.net/ls/click?upn=XbYMJcAS8Q0fgcw-2Bg1ATKTeSxfMeUmN6KNOC6Wh4YU3DVQB0qeHChv6cI2WROJII3C-2FcaRQwT7mqOFjrz4213BuY0BqaxszCRT3PCZeTOTYdg1T75c6DjN1mX5b9TZD70xc2GJFmkva-2F1kKVJTt7XA-3D-3D2DOo_QxExAhMclvv1bul8mqbZ76V1fEF6A5uzbK-2Fa0-2BSun3FIAZxkWZF4TnV9IMFtlznjl4oAO2DGq8s5fEaVeU-2BPMNeTJrTn-2BtKsZUA8boXPlR7whbf9xX3dVKZijLDYsg7BvDtpkEFmXzM3KYWR0758KYhhjKh7aUDUof2XTahuIvLiLJGMn8azvThWLdShEFBWEy-2Bu4sVYNey4xvdkgVfuTz6tOBd5Og4E8xyH8KDNcww-3D | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1648 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR985E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
696 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
1648 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | binary | |
MD5:5816D760338F7501A8BFFEAD7842D854 | SHA256:936E6EE75D688CFC795948B1ACDB199C56A958EF11EC217848C63BDB5474328F | |||
696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:FC79503F6571324B19109151F12F64DD | SHA256:29D68FC5D73B65029811A10CF08726AB27D255B9EEE6E49B05F76DE47C7821F7 | |||
2480 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F | der | |
MD5:DF6DEECBA36F8D0AF53EAFA9C51AB1F7 | SHA256:60D1053BDE5FBCA23ED8976F1EABAEE9C4BB459D9C997E5A76BB2182EE916D98 | |||
1648 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | binary | |
MD5:F97B6323F97828CEA41EB02D479AE1CC | SHA256:363614FEC0B8D065E0756E9BD0A23D71EB8FD414E3B264949A874C60ED8EAC70 | |||
696 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:1087631A72C7BF5E3E748DBF09E942C9 | SHA256:0989FC84664253B2E5884AFD921740C5214D5D65B1ADBA407E159DCFA2BE6A88 | |||
1648 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:3FFAF5F91F9C984009B5ECC84982F83C | SHA256:1D3DA70B046146DD748A5C43DDE91939601A4D87304C80E77F832818A522D260 | |||
696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_0F242EEAA0585B468D62D25D2E18C8E8.dat | xml | |
MD5:D8B37ED0410FB241C283F72B76987F18 | SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 | |||
1648 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | der | |
MD5:594D802A0CCC428FCDFC397BD6ED09AA | SHA256:E11D57A7187C2B184F45CE8158C0749F632403F5D4EDC2910107A1868951A9A2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1648 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted |
2480 | iexplore.exe | GET | — | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | — | — | whitelisted |
2480 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted |
2480 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 631 b | whitelisted |
1648 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted |
1648 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCbtonfHJ3EDA%3D%3D | US | der | 1.74 Kb | whitelisted |
2480 | iexplore.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb8914ef1e77e13 | US | compressed | 4.70 Kb | whitelisted |
1648 | iexplore.exe | GET | 200 | 95.140.236.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c7f7165edb602f14 | GB | compressed | 4.70 Kb | whitelisted |
2480 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bfd2a261415bbe34 | US | compressed | 4.70 Kb | whitelisted |
1648 | iexplore.exe | GET | 200 | 95.140.236.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ddc2078ffd4ec683 | GB | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2480 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
1648 | iexplore.exe | 95.140.236.0:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | GB | whitelisted |
696 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2480 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious |
1648 | iexplore.exe | 192.124.249.41:80 | ocsp.godaddy.com | Sucuri | US | suspicious |
1648 | iexplore.exe | 167.89.123.122:443 | u27450775.ct.sendgrid.net | SendGrid, Inc. | US | suspicious |
2480 | iexplore.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious |
2480 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2480 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
u27450775.ct.sendgrid.net |
| suspicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.godaddy.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |