Field | Value |
---|---|
File name | IT Support (TICKET-1803) FW New Order ready for shipment FOB CHINA PORT.msg |
Full analysis | https://app.any.run/tasks/7d375ae5-cf63-410b-87db-1df9c4628207 |
Verdict | Malicious activity |
Analysis date | January 17, 2019, 20:07:38 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/vnd.ms-outlook |
File info | CDFV2 Microsoft Outlook Message |
MD5 | D5641FC62C6D4F6AB52EFFAC8AE16D99 |
SHA1 | 6DDBACABC16D2CBC67840081374C30C1FCFA7ACE |
SHA256 | A3BC77A4A2B81BBB88FF1E85496215D4192FE78AF66566BD01A097FAC3755EAB |
SSDEEP | 768:FxJx4+gk34sKBsKjQUqXvTi+9FiRzLRVnqKwReKpvLgYJ24LEO/9U1oMCkm9Ufg4:FdmZ7skzDnqnReyDgYJ24L69Lsy |
Extension | File type | Match (%) |
---|---|---|
.msg | Outlook Message | 58.9 |
.oft | Outlook Form Template | 34.4 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2976 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\IT Support (TICKET-1803) FW New Order ready for shipment FOB CHINA PORT.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe |
2732 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | — | OUTLOOK.EXE (2976) |

PID | User | Company | Integrity level | Description | Version | Exit code |
---|---|---|---|---|---|---|
2976 | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000 | — |
2732 | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000 | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR8F46.tmp.cvr | — | — | — |
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\78A10873.dat | — | — | — |
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1CC63FD8.dat | — | — | — |
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF994DF9.dat | — | — | — |
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D2B2BA6.dat | — | — | — |
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\a9f987c1c1e26cbdab09da4b998e0370[1].png | — | — | — |
2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRFCD5.tmp.cvr | — | — | — |
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84F91481.dat | image | C89A7E8E8045136F406568E913FA8E86 | 0911A222C0D7247628799B1B0340FD542E739B7424EA7060C3362D78452756FC |
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E2B8C680.dat | image | 56F494890BD197BB6E926300E2BAB236 | B5482D7601C7D9D6445D0FACA7AB95AB16D20C23A85CB52451DB552648252D6D |
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 0E74D8644A7B516F079AFCF236994182 | 8AC26F4488771329945E90EE1610AE5A0AFA37BF8D31DEDAB010032D8CDC9649 |
PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2976 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2976 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2976 | OUTLOOK.EXE | 67.217.38.247:443 | support.wcgrp.com | NetSource Communications, Inc. | US | unknown |
2976 | OUTLOOK.EXE | 192.0.73.2:443 | www.gravatar.com | Automattic, Inc | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com | 64.4.26.155 | whitelisted |
www.gravatar.com | 192.0.73.2 | whitelisted |
support.wcgrp.com | 67.217.38.247 | unknown |
dns.msftncsi.com | — | shared |