File name: | FW_ Telstra Bill - Arrival Notification.msg |
Full analysis: | https://app.any.run/tasks/485935e1-53d9-4595-8cf6-b6bcabee8cee |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 02:38:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | E9A034926CFB12C6C3DCC89A2FBD1A97 |
SHA1: | BBE98B0D33B10A5B203191545C956C77EC570302 |
SHA256: | A9FDC40ECDB76A5CF60A70853D08CCCB3B024509AD66A87734C95AC2EEB96507 |
SSDEEP: | 3072:BCgmoB/PBwx5EtT4MqX6kmnc02TsT7lRAQtuanV9A4RnQP2suImGlraCwr5jOK+h:lwSi6kmn0s18vmnw2zNJBlOMK |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW_ Telstra Bill - Arrival Notification.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2336 | "C:\Program Files\Internet Explorer\iexplore.exe" https://urldefense.proofpoint.com/v2/url?u=http-3A__onlinebilling.sddiscountpropertymanager.com_corporatebill_96a5671ca8b1993d197686ca7d4c01d3&d=DwMFaQ&c=nRJHdZJfdIRF1qIIQpwlLw&r=geqTGYAtUB8PQ3xj2wLBNHDtlFamgDqnuxUhSVrE1i0&m=2tZ4mbb0xKb9ZB-ph9diH1ZAHUw7-JbzUE0dOnh2p7c&s=3gJPuyjvLtXdTbj5Tr3pB2XqPPlupXjfB6hrEe9FC-g&e= | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3020 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2336 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2268 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
3220 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x61a100b0,0x61a100c0,0x61a100cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
2800 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2264 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
2232 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=952,4336180940483287014,11847328860378142835,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=F591EB9CBCC6E1CC93C8496CE7DBBC24 --mojo-platform-channel-handle=1012 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Version: 68.0.3440.106 | ||||
3616 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=952,4336180940483287014,11847328860378142835,131072 --enable-features=PasswordImport --service-pipe-token=1DCDCC294A0864B686666923D6AE66A3 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1DCDCC294A0864B686666923D6AE66A3 --renderer-client-id=5 --mojo-platform-channel-handle=1916 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Version: 68.0.3440.106 | ||||
2324 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=952,4336180940483287014,11847328860378142835,131072 --enable-features=PasswordImport --service-pipe-token=333BAB9AF93EDE3385929923726CCF11 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=333BAB9AF93EDE3385929923726CCF11 --renderer-client-id=3 --mojo-platform-channel-handle=2056 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
4088 | "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "https://urldefense.proofpoint.com/v2/url?u=http-3A__onlinebilling.sddiscountpropertymanager.com_corporatebill_96a5671ca8b1993d197686ca7d4c01d3&d=DwMFaQ&c=nRJHdZJfdIRF1qIIQpwlLw&r=geqTGYAtUB8PQ3xj2wLBNHDtlFamgDqnuxUhSVrE1i0&m=2tZ4mbb0xKb9ZB-ph9diH1ZAHUw7-JbzUE0dOnh2p7c&s=3gJPuyjvLtXdTbj5Tr3pB2XqPPlupXjfB6hrEe9FC-g&e=" | C:\Program Files\Google\Chrome\Application\chrome.exe | — | OUTLOOK.EXE |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA51D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2336 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2336 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3020 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\96a5671ca8b1993d197686ca7d4c01d3[1].txt | — | |
MD5:— | SHA256:— | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5BE30EDB.dat | image | |
MD5:51288B631A0AFF5461FFB34CBE6A9AC6 | SHA256:A4E90A76175996FE49B527210594D728C4CC2BA393FB5B217DB4FB1B97E4E6B1 | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D955DC2.dat | image | |
MD5:137BE5B6EB2620F4D9DC579E1FCA1A81 | SHA256:12D788AA22D29DD8A3B747E77125595267691FFEE98208A077E8CB6CA8A558FB | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:1AD6EF3D190D965EE1682C27CC3E5809 | SHA256:826912A92FE1DF765A145C3E4E61B880E48CF31949DCF328ABBD7C84636FB780 | |||
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:48DD6CAE43CE26B992C35799FCD76898 | SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A | |||
3020 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\myaccount-app[1].css | html | |
MD5:A23BFD75B8B63BA88C8A6EB2475B7BFC | SHA256:16ACEF3ADBB99D90AC97415D52C306AAB02F4BBBD1DD2357CCE68BC8D5149B09 | |||
3020 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\96a5671ca8b1993d197686ca7d4c01d3[1].htm | html | |
MD5:A23BFD75B8B63BA88C8A6EB2475B7BFC | SHA256:16ACEF3ADBB99D90AC97415D52C306AAB02F4BBBD1DD2357CCE68BC8D5149B09 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2948 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3020 | iexplore.exe | GET | 200 | 188.165.252.125:80 | http://onlinebilling.sddiscountpropertymanager.com/corporatebill/index_files/jquery.css | FR | html | 1.62 Kb | unknown |
3020 | iexplore.exe | GET | 200 | 188.165.252.125:80 | http://onlinebilling.sddiscountpropertymanager.com/corporatebill/index_files/nr-spa-1099.js | FR | html | 1.62 Kb | unknown |
3020 | iexplore.exe | GET | 200 | 188.165.252.125:80 | http://onlinebilling.sddiscountpropertymanager.com/corporatebill/96a5671ca8b1993d197686ca7d4c01d3 | FR | html | 1.62 Kb | unknown |
2336 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 54.4 Kb | whitelisted |
3020 | iexplore.exe | GET | 200 | 188.165.252.125:80 | http://onlinebilling.sddiscountpropertymanager.com/corporatebill/index_files/myaccount.css | FR | html | 1.62 Kb | unknown |
3020 | iexplore.exe | GET | 200 | 188.165.252.125:80 | http://onlinebilling.sddiscountpropertymanager.com/corporatebill/index_files/id | FR | html | 1.62 Kb | unknown |
2268 | chrome.exe | GET | 200 | 188.165.252.125:80 | http://onlinebilling.sddiscountpropertymanager.com/corporatebill/index_files/jquery.css | FR | html | 1.62 Kb | unknown |
3020 | iexplore.exe | GET | 200 | 188.165.252.125:80 | http://onlinebilling.sddiscountpropertymanager.com/corporatebill/index_files/jquery-plugin.css | FR | html | 1.62 Kb | unknown |
2268 | chrome.exe | GET | 200 | 188.165.252.125:80 | http://onlinebilling.sddiscountpropertymanager.com/corporatebill/96a5671ca8b1993d197686ca7d4c01d3 | FR | html | 1.62 Kb | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2336 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2948 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2336 | iexplore.exe | 203.36.149.160:443 | www.my.telstra.com.au | Telstra Pty Ltd | AU | unknown |
3020 | iexplore.exe | 188.165.252.125:80 | onlinebilling.sddiscountpropertymanager.com | OVH SAS | FR | unknown |
2336 | iexplore.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3020 | iexplore.exe | 67.231.146.66:443 | urldefense.proofpoint.com | Proofpoint, Inc. | US | suspicious |
2268 | chrome.exe | 172.217.168.13:443 | accounts.google.com | Google Inc. | US | whitelisted |
2268 | chrome.exe | 172.217.168.35:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
2268 | chrome.exe | 172.217.168.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2268 | chrome.exe | 172.217.168.36:443 | www.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
urldefense.proofpoint.com |
| whitelisted |
www.bing.com |
| whitelisted |
onlinebilling.sddiscountpropertymanager.com |
| unknown |
www.my.telstra.com.au |
| unknown |
www.download.windowsupdate.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
www.google.de |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |