File name: | Your_Encrypted_Message_Activation_Information.eml |
Full analysis: | https://app.any.run/tasks/c7d50d59-666a-4182-b5fa-23cc9791baee |
Verdict: | Malicious activity |
Analysis date: | August 12, 2022, 22:00:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, ASCII text, with very long lines, with CRLF, LF line terminators |
MD5: | 6A60EBB4468D8406033FB8EA2E225C5D |
SHA1: | FFB752735D510EC2B68C53306560F866135BA17D |
SHA256: | AE3E7F2F1C666E5B05838509556896B51FD7B7B6098E9E5D8CBBA384FA1F2AA6 |
SSDEEP: | 384:hvjc62oVlpxdM01LA98nPVTYbdIbnqKXimDhbA9UcuZedC5nOkyitE:hvQ62oDnmGM9QdT0d+nqKSmDNy3uZedj |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2656 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Your_Encrypted_Message_Activation_Information.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
2632 | "C:\Program Files\Internet Explorer\iexplore.exe" https://urldefense.com/v3/__https:/us.pbe.encryption.symantec.com/login.html?msgUserId=41e6598b746ab112&enterprise=questdiagnostics&rrRegcode=FyZnfK9q&locale=en_US__;!!Fou38LsQmgU!qejWhB4V3iXILxZtm7aJIoFMdhOfNEbodJ7I0OrKd7URz3VpStxUHYVnkoJm2XecRsnFlDOPByVs5Y6ebnVTVfL3RbOVWxrT$ | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3724 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2632 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2656 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR5C5F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2656 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
2656 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:34F7012E577FC16F427BC9F06B80BB4D | SHA256:EC02685A75BE7D24BCEC84373392E22641D4D8D1E285078F8B09EE7481BF6C44 | |||
2656 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:4BB199433070A41AF0240C302A21BCE2 | SHA256:B98A28398423E3B2A13081E3F72466A154401E8C3F3936CC8168C34485ECDDCE | |||
3724 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary | |
MD5:418479EA5E787239C5BC549A53F5D289 | SHA256:A5700FC5AAC77EF7A581223E40225A79581862E07785A0CDF37D4DD46A8D0DA5 | |||
3724 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B | binary | |
MD5:4C6C523DC05FECA9A4694138AB56F4F1 | SHA256:D80E7DFEF441F4769884F040E56775AED7D51C14216862A7CF26EE178D1F60B5 | |||
3724 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_F0B960C3B1E522BB9772662759982F90 | binary | |
MD5:BB2F91397A7BBB9985D90D5F9702D6D6 | SHA256:F2CCFA114A96A7805B6F76F4BC8374D377619B123FC6A3042A07A7DAEA6798AF | |||
3724 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:9EBFAC5B5B77AB69E21BBF5838674D86 | SHA256:A28A93B785C7BC995E0633C9E71327271CD730F3BE59593C7E74826B0C204A62 | |||
2656 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{5027FC80-8FDF-4BF6-92F1-50CB65E8829C}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:4C61C12EDBC453D7AE184976E95258E1 | SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F | |||
3724 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der | |
MD5:6AAC8582893304B7B678B7E864946238 | SHA256:8986A95049C4208CB8D384C59720ADA1E8CF2795CB9AEAE70317D88789049590 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2656 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3724 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D | US | der | 2.18 Kb | whitelisted |
3724 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 1.42 Kb | whitelisted |
3724 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCEA2KFitLH9n0LY9WTWFSpcE%3D | US | der | 471 b | whitelisted |
2632 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3724 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?60fd0ccc3a9c075e | US | compressed | 4.70 Kb | whitelisted |
3724 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?362105c953763638 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2656 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3724 | iexplore.exe | 172.64.155.188:80 | ocsp.comodoca.com | — | US | suspicious |
3724 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
3724 | iexplore.exe | 18.190.88.230:443 | us.pbe.encryption.symantec.com | Massachusetts Institute of Technology | US | suspicious |
3724 | iexplore.exe | 52.6.56.188:443 | urldefense.com | Amazon.com, Inc. | US | suspicious |
— | — | 52.6.56.188:443 | urldefense.com | Amazon.com, Inc. | US | suspicious |
2632 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2632 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
urldefense.com |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |
us.pbe.encryption.symantec.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3724 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3724 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |