File name: | EXT RE#H2760000 Holton-Arms School e-Invoice #INV2600002983.msg |
Full analysis: | https://app.any.run/tasks/bb77b0a8-54e5-4806-b585-630e04043a0d |
Verdict: | Malicious activity |
Analysis date: | February 21, 2020, 20:48:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 9436CB53490AAC621D9B631DA8556BEF |
SHA1: | 3D4581B9CBC4E53E25B90109FCF057AD92639D71 |
SHA256: | B2AA01C97A8BCEE6AB84E4000A4B7F9583DECD3A3A51810E38312120BFE55E57 |
SSDEEP: | 3072:nygXbOcbX3yvYYhbqp7SXi/WAX3yBosKmKr2eTnoS92y:ygrDVtCdKKX |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1720 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\EXT RE#H2760000 Holton-Arms School e-Invoice #INV2600002983.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2888 | "C:\Program Files\Internet Explorer\iexplore.exe" https://secure-web.cisco.com/1vmcoHk16L0k_3ZPwV1i8ynDCTZ781yU_eJgQLV6re1q9LXArD_r3XnCKtfs11n9InEkFkWKoBDSLWzm2xiT9bav9HG8zLUisMQO1V7IDoThnR-pvC3AKMFHJ9wd9RpkIyTjUzXrNnB36mf9DfN5TDVZyhqJy3CE-XSrQx7J59SXhFKOfyIPKkxJsSZqMN88Bo0AR0GRqf1km3pFgeDdnPJ8cPRWHE5QRKbdTPtpxQFjg0A1ucbp2q7RV9GkFzJ-eiWOVgG4WP107JNARzlgeG0xX7eOLgspEGLC9wiiQi8to9OwwdBahId7fmx76OqDJdNRYleudY5J8nAZ6q-EoB9njfUhh2HUsr8HwINyVyv_yNFTj2Uhy40zKtUew4kwjSO-7wYiZ5j0re6oJxQ43C59-flo5t6Njj7Su9NChAyuoq8mfwdb0GBzMSvyRkQEsLGCM-13xLwlq_925Xei5D72HnMQCOhJiO4STyBMswkngM3YmNjqaNalY6OtR0gA96Gq8wczdi8ScKzA4yhBLjw/https%3A%2F%2Fgustygulasgroup.us4.list-manage.com%2Ftrack%2Fclick%3Fu%3D8d104840f36293e4dfb89ed2a%26id%3D0dfac2ea5b%26e%3D288b976ac7 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3900 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2888 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1720 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B35.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2888 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3900 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab98ED.tmp | — | |
MD5:— | SHA256:— | |||
3900 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar98EE.tmp | — | |
MD5:— | SHA256:— | |||
3900 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\APIIAVB5.txt | — | |
MD5:— | SHA256:— | |||
1720 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:31B4F9D6A00BA41022E97F79353D8428 | SHA256:B5B5A6669FDFDC4421CC67E74990085835F32B7F48D5903566AFA842387B3577 | |||
1720 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6E1AA388.dat | image | |
MD5:A1574E58938F07206A517CB38D74C536 | SHA256:0D9AD9AA60F463334FB6CF2DB96F0186252B523807355E45838D724189E7EE80 | |||
1720 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:7C079F3D5EC3FC9AF230B5864F2D548F | SHA256:E4C4E2AFB0BFEAA872AA924D14AE1F381BAAB9E115196D983E78E8AF492270C0 | |||
3900 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2EE749B7E1A15635422518BB5EBFD338_2BE9BBF30BBE030BE7B79471EABFE00A | binary | |
MD5:EB58BE7CCD377480461DEFF856CC2080 | SHA256:92ACF5211974AE8FD01F57805C6A1D897DD825BC40D9E05C8D2753863CD180FF | |||
3900 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B0F2D31D2C32B49DCC8F7CC5C73F3C5D_2C8AAFA9D67255B0364928E0BF09B2FE | binary | |
MD5:4B2A0E44ABC86000CCAE9B4331814336 | SHA256:B6863A8C5CECDC78A4B4F216029F5D24F23369BC4BC533AC6BBD624D399A1F66 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3900 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
3900 | iexplore.exe | GET | 200 | 35.156.48.155:80 | http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTyhcKR1A4XhQLFZRt5u%2BT8TDsYdQQUGoRivEhMMyUE1O7Q9gPEGUbRlGsCFHUXFneD0EN%2BtVbDV5RuRWO469Os | DE | der | 1.78 Kb | whitelisted |
3900 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
3900 | iexplore.exe | GET | 200 | 35.156.48.155:80 | http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBRPT4HWWg2N6N2sdizmyiRTaupwfgQUmGq2LS6%2Fp6qf9vfWCa%2FVi1f5ircCFAJ6LdwhHmBeL%2BjGokwlqon6ciFk | DE | der | 1.80 Kb | whitelisted |
2888 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3900 | iexplore.exe | GET | 200 | 52.219.72.94:80 | http://crl.quovadisglobal.com/hydsslg2.crl | DE | der | 46.2 Kb | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1720 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2888 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3900 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3900 | iexplore.exe | 23.8.12.241:443 | gustygulasgroup.us4.list-manage.com | Akamai International B.V. | NL | unknown |
3900 | iexplore.exe | 35.156.48.155:80 | ocsp.quovadisglobal.com | Amazon.com, Inc. | DE | unknown |
3900 | iexplore.exe | 208.90.58.178:443 | secure-web.cisco.com | Cisco Systems Ironport Division | US | suspicious |
3900 | iexplore.exe | 52.219.72.94:80 | crl.quovadisglobal.com | Amazon.com, Inc. | DE | unknown |
2888 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3900 | iexplore.exe | 62.109.0.180:443 | wpadvot.com | JSC ISPsystem | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
secure-web.cisco.com |
| whitelisted |
ocsp.quovadisglobal.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
gustygulasgroup.us4.list-manage.com |
| unknown |
ocsp.digicert.com |
| whitelisted |
wpadvot.com |
| suspicious |
crl.quovadisglobal.com |
| shared |
iecvlist.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3900 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3900 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |