| Field | Value |
|---|---|
| File name | URGENT - Possible Virus Fwd FW [email protected] sent you files via WeTransfer.msg |
| Full analysis | https://app.any.run/tasks/3f673a7d-d586-407d-b97a-8f323dce7cbb |
| Verdict | Malicious activity |
| Analysis date | May 15, 2019, 12:39:06 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/vnd.ms-outlook |
| File info | CDFV2 Microsoft Outlook Message |
| MD5 | 7E3CC215BD36EFFDCFE3036725B463FF |
| SHA1 | A1E1D7F6F51F88BCCBC6299AC4498376A5C1B8F5 |
| SHA256 | B4517AA5C2AB32EACB2A6A9DA6369E2527169EC5973E4B419B00F7FFB46ED82A |
| SSDEEP | 3072:WWqhzXU7N1Is4gFN4LqpqPRC0D1OT28W88mXqHrdaXMRlcEG:F+zqnIs4mT0BOT7XMR |

| Extension | File type | Score |
|---|---|---|
| .msg | Outlook Message | 58.9 |
| .oft | Outlook Form Template | 34.4 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 304 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\URGENT - Possible Virus Fwd FW [email protected] sent you files via WeTransfer.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Exit code: 0; Version: 14.0.4760.1000 | | | |
| 1936 | "C:\Program Files\Internet Explorer\iexplore.exe" https://wetransfer.com/downloads/b6eca9b117add37a4f94bcb1a56f75b920190515102039/dd54563a64ffa58cddc67e712af16ef820190515102039/882084 | C:\Program Files\Internet Explorer\iexplore.exe | — | OUTLOOK.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | | | |
| 1548 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:267521 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | — | iexplore.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | | | |
| 1200 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:2561298 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | — | iexplore.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 304 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRD8BE.tmp.cvr | — | — | — |
| 1548 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\gtm[1].js | text | 5099EA852FB623F2514EFF3CA439151F | 8C8DA2B5CB928FD97DCDA1D10D8A5ADF1001767DBC38BA0BAEBCBF6A98F72EED |
| 1548 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\en-b5bfd82fa1a1be1a23a59ee64693c2e964f5770b485afbbae7a7715469d04054[1].js | text | 2064F8F61BAAFFC7D909EDE24BBB99BA | B5BFD82FA1A1BE1A23A59EE64693C2E964F5770B485AFBBAE7A7715469D04054 |
| 1548 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\polyfill-d57ed33cb6a662f56f6b[1].js | text | A9C50A058A03FB59FFC4C6B1ABBC1A40 | 6D67F4748718E8DD7CC5E1FFFA258194CF77EE6C8F130025DB3E1308ABE418FD |
| 1548 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\advertising-af72fc2e53268ff36ec4fb73e4dd756c514c393eaf213d8c2dbe527c72494405[1].js | text | 52361B70FD4DBDE1EF9EF831EA9D75FD | AF72FC2E53268FF36EC4FB73E4DD756C514C393EAF213D8C2DBE527C72494405 |
| 1548 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\application-f7363223dc938b00a89e1c7eeb1333fb0de892239f2be9aab743a361c252e6ed[1].css | text | 2EE43EEB591A3CA3F1E60FB831557F4A | F7363223DC938B00A89E1C7EEB1333FB0DE892239F2BE9AAB743A361C252E6ED |
| 1548 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\runtime.es5-4b42fd35e10ead324716[1].js | text | 69C0EE2C7B910BBD93B5BD70739129D5 | 4D4BB7C7ED3AC425D8634E8CFBA7A8E8F0BE08669A308AAD6A2C840EFC9309E4 |
| 304 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 65144A6A79400DEC5F93EF2BF9AC2490 | F4A28CE3B786093A180815E9D836A7C2DB3BF17CD01FAAB3A5054C9F3D3807F6 |
| 1548 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\882084[1].htm | html | 83151C3A57E0F67FC536FAF83009C920 | C8E4C9338390200575A7B2562DDA221CCFA1A5BA60C63FDDE7A3DD04B5BDCA25 |
| 1548 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\application.es5-44cd5bbe7faabcc38b9a[1].js | text | 66E049C68C84DF8E6F39FF86BED259D1 | ACD0C2530070EDEA4EEB9CBCDEFDD7F40C88547E3A2B0BB1E9BFF874DB4A7AA9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
304 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
1548 | IEXPLORE.EXE | GET | 200 | 52.222.157.248:443 | https://prod-cdn.wetransfer.net/assets/advertising-af72fc2e53268ff36ec4fb73e4dd756c514c393eaf213d8c2dbe527c72494405.js | US | text | 346 b | whitelisted |
1548 | IEXPLORE.EXE | GET | 200 | 52.211.136.15:443 | https://wetransfer.com/downloads/b6eca9b117add37a4f94bcb1a56f75b920190515102039/dd54563a64ffa58cddc67e712af16ef820190515102039/882084 | IE | html | 69.7 Kb | shared |
1548 | IEXPLORE.EXE | GET | 200 | 52.222.157.248:443 | https://prod-cdn.wetransfer.net/assets/runtime.es5-4b42fd35e10ead324716.js | US | text | 4.86 Kb | whitelisted |
1548 | IEXPLORE.EXE | OPTIONS | 200 | 151.101.2.2:443 | https://app.launchdarkly.com/sdk/goals/5b82f23280914154b163996e | US | — | — | shared |
1548 | IEXPLORE.EXE | GET | 200 | 151.101.2.2:443 | https://app.launchdarkly.com/sdk/goals/5b82f23280914154b163996e | US | text | 270 b | shared |
1548 | IEXPLORE.EXE | GET | 200 | 52.222.157.248:443 | https://prod-cdn.wetransfer.net/assets/locale/en-b5bfd82fa1a1be1a23a59ee64693c2e964f5770b485afbbae7a7715469d04054.js | US | text | 99.4 Kb | whitelisted |
1548 | IEXPLORE.EXE | GET | 200 | 52.222.157.248:443 | https://prod-cdn.wetransfer.net/assets/vendor.es5-9175b556e03124e5ba5b.js | US | text | 354 Kb | whitelisted |
1548 | IEXPLORE.EXE | GET | 200 | 52.222.157.248:443 | https://prod-cdn.wetransfer.net/assets/application.es5-44cd5bbe7faabcc38b9a.js | US | text | 568 Kb | whitelisted |
1548 | IEXPLORE.EXE | GET | 200 | 52.222.157.248:443 | https://prod-cdn.wetransfer.net/assets/faktpro/FaktGrkWeb-Medium-8eb863415ca103c7f90b369e54e6be4786c90c30a06ce32f3dca803206bf74dd.woff | US | woff | 91.3 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1936 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
304 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
1548 | IEXPLORE.EXE | 52.222.146.185:443 | d19ptbnuzhibkh.cloudfront.net | Amazon.com, Inc. | US | suspicious |
1548 | IEXPLORE.EXE | 172.217.18.110:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
1548 | IEXPLORE.EXE | 50.19.83.243:443 | e-10220.adzerk.net | Amazon.com, Inc. | US | suspicious |
1548 | IEXPLORE.EXE | 151.101.2.2:443 | app.launchdarkly.com | Fastly | US | shared |
1548 | IEXPLORE.EXE | 172.217.18.168:443 | www.googletagmanager.com | Google Inc. | US | whitelisted |
1548 | IEXPLORE.EXE | 52.211.136.15:443 | wetransfer.com | Amazon.com, Inc. | IE | unknown |
1936 | iexplore.exe | 52.222.157.248:443 | prod-cdn.wetransfer.net | Amazon.com, Inc. | US | unknown |
1548 | IEXPLORE.EXE | 74.125.71.157:443 | stats.g.doubleclick.net | Google Inc. | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| config.messenger.msn.com | — | whitelisted |
| wetransfer.com | — | shared |
| prod-cdn.wetransfer.net | — | whitelisted |
| www.googletagmanager.com | — | whitelisted |
| d19ptbnuzhibkh.cloudfront.net | — | whitelisted |
| app.launchdarkly.com | — | shared |
| api.bing.com | — | whitelisted |
| www.bing.com | — | whitelisted |
| www.google-analytics.com | — | whitelisted |
| e-10220.adzerk.net | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .icu Domain |
1200 | IEXPLORE.EXE | Potentially Bad Traffic | ET INFO Suspicious Domain (*.icu) in TLS SNI |
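The two ET alerts are the only thing on this page that justifies the "Malicious activity" verdict, and one of them is pinned to PID 1200. The added example below (written for this page, not ANY.RUN code) transcribes the process, connection and threat tables above into Python records and walks the alert back through the process tree to the message Outlook opened, then lists the contacted domains whose reputation is not "whitelisted". The function names are hypothetical; the records are copied from the tables above and nothing else is assumed.

```python
"""Triage a flattened sandbox report: attribute an IDS alert to the process
chain that produced it and pull out the domains still worth a look.
Added example; records are transcribed from the report tables above."""
import re
from collections import defaultdict

# Process table: (PID, image, parent PID, integrity level, command line).
PROCESSES = [
    (304, "OUTLOOK.EXE", None, "MEDIUM",
     r'"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f '
     r'"C:\Users\admin\Desktop\URGENT - Possible Virus Fwd FW [email protected] '
     r'sent you files via WeTransfer.msg"'),
    (1936, "iexplore.exe", 304, "MEDIUM",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" '
     r'https://wetransfer.com/downloads/b6eca9b117add37a4f94bcb1a56f75b920190515102039'
     r'/dd54563a64ffa58cddc67e712af16ef820190515102039/882084'),
    (1548, "IEXPLORE.EXE", 1936, "LOW",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:267521 /prefetch:2'),
    (1200, "IEXPLORE.EXE", 1936, "LOW",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:2561298 /prefetch:2'),
]

# Connections table: (PID, domain, reputation as given by the sandbox).
CONNECTIONS = [
    (1936, "www.bing.com", "whitelisted"),
    (304, "config.messenger.msn.com", "whitelisted"),
    (1548, "d19ptbnuzhibkh.cloudfront.net", "suspicious"),
    (1548, "www.google-analytics.com", "whitelisted"),
    (1548, "e-10220.adzerk.net", "suspicious"),
    (1548, "app.launchdarkly.com", "shared"),
    (1548, "www.googletagmanager.com", "whitelisted"),
    (1548, "wetransfer.com", "unknown"),
    (1936, "prod-cdn.wetransfer.net", "unknown"),
    (1548, "stats.g.doubleclick.net", "whitelisted"),
]

# Threat table: (PID or None when the sandbox could not attribute it, message).
ALERTS = [
    (None, "ET INFO DNS Query for Suspicious .icu Domain"),
    (1200, "ET INFO Suspicious Domain (*.icu) in TLS SNI"),
]

URL_RE = re.compile(r"https?://\S+")


def ancestry(pid, processes=PROCESSES):
    """Return [pid, parent, grandparent, ...] up to the root of the tree;
    an unknown PID yields an empty list."""
    by_pid = {p[0]: p for p in processes}
    chain = []
    while pid is not None and pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid][2]
    return chain


def urls_in_chain(pid, processes=PROCESSES):
    """Every URL passed on a command line anywhere in the PID's ancestry:
    for a renderer tab this recovers the link the parent browser was launched with."""
    by_pid = {p[0]: p for p in processes}
    urls = []
    for ancestor in ancestry(pid, processes):
        urls.extend(URL_RE.findall(by_pid[ancestor][4]))
    return urls


def connections_for(pid, connections=CONNECTIONS):
    """Domains the sandbox attributed to this exact PID (not its children)."""
    return {domain for cpid, domain, _rep in connections if cpid == pid}


def domains_to_review(connections=CONNECTIONS, ignore=("whitelisted",)):
    """Contacted domains grouped by reputation, dropping the ignored labels."""
    grouped = defaultdict(set)
    for _pid, domain, rep in connections:
        if rep not in ignore:
            grouped[rep].add(domain)
    return dict(grouped)


def triage(alerts=ALERTS, processes=PROCESSES):
    """For each alert, the image chain from the alerting PID to its root process."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, message in alerts:
        chain = ancestry(pid, processes) if pid is not None else []
        findings.append({
            "alert": message,
            "pid": pid,
            "chain": [by_pid[p][1] for p in chain],
            "root": by_pid[chain[-1]][1] if chain else None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding["alert"], "->", " <- ".join(finding["chain"]) or "(unattributed)")
    print("link in chain:", urls_in_chain(1200))
    print("connections listed for 1200:", connections_for(1200))
    print("review:", domains_to_review())
```

Running it ties the SNI alert to `IEXPLORE.EXE <- iexplore.exe <- OUTLOOK.EXE`, i.e. a low-integrity tab of the browser that Outlook launched with the WeTransfer download link from the message. Note that `connections_for(1200)` comes back empty: the `.icu` host that triggered the rule is not in any table on this page, so the tables alone cannot say whether it was loaded by the WeTransfer page, by one of the "suspicious" ad or CDN hosts, or by something else in that tab. The PCAP from the full-analysis link is where to look for it before writing an indicator.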