File name: | RE Risk Management COVID-19.msg |
Full analysis: | https://app.any.run/tasks/2264d061-cee4-44e3-9ecc-74f7c3a21efd |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 01:35:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | DF7AEACCA4D4DFFF2B9A76576645459A |
SHA1: | 1CB1F692909CB940820496778848A8079FA87787 |
SHA256: | B84D39E9E14358CC761B37D79C196666017510286F9297F696D5237834C014EF |
SSDEEP: | 3072:yfgD0mqfwDUL2tfewDZnFQ03RXzjipdlhOmzN8D4NT1oLKl:5fHeSnFHB8dffhfYe |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2488 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\RE Risk Management COVID-19.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
2312 | "C:\Program Files\Internet Explorer\iexplore.exe" https://forms.office.com/Pages/ResponsePage.aspx?id=k5jvve-H5ECXpMfZhWmGluC71Wa73h1DjBtWS0S8a0tUOE8wTjNLRFlQT1FUU1kxMUJTVEc4RjRNNy4u | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3552 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2312 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1944 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2312 CREDAT:3413259 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2412 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2312 CREDAT:595223 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1912 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2312 CREDAT:2102573 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2380 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2312 CREDAT:857365 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2488 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR6876.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3552 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabB5EA.tmp | — | |
MD5:— | SHA256:— | |||
3552 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarB5EB.tmp | — | |
MD5:— | SHA256:— | |||
2488 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:889281A220768A6D1DF9B03181F27039 | SHA256:6684D6ADD000BB00516189935E9DE309D2B72AEC797FB8DA21918C9EF95BCBE6 | |||
2488 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:97D6C55871691B846A3B48E5B9EDFE43 | SHA256:F9469D2ADDE100683A8B54BE39EBA2FD309C7CC0C14AA296B4C09AB6229F484A | |||
2488 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7D2136E8.dat | image | |
MD5:2863166B733F3E9863A194F4CDA5A507 | SHA256:AE2F0EEAC5B81BDDBD6773558E8A021585AD0CED26FAFED5872222C532FC2AD6 | |||
3552 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4 | der | |
MD5:A5460F87F08C0F1059DD2241790F4EEC | SHA256:3CA837D792078CA4412529FF535F114DA5A7276C50DC8AB526D65F75931E99F9 | |||
3552 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1G23L19Q.txt | text | |
MD5:6BADDAFC7A5F499695F2B604A611A874 | SHA256:EED49E1F4E946A31A2161120250A697AA7547553E5BFF0107DCA764F5313A45B | |||
2488 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F33839C9.dat | image | |
MD5:63DA75D3DD103606260C4B2B02EBAC46 | SHA256:0EB4E26EE4DB18C710D750751F6566D0719647B61C7BE7F551924A8C0A7EC83D | |||
3552 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | binary | |
MD5:6C2E536B8722D9BCB46F207E08267286 | SHA256:44C4E0A898C2A65D0CD2FDF19C71D336BBFE0F1A136436A45D0FDDA7D1A78891 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2488 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3552 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D | US | der | 1.47 Kb | whitelisted |
3552 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D | US | der | 1.47 Kb | whitelisted |
3552 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D | US | der | 1.47 Kb | whitelisted |
3552 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D | US | der | 1.47 Kb | whitelisted |
3552 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted |
3552 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted |
3552 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3552 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
2312 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2488 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3552 | iexplore.exe | 152.199.19.160:443 | az725175.vo.msecnd.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3552 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3552 | iexplore.exe | 23.55.110.59:443 | cdn.forms.office.net | NTT America, Inc. | US | suspicious |
3552 | iexplore.exe | 52.109.76.79:443 | forms.office.com | Microsoft Corporation | IE | whitelisted |
3552 | iexplore.exe | 20.36.253.92:443 | c.office.com | — | US | whitelisted |
1944 | iexplore.exe | 52.109.76.79:443 | forms.office.com | Microsoft Corporation | IE | whitelisted |
3552 | iexplore.exe | 40.77.226.250:443 | web.vortex.data.microsoft.com | Microsoft Corporation | IE | whitelisted |
1944 | iexplore.exe | 23.55.110.59:443 | cdn.forms.office.net | NTT America, Inc. | US | suspicious |
— | — | 40.77.226.250:443 | web.vortex.data.microsoft.com | Microsoft Corporation | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
forms.office.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
cdn.forms.office.net |
| whitelisted |
az725175.vo.msecnd.net |
| whitelisted |
c.office.com |
| whitelisted |
web.vortex.data.microsoft.com |
| whitelisted |
c.bing.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |