File name: | COVID-19 Positive Staff Member Update ID8098 Monday 03302020.msg |
Full analysis: | https://app.any.run/tasks/cfbc1278-86d8-4924-8683-9a2921d09083 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 07:24:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 3D0F16121CD54427F73F55533B404C02 |
SHA1: | 0D120487E19E162A92BB8BC5FD58383A25A87AE7 |
SHA256: | BC5C82CB6C1364FCAF9BB5364CCC72482F6752C399BE06C2EEC853A9AF0CCE94 |
SSDEEP: | 768:IAsSeGzsUI/rubmdOG50LWsKsWsK6IQDojsJiX6PqkfKdGNEefHYlKR2fYl06NFQ:IOYabSOI0LWEWChDisJTqv1PJ |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2952 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\COVID-19 Positive Staff Member Update ID8098 Monday 03302020.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
2824 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\UPI6MK7G\Covid-19_in_Building_Information_1717-pab pdf.htML | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1168 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2824 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR6AA9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\UPI6MK7G\Covid-19_in_Building_Information_1717-pab pdf (2).htML\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:CA8C06A7F4F85B3DF390A04ED767B931 | SHA256:B3350386D3CB980725D992FAF4BB042251526256990BE5092A43B9EBAAD1B631 | |||
2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:2D9ACB2DB387800439D10493024BEAC1 | SHA256:8F71B7E10CF32DF03716A84AFB71A08B57B10C2EC64664A176159E4E302A8568 | |||
1168 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\styles[1].css | html | |
MD5:757E8524F301A7C3FFB1CA329D815228 | SHA256:17F39A1D03640659B4A38FD490AAEDDE97CEE21CE643FEE6D309AD5F605EA48A | |||
2824 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\UPI6MK7G\Covid-19_in_Building_Information_1717-pab pdf.htML | html | |
MD5:D155DB5BD1CB22E30B35B2ED1997D4DB | SHA256:A133B5A33DAD437325C0CBD814CEA422158D3DD033175FF6294A61EC6448366F | |||
1168 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\errorPageStrings[1] | text | |
MD5:E3E4A98353F119B80B323302F26B78FA | SHA256:9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66 | |||
2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:48DD6CAE43CE26B992C35799FCD76898 | SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A | |||
1168 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\NewErrorPageTemplate[1] | text | |
MD5:CDF81E591D9CBFB47A7F97A2BCDB70B9 | SHA256:204D95C6FB161368C795BB63E538FE0B11F9E406494BB5758B3B0D60C5F651BD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1168 | iexplore.exe | GET | 200 | 2.21.242.197:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | NL | der | 1.37 Kb | whitelisted |
1168 | iexplore.exe | GET | 200 | 2.21.242.197:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | NL | der | 1.37 Kb | whitelisted |
2824 | iexplore.exe | GET | 200 | 166.62.13.1:80 | http://ozturkkilcadir.com/favicon.ico | US | — | — | suspicious |
1168 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | US | der | 471 b | whitelisted |
1168 | iexplore.exe | GET | 200 | 50.87.153.159:80 | http://ibuykenya.com/vendor/doctrine/styles.css | US | html | 29.1 Kb | suspicious |
1168 | iexplore.exe | GET | 200 | 2.21.242.197:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | NL | der | 1.37 Kb | whitelisted |
1168 | iexplore.exe | GET | 200 | 166.62.13.1:80 | http://ozturkkilcadir.com//wp-content/22323454-76878989/wrng.html | US | text | 761 b | suspicious |
1168 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D | US | der | 727 b | whitelisted |
1168 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted |
1168 | iexplore.exe | GET | 301 | 51.15.16.245:80 | http://i.postimg.cc/vHgYSJgT/arrow.jpg | NL | html | 162 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2952 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
1168 | iexplore.exe | 184.31.91.84:443 | secure.aadcdn.microsoftonline-p.com | Akamai International B.V. | NL | whitelisted |
1168 | iexplore.exe | 51.15.27.129:443 | i.ibb.co | Online S.a.s. | NL | unknown |
1168 | iexplore.exe | 209.197.3.24:443 | code.jquery.com | Highwinds Network Group, Inc. | US | malicious |
1168 | iexplore.exe | 51.15.16.245:80 | i.postimg.cc | Online S.a.s. | NL | unknown |
1168 | iexplore.exe | 50.87.153.159:80 | ibuykenya.com | Unified Layer | US | suspicious |
1168 | iexplore.exe | 51.15.16.245:443 | i.postimg.cc | Online S.a.s. | NL | unknown |
2824 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1168 | iexplore.exe | 2.21.242.197:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | NL | whitelisted |
1168 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
ibuykenya.com |
| suspicious |
secure.aadcdn.microsoftonline-p.com |
| whitelisted |
i.postimg.cc |
| whitelisted |
code.jquery.com |
| whitelisted |
i.ibb.co |
| shared |
www.bing.com |
| whitelisted |
api.bing.com |
| whitelisted |
isrg.trustid.ocsp.identrust.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .cc TLD |
1168 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Http Client Body contains pass= in cleartext |