Field | Value
---|---
File name | email8-13.msg
Full analysis | https://app.any.run/tasks/b71eb8ae-b6b1-41e2-aba7-486fa1dd695a
Verdict | Malicious activity
Analysis date | August 13, 2019, 18:52:29
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | application/vnd.ms-outlook
File info | CDFV2 Microsoft Outlook Message
MD5 | 881ACF92BD011BF451961729EC789F87
SHA1 | 54108F66BF325F253E040AAA8A620D2D84C63204
SHA256 | CCCACFEB3FAF029A23F2DC4CAAF02DACBE3F07E8E87E398D3F3F2139EE61883F
SSDEEP | 1536:+CTxVg/X1VwzqFMHrisYMIgVgNM2gQLCtIDdcB6qy:+C3IgNQOGDC
Extension | Identified type (confidence)
---|---
.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2984 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\email8-13.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe
3104 | "C:\Program Files\Internet Explorer\iexplore.exe" http://info.snowflake.com/UnsubscribePage.html?mkt_unsubscribe=1&mkt_tok=eyJpIjoiTURZMk9EQmxNVFprTnpJeiIsInQiOiJXSmRwTXozaklxRndIYjFHV0hzaU45ZmNmWks0NDFZZ3VqQU8wbDZPMFNQK21qQngvTHFzeVJ4Ris3OE5xV2o5V3R1OWNlWjc5eWFrNmlLdXFlc0pwYjJmODFzUUVNMHQ3b1g3Z2d0TWNycURZdytTTjhMajhQVjNYM2ZaZ29YWiJ9 | C:\Program Files\Internet Explorer\iexplore.exe | — | OUTLOOK.EXE
184 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3104 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe
2324 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe

PID | User | Company | Integrity level | Description | Version
---|---|---|---|---|---
2984 | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000
3104 | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255)
184 | admin | Microsoft Corporation | LOW | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255)
2324 | admin | Adobe Systems Incorporated | MEDIUM | Adobe® Flash® Player Installer/Uninstaller 26.0 r0 | 26,0,0,131
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2984 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRCC80.tmp.cvr | — | — | —
2984 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DFFB46F33A959B182A.TMP | — | — | —
2984 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\msoE79B.tmp | — | — | —
3104 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | — | —
3104 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2984 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | F63165C56EB3AF63F188A041C6804E00 | 883D3768FB58E9A6B5EC6B63151301AA97DD14461BE752608126B1B1D98A80F2
2984 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\B0FTUKTF\Cloud Data Warehousing for Dummies - Download now.msg | msg | 274AAD8F9F8FEA7EF93387BD54DD083D | F679D864EF8D97AB2E8F644E2AA2D2DD2B740F0B35F97BA77D8BD65D7BDC789E
2984 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | 48DD6CAE43CE26B992C35799FCD76898 | 7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
2984 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{47825FF6-B421-4C75-93A8-4C4C2B88A45F}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | 7D80C0A7E3849818695EAF4989186A3C | 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
184 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GUHA15O8\desktop.ini | ini | 4A3DEB274BB5F0212C2419D3D8D08612 | 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2984 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
184 | iexplore.exe | GET | 200 | 199.15.212.5:80 | http://info.snowflake.com/UnsubscribePage.html?mkt_unsubscribe=1&mkt_tok=eyJpIjoiTURZMk9EQmxNVFprTnpJeiIsInQiOiJXSmRwTXozaklxRndIYjFHV0hzaU45ZmNmWks0NDFZZ3VqQU8wbDZPMFNQK21qQngvTHFzeVJ4Ris3OE5xV2o5V3R1OWNlWjc5eWFrNmlLdXFlc0pwYjJmODFzUUVNMHQ3b1g3Z2d0TWNycURZdytTTjhMajhQVjNYM2ZaZ29YWiJ9 | US | html | 4.71 Kb | suspicious |
184 | iexplore.exe | GET | 200 | 199.15.212.5:80 | http://info.snowflake.net/rs/252-RFO-227/images/dpi-ppc-tracking-script.js | US | text | 1.65 Kb | suspicious |
184 | iexplore.exe | GET | 200 | 216.58.206.10:80 | http://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,400,600,700,300 | US | text | 167 b | whitelisted |
184 | iexplore.exe | GET | 200 | 199.15.212.5:80 | http://info.snowflake.net/rs/snowflakecomputing/images/snowflake-logo.png | US | image | 4.32 Kb | suspicious |
184 | iexplore.exe | GET | 200 | 199.15.212.5:80 | http://info.snowflake.net/rs/snowflakecomputing/images/facebook.gif | US | image | 1.37 Kb | suspicious |
184 | iexplore.exe | GET | 200 | 199.15.212.5:80 | http://info.snowflake.com/js/forms2/polyfills/placeholder/placeholder.css | US | text | 365 b | suspicious |
184 | iexplore.exe | GET | 200 | 199.15.212.5:80 | http://info.snowflake.net/rs/snowflakecomputing/images/twitter.gif | US | image | 1.39 Kb | suspicious |
184 | iexplore.exe | GET | 200 | 199.15.212.5:80 | http://info.snowflake.net/rs/snowflakecomputing/images/googleplus.gif | US | image | 1.42 Kb | suspicious |
184 | iexplore.exe | GET | 200 | 172.217.23.163:80 | http://fonts.gstatic.com/s/opensans/v17/mem8YaGs126MiZpBA-UFVZ0f.eot | US | eot | 15.0 Kb | whitelisted |
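The `mkt_tok` parameter in the unsubscribe URL that OUTLOOK.EXE handed to iexplore.exe (PID 3104) and that PID 184 then fetched with HTTP 200 is base64-encoded JSON. The Python below is an added triage example and is not part of the ANY.RUN report or any vendor tooling; the URL is copied verbatim from the tables above. Reading the decoded `i` field as a per-recipient identifier and `t` as an opaque signed or encrypted blob is an analyst's assumption drawn from the bytes, not something the report states.

```python
"""Decode the mkt_tok query parameter from the unsubscribe URL in the report.

Added triage example, not part of the sandbox report. The URL is copied
verbatim from the process and HTTP tables; the interpretation of the decoded
fields ("i" as a recipient identifier, "t" as an opaque blob) is an
assumption made from the bytes, not something the report states.
"""
import base64
import json
from urllib.parse import unquote, urlsplit

# Copied from the report (PID 3104 command line / PID 184 GET request).
UNSUBSCRIBE_URL = (
    "http://info.snowflake.com/UnsubscribePage.html?mkt_unsubscribe=1&mkt_tok="
    "eyJpIjoiTURZMk9EQmxNVFprTnpJeiIsInQiOiJXSmRwTXozaklxRndIYjFHV0hzaU45ZmNmWks0NDFZZ3VqQU8wbDZPMFNQ"
    "K21qQngvTHFzeVJ4Ris3OE5xV2o5V3R1OWNlWjc5eWFrNmlLdXFlc0pwYjJmODFzUUVNMHQ3b1g3Z2d0TWNycURZdytTTjhMajhQVjNYM2ZaZ29YWiJ9"
)


def query_param(url: str, name: str) -> str:
    """Return one query parameter, percent-decoded.

    Split by hand instead of urllib.parse.parse_qs: parse_qs turns '+' into a
    space, which would silently corrupt a standard-alphabet base64 token.
    """
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    raise KeyError(f"{name} not present in query string")


def b64decode_lenient(text: str) -> bytes:
    """Base64-decode a token that may use the URL-safe alphabet and/or omit padding."""
    text = text.strip().replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True)


def decode_mkt_tok(url: str) -> dict:
    """Peel the token apart layer by layer and return what each layer yields."""
    token = query_param(url, "mkt_tok")
    payload = json.loads(b64decode_lenient(token).decode("utf-8"))
    if not isinstance(payload, dict):
        raise ValueError("mkt_tok did not decode to a JSON object")

    result = {"fields": sorted(payload), "raw": payload}

    # "i" is itself base64 and decodes to printable ASCII (a short hex string here).
    # Assumption: a per-recipient identifier.
    inner_i = b64decode_lenient(payload["i"])
    result["i_decoded"] = inner_i.decode("ascii") if inner_i.isascii() else inner_i.hex()

    # "t" does not decode to text; record size and hex only.
    # Assumption: an opaque signed or encrypted blob, not recoverable offline.
    t_bytes = b64decode_lenient(payload["t"])
    result["t_len"] = len(t_bytes)
    result["t_hex"] = t_bytes.hex()
    return result


if __name__ == "__main__":
    decoded = decode_mkt_tok(UNSUBSCRIBE_URL)
    print(json.dumps({k: v for k, v in decoded.items() if k != "raw"}, indent=2))
```

Running it shows two fields: `i` unwraps to a 12-character hex string and `t` to 96 bytes that are not text. A token of this shape is bound to one recipient, so every fetch of the link, including the HTTP 200 recorded above for PID 184 together with the `dpi-ppc-tracking-script.js` load, reports back to the sender's platform. When triaging a message, decode such tokens offline first and detonate the link only on a sandbox whose egress you are willing to expose.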
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
184 | iexplore.exe | 199.15.212.5:80 | info.snowflake.com | MARKETO | US | unknown |
— | — | 172.217.23.163:80 | fonts.gstatic.com | Google Inc. | US | whitelisted |
— | — | 216.58.206.10:80 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2984 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
184 | iexplore.exe | 216.58.206.14:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
184 | iexplore.exe | 104.111.251.133:80 | munchkin.marketo.net | Akamai International B.V. | NL | whitelisted |
184 | iexplore.exe | 172.217.22.35:443 | www.google.no | Google Inc. | US | whitelisted |
184 | iexplore.exe | 216.58.205.228:443 | www.google.com | Google Inc. | US | whitelisted |
— | — | 199.15.212.5:80 | info.snowflake.com | MARKETO | US | unknown |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | — | whitelisted
info.snowflake.com | — | suspicious
www.bing.com | — | whitelisted
info.snowflake.net | — | suspicious
fonts.googleapis.com | — | whitelisted
munchkin.marketo.net | — | whitelisted
fonts.gstatic.com | — | whitelisted
www.google-analytics.com | — | whitelisted
stats.g.doubleclick.net | — | whitelisted
www.google.com | — | whitelisted