File name: | phish_alert_sp2_2.0.0.0.eml |
Full analysis: | https://app.any.run/tasks/0f8482b6-e2b9-4cf7-9747-a6bfe0a88d7d |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 17:18:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators |
MD5: | A66B59C95D25D78C5BBED0FDCA31036B |
SHA1: | E49638AB75AA3215B43A5ACF40381284F25A8081 |
SHA256: | CD12D354E5F998B96929E323CCB4C30EA3EF8361D7BC67FF6585F7C727C2AC3E |
SSDEEP: | 384:U8CUcxL8RUOT60eYoRoT/pj/xHfonoR2bkCRVqx2dI2dMYZaH2pCRaWN1dYn:JCeN6Wt2a2R0Yn |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3904 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
3436 | "C:\Program Files\Internet Explorer\iexplore.exe" https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmail.cascade.app%2Fe3t%2FBtc%2FZS%2B113%2FcBYBv04%2FMW0DXL94CTNVf5T9L1CdTkDW5DT7xy4DJc2bN3V8l9h3q3nJV1-WJV7CgBrTW5Dd0Ty8fGz3gN3JsyM2yT7mZN96Whbdhjv7NW6cLG6R4cRnS9W6Sqpvh75j7MWW2r9-VK87Qn5_W79mgGh627H4hVrCcSL3K79z0W5WdK396Q5Z-KW8sxs0m4vcncXW32gCtY5JP42xTf5bC36PDfCW7Dvd9b4RTtTXN88N9fwFQ9ZrW2nx_FD76Dh0RW1Z-fq51rfn1NW6n1qZC7z2pvzW1clTJP3shGbhW6PPVZl2sy0kpN2bg0MYyCLGLN6sztWzQ5zkbW6KSCTT6MHlzvW3PxqWR78scbQVqrWtB28nBkc3khs1&data=04%7C01%7Cleslie.rott%40phl.org%7C803ccc67c4074f5ba7f108d9df3bd98d%7C2182f890679042acab9758afd4eb2b6d%7C0%7C0%7C637786270429461941%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=kjFnDxYHco8OJg0%2FNgRWv4W8PjA0yIMzjVXqUEFoJpM%3D&reserved=0 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3456 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3436 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3504 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3436 CREDAT:202003 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2836 | C:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exe | — | svchost.exe | |||||||||||
User: admin Company: Adobe Integrity Level: MEDIUM Description: Adobe� Flash� Player Installer/Uninstaller 32.0 r0 Version: 32,0,0,453 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3904 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE581.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3904 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
3904 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:EFEC4FF812E0AC3B4953F96D01FC7475 | SHA256:1DE81F6303BDCCE1FC25191BC86FAE9AABBB35AB5ED18A7C4F65D47A87E5309A | |||
3904 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:0825F2E8B09633937F2139DECCBB546C | SHA256:939E7A80CFC5CF66EB8D620448C3CB9975E6FC93B28EA8AD829129402CFF4DD8 | |||
3456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | |
MD5:494A7483CEAF488A79CB45418E88ECCD | SHA256:9A65904F97742B3D8844EFAFCE7D9E9DA7C1B96A8FDE541E718768AE68293D50 | |||
3904 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_0074ED7F273F62439988DDF77A9BD760.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |||
3456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | der | |
MD5:DAC4619E319FD2C836D2FCEB1542D665 | SHA256:B715BCE5A46505ECF3DF445B5427EBFCD74279271DA1F019C2CAC521D56B8EA3 | |||
3904 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_900B09412C69204E810729D082D11276.dat | xml | |
MD5:57F30B1BCA811C2FCB81F4C13F6A927B | SHA256:612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3 | |||
3456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:1A313AB055DE56D639A0046B9FBDE0C1 | SHA256:96FFE97E9A7566A408FF4BAAB98C37BF0B6B673FC05C0D1B33ED4FD35473F9A0 | |||
3456 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\7HO9X1MF.htm | html | |
MD5:B4328A295921878997F910E1A25FD52F | SHA256:C6F66A6C7448C4EEF8FA6DBBF0812A262C639CC45ED63E5FC5915DDBE42944D6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3456 | iexplore.exe | GET | — | 143.204.101.124:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | — | — | shared |
3436 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3904 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3456 | iexplore.exe | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHophRq39F1meVBmQbb%2F1x0%3D | US | der | 1.40 Kb | whitelisted |
3456 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted |
3504 | iexplore.exe | GET | 200 | 142.250.184.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
3456 | iexplore.exe | GET | 200 | 142.250.184.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
3456 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
3504 | iexplore.exe | GET | 200 | 143.204.101.74:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAcU6FXlzkyB0IyouWSBENc%3D | US | der | 471 b | whitelisted |
3456 | iexplore.exe | GET | 200 | 23.32.238.201:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?677e3690ae312f31 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3904 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3456 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3436 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3436 | iexplore.exe | 23.32.238.201:80 | ctldl.windowsupdate.com | XO Communications | US | suspicious |
3456 | iexplore.exe | 23.32.238.201:80 | ctldl.windowsupdate.com | XO Communications | US | suspicious |
3504 | iexplore.exe | 104.47.64.28:443 | gcc02.safelinks.protection.outlook.com | Microsoft Corporation | US | suspicious |
3456 | iexplore.exe | 104.47.64.28:443 | gcc02.safelinks.protection.outlook.com | Microsoft Corporation | US | suspicious |
3456 | iexplore.exe | 199.60.103.29:443 | mail.cascade.app | — | CA | suspicious |
3456 | iexplore.exe | 151.101.2.110:443 | fast.wistia.com | Fastly | US | suspicious |
3456 | iexplore.exe | 104.18.21.226:80 | ocsp2.globalsign.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
gcc02.safelinks.protection.outlook.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
mail.cascade.app |
| suspicious |
www.cascade.app |
| suspicious |
sdk.customfit.ai |
| malicious |
cdn2.hubspot.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |