File name: | Invoice 6469 from FourthLine.msg |
Full analysis: | https://app.any.run/tasks/3845a672-a1a5-4468-a71b-2a252c42e130 |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 11:57:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | A7D12A9A851688FD322D1662E9AAFFC9 |
SHA1: | C16B8C416A7F563C288EB72263D1EAD010826AA8 |
SHA256: | D438D5F996397B74B2F12BC0B0C5893D438CE0B3830739EC087E3908CB7F2B20 |
SSDEEP: | 3072:7Hn+ZHKEfbwQUFtAMLBS2wQUFtAMJTZ9+cob:a5KK/+ |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3468 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Invoice 6469 from FourthLine.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
2600 | "C:\Program Files\Internet Explorer\iexplore.exe" https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fquickbooks.hhpd.com%2Fportal%2Fapp%2FCommerceNetwork%2Fview%2F751dd1e8940f4bf0a3f58528e1cdaca9a7ed5cfb20a445d7b7ac973114d716a640d893994c3147469013d97ad94ec6be&data=02%7C01%7Csteph.chapman%40drax.com%7C4b0adc7205904c773cd008d664deb8a2%7C007c146d3d97467d849f6f4fe5a6a0f3%7C0%7C1%7C636807305077798930&sdata=i3%2Bh%2F1CqapTLYBHeani8ok22uSN2OxHibfGZvLkLKwM%3D&reserved=0 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3496 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2600 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2836 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
3676 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x617000b0,0x617000c0,0x617000cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
3060 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2840 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
2372 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=972,14356425223872444567,6415075583914672076,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=7344C6826B66CB417D4795696DB58BEA --mojo-platform-channel-handle=996 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Version: 68.0.3440.106 | ||||
3576 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=972,14356425223872444567,6415075583914672076,131072 --enable-features=PasswordImport --service-pipe-token=0867C2974AC856107371D5E1C5396E00 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=0867C2974AC856107371D5E1C5396E00 --renderer-client-id=5 --mojo-platform-channel-handle=1916 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
2164 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=972,14356425223872444567,6415075583914672076,131072 --enable-features=PasswordImport --service-pipe-token=54DD64743B2EE8ECAE4B6E9227634DD0 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=54DD64743B2EE8ECAE4B6E9227634DD0 --renderer-client-id=3 --mojo-platform-channel-handle=1536 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
3112 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=972,14356425223872444567,6415075583914672076,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=3351BB9FF37D67DEF1A83E17415CE9C9 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3351BB9FF37D67DEF1A83E17415CE9C9 --renderer-client-id=6 --mojo-platform-channel-handle=3004 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3468 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7BD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2600 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2600 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\751dd1e8940f4bf0a3f58528e1cdaca9a7ed5cfb20a445d7b7ac973114d716a640d893994c3147469013d97ad94ec6be[1].txt | — | |
MD5:— | SHA256:— | |||
2600 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].htm | — | |
MD5:— | SHA256:— | |||
2600 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3468 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:4D8FCF0D4B6782895A731445D5EA31F3 | SHA256:89DAAE4AD2879AC6B2CAD7A292BA50BA1D8284B918D3EA8D888E7604DECC47DF | |||
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\751dd1e8940f4bf0a3f58528e1cdaca9a7ed5cfb20a445d7b7ac973114d716a640d893994c3147469013d97ad94ec6be[1].htm | html | |
MD5:B51BA749F9060866E40F38056E937D91 | SHA256:5F5FD05C4C971CFDBD58A9AF797B014834054FB9973091E6A7C9F802A43F0E26 | |||
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\icn[1].css | html | |
MD5:B51BA749F9060866E40F38056E937D91 | SHA256:5F5FD05C4C971CFDBD58A9AF797B014834054FB9973091E6A7C9F802A43F0E26 | |||
3468 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A106361D-517A-4F64-BEE0-72C65F3DF769}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:7D80C0A7E3849818695EAF4989186A3C | SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3496 | iexplore.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/751dd1e8940f4bf0a3f58528e1cdaca9a7ed5cfb20a445d7b7ac973114d716a640d893994c3147469013d97ad94ec6be | FR | html | 30.6 Kb | unknown |
2836 | chrome.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/751dd1e8940f4bf0a3f58528e1cdaca9a7ed5cfb20a445d7b7ac973114d716a640d893994c3147469013d97ad94ec6be | FR | html | 30.6 Kb | unknown |
3468 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3496 | iexplore.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/icn-secondary.css | FR | html | 30.6 Kb | unknown |
2600 | iexplore.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/favicon.ico | FR | html | 30.6 Kb | unknown |
2836 | chrome.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/icn.css | FR | html | 30.6 Kb | unknown |
3496 | iexplore.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/hui.css | FR | html | 30.6 Kb | unknown |
2836 | chrome.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/hui.css | FR | html | 30.6 Kb | unknown |
3496 | iexplore.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/icn.css | FR | html | 30.6 Kb | unknown |
2836 | chrome.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/icn-secondary.css | FR | html | 30.6 Kb | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3468 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2600 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3496 | iexplore.exe | 91.121.222.18:80 | quickbooks.hhpd.com | OVH SAS | FR | unknown |
3496 | iexplore.exe | 157.55.234.46:443 | emea01.safelinks.protection.outlook.com | Microsoft Corporation | IE | whitelisted |
3496 | iexplore.exe | 104.109.74.217:443 | assets.intuitcdn.net | Akamai International B.V. | NL | whitelisted |
3496 | iexplore.exe | 104.47.10.28:443 | eur03.safelinks.protection.outlook.com | Microsoft Corporation | IE | whitelisted |
2600 | iexplore.exe | 91.121.222.18:80 | quickbooks.hhpd.com | OVH SAS | FR | unknown |
2836 | chrome.exe | 216.58.215.234:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2836 | chrome.exe | 172.217.17.35:443 | www.google.de | Google Inc. | US | whitelisted |
2836 | chrome.exe | 172.217.168.35:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
emea01.safelinks.protection.outlook.com |
| whitelisted |
www.bing.com |
| whitelisted |
eur03.safelinks.protection.outlook.com |
| whitelisted |
quickbooks.hhpd.com |
| unknown |
assets.intuitcdn.net |
| unknown |
www.google.de |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |