File name: | Re statement debit time.msg |
Full analysis: | https://app.any.run/tasks/83d68735-ac9b-466a-a382-8cfa6b0ff5e4 |
Verdict: | Malicious activity |
Analysis date: | January 17, 2020, 17:10:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 41656130AECD17B45B7AEBC74E4999D4 |
SHA1: | A2F9FB372E36DAB22B6A6BA6897E31E6D58067ED |
SHA256: | E062069BC5B5661F75CA8F69D13F10D6F1BDF040CEE06D47303424EAD64730AD |
SSDEEP: | 3072:sATHZarceu7A5RnvWuceucZaUSRCoA5RnvTQou/Q2QtcKmVwAzORhR4m:XQ2QBAzORl |
.msg | | | Outlook Message (45.3) |
---|---|---|
.oft | | | Outlook Form Template (26.5) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2524 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Re statement debit time.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
3372 | "C:\Program Files\Internet Explorer\iexplore.exe" https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fr20.rs6.net%2Ftn.jsp%3Ff%3D001MDz769INy3GRp3zx9Ift6JYA-EePTmqgWvvT-TUbzYAa-NiWCaffIqqZtal-1wlhs2crSdVTp47hsdjVIgDhhJ5yha8iSGjw8mQrB5Uwo3RnG5XjFAyxf9kC_JeqTBerME6reT9-zyPkNy-2sAY-1hMYr8Ox0T6_scDiIxJRmN5crT-kjmEgeC8insiFEhHVQOY7MZvPpvFEXvDAUvaUYpMaqci1pU-YDYPZcWjXcag%3D%26c%3DLSN4laSn-BDj7WcQoIKylsYumzcn3sCWTsY-0gGkzqj77zoDO2dCJw%3D%3D%26ch%3Drh31xiydWMNv7-I-nt6zHcacQhO446jCZv20tHFWp2HrIXWGGSDYNg%3D%3D&data=02%7C01%7Cknagy%40urmstores.com%7C85d25170c46e47ea890908d79b6cf9da%7C436bc7fbcafe43a8b503bd13c58a6faa%7C0%7C0%7C637148764671353507&sdata=DJRG40at8ALakfEeSYRdFl0TDK%2F1RSnll0UAvnLOxi8%3D&reserved=0 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2108 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3372 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2524 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA89E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3372 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3372 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2524 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:F413F224B8217E9BECD4197B2A01CABB | SHA256:CFF2579A9CF08B135E6AC89C3FE6A4B0953F54E5B4FBFEEAA4AF89808E95243E | |||
2524 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:57450E6533FCE074FC50B43ABF1443EB | SHA256:C356AC50D9CB03195E0D4CFFC07406A2085FD46AE05E4DB8E7CFDAF04AC86E55 | |||
2108 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QWTDIRR4\dnserror[1] | html | |
MD5:68E03ED57EC741A4AFBBCD11FAB1BDBE | SHA256:1FF3334C3EB27033F8F37029FD72F648EDD4551FCE85FC1F5159FEAEA1439630 | |||
2108 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:65D216448D2CC643C36A99BA382D27EA | SHA256:D1F20FA8D5C95BA9A2A6C3974F5580633058447C6FE1AEA02C6FC6B3C136707D | |||
2524 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_5C09F2CC5B437949912040B4AA43E88B.dat | xml | |
MD5:D8B37ED0410FB241C283F72B76987F18 | SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 | |||
2524 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_FEC6987CA125A1429FD5FB83532D4BDE.dat | xml | |
MD5:57F30B1BCA811C2FCB81F4C13F6A927B | SHA256:612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3 | |||
3372 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].png | image | |
MD5:9FB559A691078558E77D6848202F6541 | SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2524 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3372 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2108 | iexplore.exe | 23.43.115.188:443 | files.constantcontact.com | Akamai International B.V. | NL | unknown |
2108 | iexplore.exe | 104.47.48.28:443 | nam05.safelinks.protection.outlook.com | Microsoft Corporation | US | whitelisted |
2108 | iexplore.exe | 208.75.122.11:80 | r20.rs6.net | Constant Contact, Inc | US | suspicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
nam05.safelinks.protection.outlook.com |
| whitelisted |
www.bing.com |
| whitelisted |
r20.rs6.net |
| whitelisted |
files.constantcontact.com |
| whitelisted |