Field | Value
---|---
File name | FW RV Se le ha otorgado acceso a los servicios de Oracle Cloud.msg
Full analysis | https://app.any.run/tasks/4fd92c4a-e207-4f56-837b-b8b0652bd515
Verdict | Malicious activity
Analysis date | May 20, 2022, 16:44:47
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/vnd.ms-outlook
File info | CDFV2 Microsoft Outlook Message
MD5 | 1BD48FF4B7714D31E4C9209372A6EFEA
SHA1 | B9DFE98871F096D23C9446358CEFFBD0957932CB
SHA256 | 1FE571AC9F966AB07DD850EC2E69880FF10280A0DCCE2F9E3F181E4C43C751D2
SSDEEP | 3072:oYSykxYkxRAkZfy+4iImVqKlRRuCTS2tT2pMavC70npyXiy:oYSykxYkximNbqidTScMC4npK

Extension | Identified type (score)
---|---
.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2604 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW RV Se le ha otorgado acceso a los servicios de Oracle Cloud.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | | Explorer.EXE
3056 | "C:\Program Files\Internet Explorer\iexplore.exe" https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmyservices-cacct-6eed1b361a834d1089e00c9996e0d304.console.oraclecloud.com%2Fmycloud%2Fcloudportal%2FgettingStarted&data=05%7C01%7Cclaudio.ramos%40gruporoble.com%7C80d5a354f88742dcedd708da3a7f909d%7Ccb388aaebefa48faa09d2e43af392906%7C0%7C0%7C637886616824932167%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Wd6PEkaQqYUX02gHqURYTtONCgvzxloBZW4T%2Fv6obJ0%3D&reserved=0 | C:\Program Files\Internet Explorer\iexplore.exe | | OUTLOOK.EXE
3404 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3056 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe

PID | User | Company | Integrity Level | Description | Version
---|---|---|---|---|---
2604 | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000
3056 | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700)
3404 | admin | Microsoft Corporation | LOW | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700)

PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
2604 | OUTLOOK.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off
2604 | OUTLOOK.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1041 | Off
2604 | OUTLOOK.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1046 | Off
2604 | OUTLOOK.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1036 | Off
2604 | OUTLOOK.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1031 | Off
2604 | OUTLOOK.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1040 | Off
2604 | OUTLOOK.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1049 | Off
2604 | OUTLOOK.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 3082 | Off
2604 | OUTLOOK.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1042 | Off
2604 | OUTLOOK.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1055 | Off

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2604 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR46FE.tmp.cvr | — | — | —
2604 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | — | —
2604 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D894847.dat | image | D02AE4484498764459B15FBA4C2F36FA | 4B8B04F15258A989C2BD1BAF085754F7D004AC39E1061266663732EA8C9A4964
2604 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | 130D423447C0910EF5A1D5F95C2347D4 | 3DCEC1A71F9E048C4444EF419E50199B4C940B4ADA9D25EC5F3D37ECC1DB1B12
3404 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 86FFCE92CEA2C1B22D717F8C012B359B | 4CBE50DE2260DDDE44A740E001CE588167BF33D13A75EC598920696CDB2D3757
3404 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | binary | 7AD30F020FF7BFAAEDA3C36DE257A01A | A00974C51FD50E86324D26F7EA7EA6FA4051C192C4EE189EF9E9FE32C1566DAA
2604 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | D902DC53C237BC67381D0F8F6F703350 | D64DFEF065F73A06C89E73004916AC1AE253B5D1447F8FFC20DF95E78387BB9B
2604 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\81B3F59C.dat | image | A1009065E030E52632F99D238A407AE5 | DF059E9303B19FF509EBA74C46ADF8E2D92B6B68DBD8944C54D3419C13F7F34C
3056 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | AD9D4AEE11700C6C279CBC61CE22D75F | 6D5BECC6952B1A79F595AF19264873851C3AB2D21ACD79DC2BFCDB2E507A2080
3404 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | der | 4D52FA4E01ABAB869E4F70DFD07C5BE9 | 4EE9F3FA56602F2ADFA302A893D5DCA6871A6EEBD53B41F43598CC98DC02E92D

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3404 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted |
2604 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3404 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrHR6YzPN2BNbByL0VoiTIBBMAOAQUCrwIKReMpTlteg7OM8cus%2B37w3oCEAP7kGKR3NlYtF7LQ7y8XnM%3D | US | der | 313 b | whitelisted |
3404 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted |
3056 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3404 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAIecmfGeVA8KKXFtswdUeU%3D | US | der | 471 b | whitelisted |
3404 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEA9C%2F8%2B%2Bz8JG5F%2F5nyKl%2B%2FU%3D | US | der | 471 b | whitelisted |
3404 | iexplore.exe | GET | 200 | 8.250.203.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d7b7508d8af20564 | US | compressed | 4.70 Kb | whitelisted |
3404 | iexplore.exe | GET | 200 | 8.250.203.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?efc0de40b35727df | US | compressed | 4.70 Kb | whitelisted |
3404 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2604 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3404 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3404 | iexplore.exe | 129.191.5.99:443 | myservices-cacct-6eed1b361a834d1089e00c9996e0d304.console.oraclecloud.com | Oracle Corporation | US | unknown |
3056 | iexplore.exe | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3404 | iexplore.exe | 104.47.66.28:443 | nam12.safelinks.protection.outlook.com | Microsoft Corporation | US | suspicious |
3404 | iexplore.exe | 8.250.203.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | unknown |
3056 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3404 | iexplore.exe | 147.154.119.52:443 | idcs-1731b5d5e6c24abf955216847dc59980.identity.oraclecloud.com | — | US | unknown |
3056 | iexplore.exe | 147.154.119.52:443 | idcs-1731b5d5e6c24abf955216847dc59980.identity.oraclecloud.com | — | US | unknown |
— | — | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | | whitelisted
nam12.safelinks.protection.outlook.com | | whitelisted
ctldl.windowsupdate.com | | whitelisted
ocsp.digicert.com | | whitelisted
api.bing.com | | whitelisted
www.bing.com | | whitelisted
myservices-cacct-6eed1b361a834d1089e00c9996e0d304.console.oraclecloud.com | | unknown
idcs-1731b5d5e6c24abf955216847dc59980.identity.oraclecloud.com | | unknown
consent.truste.com | | whitelisted
oracle.112.2o7.net | | whitelisted