Field | Value
---|---
File name | FW RV Se le ha otorgado acceso a los servicios de Oracle Cloud.msg
Full analysis | https://app.any.run/tasks/9d3638eb-620e-4158-b016-2769f363f2a3
Verdict | Malicious activity
Analysis date | May 20, 2022, 16:46:06
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | application/vnd.ms-outlook
File info | CDFV2 Microsoft Outlook Message
MD5 | 1BD48FF4B7714D31E4C9209372A6EFEA
SHA1 | B9DFE98871F096D23C9446358CEFFBD0957932CB
SHA256 | 1FE571AC9F966AB07DD850EC2E69880FF10280A0DCCE2F9E3F181E4C43C751D2
SSDEEP | 3072:oYSykxYkxRAkZfy+4iImVqKlRRuCTS2tT2pMavC70npyXiy:oYSykxYkximNbqidTScMC4npK
Extension | Type
---|---
.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Version
---|---|---|---|---|---|---|---|---|---
2948 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW RV Se le ha otorgado acceso a los servicios de Oracle Cloud.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000
3056 | "C:\Program Files\Internet Explorer\iexplore.exe" https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmyservices-cacct-6eed1b361a834d1089e00c9996e0d304.console.oraclecloud.com%2Fmycloud%2Fcloudportal%2FgettingStarted&data=05%7C01%7Cclaudio.ramos%40gruporoble.com%7C80d5a354f88742dcedd708da3a7f909d%7Ccb388aaebefa48faa09d2e43af392906%7C0%7C0%7C637886616824932167%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Wd6PEkaQqYUX02gHqURYTtONCgvzxloBZW4T%2Fv6obJ0%3D&reserved=0 | C:\Program Files\Internet Explorer\iexplore.exe | — | OUTLOOK.EXE | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700)
364 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3056 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR4538.tmp.cvr | — | — | —
2948 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | — | —
364 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | der | 4D52FA4E01ABAB869E4F70DFD07C5BE9 | 4EE9F3FA56602F2ADFA302A893D5DCA6871A6EEBD53B41F43598CC98DC02E92D
364 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | binary | 810A11B4DB5524F549FA00C02F6F2CB5 | 8FD7A35E470E0744ACCFBDBCD68E6875F219D639165F3ED549A7C801B0510678
3056 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | AC8FE9D561E9E7288AECF13F03AEA3D1 | CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | B1A1A7505262111CA5FC5EDD81B9F7C4 | E2C9F77DCA2BF4A377AAD27EFF3EA0AB46D317844B01C7D546D574F2C0809EDD
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 834C2B7A12415B1E1071144AF55E8223 | D8DF87BB8C6D0599100D324608821BF7B6A5F7C2B3D8945FBF6D8F5368139072
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91BCD2F4.dat | image | A1009065E030E52632F99D238A407AE5 | DF059E9303B19FF509EBA74C46ADF8E2D92B6B68DBD8944C54D3419C13F7F34C
2948 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD71DCFF.dat | image | D02AE4484498764459B15FBA4C2F36FA | 4B8B04F15258A989C2BD1BAF085754F7D004AC39E1061266663732EA8C9A4964
3056 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | 82316A442FDFD020BD7336F807AB908A | 4530544B6E161CE6DDA5225E582F8B57B8F90C36131D7914DE59E27788904899
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2948 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3056 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
364 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEA9C%2F8%2B%2Bz8JG5F%2F5nyKl%2B%2FU%3D | US | der | 471 b | whitelisted |
364 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted |
364 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted |
364 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAIecmfGeVA8KKXFtswdUeU%3D | US | der | 471 b | whitelisted |
3056 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
364 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e8d9c63c881de742 | US | compressed | 4.70 Kb | whitelisted |
364 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?301b69c08c6fac02 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
364 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious |
2948 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
364 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
364 | iexplore.exe | 129.191.5.99:443 | myservices-cacct-6eed1b361a834d1089e00c9996e0d304.console.oraclecloud.com | Oracle Corporation | US | unknown |
3056 | iexplore.exe | 147.154.119.52:443 | idcs-1731b5d5e6c24abf955216847dc59980.identity.oraclecloud.com | — | US | unknown |
3056 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3056 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
364 | iexplore.exe | 104.47.59.156:443 | nam12.safelinks.protection.outlook.com | Microsoft Corporation | US | suspicious |
364 | iexplore.exe | 147.154.119.52:443 | idcs-1731b5d5e6c24abf955216847dc59980.identity.oraclecloud.com | — | US | unknown |
3056 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | — | whitelisted
nam12.safelinks.protection.outlook.com | — | whitelisted
api.bing.com | — | whitelisted
www.bing.com | — | whitelisted
ctldl.windowsupdate.com | — | whitelisted
ocsp.digicert.com | — | whitelisted
myservices-cacct-6eed1b361a834d1089e00c9996e0d304.console.oraclecloud.com | — | unknown
idcs-1731b5d5e6c24abf955216847dc59980.identity.oraclecloud.com | — | unknown
iecvlist.microsoft.com | — | whitelisted
r20swj13mr.microsoft.com | — | whitelisted