File name: | Alerta _ correo sospechoso- .msg |
Full analysis: | https://app.any.run/tasks/d3401dd4-aac0-4c44-8d28-4402d6ec27fb |
Verdict: | Malicious activity |
Analysis date: | March 31, 2023, 22:20:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 2D2ABA48D03B5BA0F18E7ED28A58B4C1 |
SHA1: | D82B45582CF6C8292F9F8607821C22D7FD34280C |
SHA256: | 316DFAD597A764B5A6348A150A18B309E125A90A8F81D7BF1CEF6EE712DB53B0 |
SSDEEP: | 6144:3emO88cYhmZ/ddeI4c8Q50PMyqnCyUeP3RzeeuziBijB9TU:7X8dhmZWI4cppChePReeuaiP4 |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2696 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Alerta _ correo sospechoso- .msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 Modules
| |||||||||||||||
3688 | "C:\Windows\system32\rmactivate.exe" | C:\Windows\System32\rmactivate.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Rights Management Services Activation for Desktop Security Processor Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2696) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2696) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: On | |||
(PID) Process: | (2696) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: On | |||
(PID) Process: | (2696) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: On | |||
(PID) Process: | (2696) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: On | |||
(PID) Process: | (2696) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: On | |||
(PID) Process: | (2696) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: On | |||
(PID) Process: | (2696) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: On | |||
(PID) Process: | (2696) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: On | |||
(PID) Process: | (2696) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1055 |
Value: On |
PID | Process | Filename | Type | |
---|---|---|---|---|
2696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRF463.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3688 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:D9C894A6C6F7BED57B26FC8E852A7CCE | SHA256:62245E94C3F77B5074065259D81A0DC2E68F54DB4D55389E5129148EC816E0C7 | |||
2696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\4JNI4J8S\message.rpmsg | rpmsg | |
MD5:32D051CD69DC349E694CA75CB6736FBC | SHA256:BCEBCAA3690299247CC4A7C15216119CF22433BE77EC2787D4D32EFD00DCBBE4 | |||
3688 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2CD1F910DD5DC23C234E99A91DE345C0 | binary | |
MD5:FAE8D2CED10EED9F824B47FE60FDFB13 | SHA256:7BF357931826637070803C3458EDF465B46FEB90D0EA690B9AFA3C6B5BAE0D05 | |||
2696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:6B08D765EAC9F3E841F46E099F45A8AF | SHA256:E540C074BEF566C76BE85DF03458D0C437E1C10BE7CF25627D24A2297D470CC4 | |||
3688 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | binary | |
MD5:EAC3627DB6F5C44A7DF2A990B786D066 | SHA256:DC30EA23AA1A5D5DBABB7FC68266FD91E85234BF6236ED78A187B37CF350BD51 | |||
3688 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C7F163ED126D5C3CB9457F68EC64E9E | binary | |
MD5:39698D0627E23AEAEFA1EAF2F88CF907 | SHA256:73BF4632FA6F75A8850C7CF5A6B559AF438F47C8507A31711DA5CFD0CF0FD27E | |||
3688 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD | binary | |
MD5:670B06360CFF8994DD8FE4FA31FF431C | SHA256:FA1EB88C2B30559D39DBF15967D27298D0ED98C77E5260C77A2B9EA41006195D | |||
2696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\4JNI4J8S\message.rpmsg:Zone.Identifier | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 | |||
3688 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850 | der | |
MD5:8A7E8247E7A27711CCA54EC99EA6184E | SHA256:943A5F17BE705226E3671E4C93815EFA97DEE463E64DE4132CA2868970D76FA5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2696 | OUTLOOK.EXE | GET | 302 | 95.100.53.90:80 | http://go.microsoft.com/fwlink/?LinkId=5998&LANGID=1033 | CH | — | — | whitelisted |
3688 | rmactivate.exe | GET | 200 | 2.21.20.137:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | DE | der | 519 b | whitelisted |
3688 | rmactivate.exe | GET | 200 | 2.21.20.137:80 | http://crl.microsoft.com/pki/crl/products/WinPCA.crl | DE | der | 530 b | whitelisted |
3688 | rmactivate.exe | GET | 200 | 67.27.233.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a6d436515f926847 | US | compressed | 4.70 Kb | whitelisted |
3688 | rmactivate.exe | GET | 200 | 2.21.20.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | DE | der | 824 b | whitelisted |
3688 | rmactivate.exe | GET | 200 | 2.21.20.137:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | DE | der | 767 b | whitelisted |
3688 | rmactivate.exe | GET | 200 | 2.21.20.137:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | DE | der | 555 b | whitelisted |
3688 | rmactivate.exe | GET | 200 | 2.18.233.62:80 | http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl | unknown | der | 564 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2696 | OUTLOOK.EXE | 95.100.53.90:80 | go.microsoft.com | AKAMAI-AS | CH | suspicious |
3688 | rmactivate.exe | 67.27.233.126:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
2696 | OUTLOOK.EXE | 65.55.61.29:443 | certification.drm.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3688 | rmactivate.exe | 2.18.233.62:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3688 | rmactivate.exe | 2.21.20.137:80 | crl.microsoft.com | Akamai International B.V. | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
ctldl.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
certification.drm.microsoft.com |
| whitelisted |