Field | Value |
---|---|
File name | Facturacion Electronica 9292020 125212 PM.msg |
Full analysis | https://app.any.run/tasks/130ea58b-c38a-4925-8313-e6fae3713d68 |
Verdict | Malicious activity |
Analysis date | September 30, 2020, 11:14:12 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | — |
MIME | application/vnd.ms-outlook |
File info | CDFV2 Microsoft Outlook Message |
MD5 | 4D598FBDAE3F34B342D59BEAFA073687 |
SHA1 | D629478F4FFFAD9E36924C819AB388DEA892CFBC |
SHA256 | 57A393C547B48A022BBE1E0348A1033922B124D8E6871069FDCBF1C77C48D2E3 |
SSDEEP | 768:6wVC5kaC/qXvqe2DCyIX5xx0E7W9pujbl8xLJHzPSNWBRpOx9Ea8yj9rW4zo4kNk:TW672JxVYCkRMLEs9+i |

Extension | File type (match score) |
---|---|
.msg | Outlook Message (58.9) |
.oft | Outlook Form Template (34.4) |

PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2856 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Facturacion Electronica 9292020 125212 PM.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe |
572 | "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3javKzM | C:\Program Files\Internet Explorer\iexplore.exe | — | OUTLOOK.EXE |
1020 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:572 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |

PID | User | Company | Integrity Level | Description | Version | Exit code |
---|---|---|---|---|---|---|
2856 | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000 | — |
572 | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) | 1 |
1020 | admin | Microsoft Corporation | LOW | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) | 0 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2856 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA4BC.tmp.cvr | — | — | — |
1020 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab58BB.tmp | — | — | — |
1020 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar58BC.tmp | — | — | — |
2856 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | DCA93E2EE3BB856FBDA6EE7049DBD50C | 3E747D28BD342A06A0C9A50222329A73B791D2DCDBB7597F72945D7425ECF938 |
2856 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | AD4EF1993FA42393D49ED210B46FCE35 | 8BB7DD255FB8DD755B1DD999DF945C3BE345A87F84DC46680AB8F8DBDD41B363 |
1020 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619 | der | 8376CAEE9EABB8F82F26769CFA00735D | 0C4E0B87F84B1665D15754DDF1A31CFDC1DD8B2E3DF7922D1E55B0F2AE2928F5 |
1020 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\6U9QTRFW.txt | text | EFABE9461C99B8751CA96A09F776D8B4 | 12643D5DD7690580FE9B046EF5F2369CB25BDC711C738050BF3EDFE25F86BD95 |
1020 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\3javKzM[1].htm | html | 44EED753E4EA0A790756DBACAC81F73C | F64A2EF1D2106BC0E54FFE167208B4CBFC388565693841A10F5744DF2B247A3F |
1020 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5887976EDAA817EEF5159B09F6FCD000_35673150FB44DAA99337A19E2291E035 | binary | 3D294B36CEDAFB9D0DF7761785079E58 | 28DBBD7719BD51FB69DED5A647D1BFABD124AA2D08A807E15B73208840290AC3 |
1020 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5887976EDAA817EEF5159B09F6FCD000_35673150FB44DAA99337A19E2291E035 | der | FB9A8742100B80C179CE27CB0524CDBE | 2E8A85C9F71B0E3C1306D71C370161EB03D729059B600291C470FF950DB711C4 |


PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1020 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted |
1020 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEAkS%2FrZUbGbdLUctX3HacDI%3D | US | der | 471 b | whitelisted |
1020 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEAkS%2FrZUbGbdLUctX3HacDI%3D | US | der | 471 b | whitelisted |
1020 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted |
2856 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
1020 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAqN7HPiQ2%2F4c3rdXE3uHG8%3D | US | der | 471 b | whitelisted |
1020 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted |
1056 | svchost.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 b | whitelisted |
1020 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 592 b | whitelisted |
1056 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAKXB1YM1Knrv%2BJy8eCW2II%3D | US | der | 471 b | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
572 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2856 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
1020 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1020 | iexplore.exe | 67.199.248.11:443 | bit.ly | Bitly Inc | US | shared |
1020 | iexplore.exe | 54.39.1.36:443 | tit-mexico.com.mx | OVH SAS | FR | suspicious |
1020 | iexplore.exe | 151.139.128.14:80 | ocsp.comodoca.com | Highwinds Network Group, Inc. | US | suspicious |
1020 | iexplore.exe | 199.188.206.67:443 | mauioos3.live | Namecheap, Inc. | US | malicious |
— | — | 54.39.1.36:443 | tit-mexico.com.mx | OVH SAS | FR | suspicious |
1056 | svchost.exe | 8.253.95.120:80 | www.download.windowsupdate.com | Global Crossing | US | suspicious |
1056 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |

Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com | — | whitelisted |
bit.ly | — | shared |
ocsp.digicert.com | — | whitelisted |
mauioos3.live | — | malicious |
www.bing.com | — | whitelisted |
api.bing.com | — | whitelisted |
ocsp.comodoca.com | — | whitelisted |
ocsp.usertrust.com | — | whitelisted |
ocsp.sectigo.com | — | whitelisted |
tit-mexico.com.mx | — | suspicious |


PID | Process | Class | Message |
---|---|---|---|
1020 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
1020 | iexplore.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1020 | iexplore.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1020 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
1020 | iexplore.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1020 | iexplore.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1020 | iexplore.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1020 | iexplore.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |