File name: | Re___Ticket#2022062713003684__RV__Auditoría_de_equipo_y_activos.eml |
Full analysis: | https://app.any.run/tasks/6d0abc23-4af2-40fe-a092-d242973115f4 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 11:30:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, ASCII text, with CRLF, LF line terminators |
MD5: | C6449551845E718307AF813E5A5FCB3F |
SHA1: | 42FBB6F909FB97882F70CB9DEC00C2AC4B995D7A |
SHA256: | 5FDCE09A85B91EEB38699F7B3B49011B67B6BA80D4A86D872C861EF31885444F |
SSDEEP: | 384:QwQK51+s5NHkNImJfvk5CtrmUXVjlOpnmSoD3l+fm39XUir045Iqv9b83nOF5wea:QrF7IErDv+CZ045IA1bq23NQtBme |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2844 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Re___Ticket#2022062713003684__RV__Auditoría_de_equipo_y_activos.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
1596 | "C:\Program Files\Internet Explorer\iexplore.exe" http://updates.internalitsupport.net/34c8908e83116188?l=0 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
4064 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1596 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR4A2A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2844 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:EF1B8BD176C159B38DE38E58A568B5D3 | SHA256:087851B07093E3134357D59042A91CAA1E1BEC53236C8761A5D749A88AAE8870 | |||
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:BA623E5DFCE079B113EE22F956BCBC42 | SHA256:3B473218A86848A893274602F70F9C9983F9EDBE20DAE7874732C7B6EAFFA86D | |||
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39CD1B94.dat | image | |
MD5:CA8DA7C3D1A483FCDB853F291E97772B | SHA256:D50E7C74A0E7B3EE309D8706B1F392D30D2462CD42DE415F02593ED2D11782A5 | |||
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_1890D0119A34834C94A1864BC9739D94.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |||
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 | |||
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\34c8908e83116188[1].htm | html | |
MD5:C2F52C95EE6255CAF4ABFDFF8C38C907 | SHA256:0C7FE4C6EC7BA8D3A3510D88763EA1D12926F983989FC8A974EE7FF9BE7D744F | |||
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F6F0C01F.dat | image | |
MD5:ED793F6996938F74976E83B2A2A4682F | SHA256:54186CF198930C0284B3E95E9D8F241540845856332F91591AFDDC14A63DEB80 | |||
2844 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_F6A9FFB8D7B51E49B2E68D5D8E21145B.dat | xml | |
MD5:D8B37ED0410FB241C283F72B76987F18 | SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2844 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
4064 | iexplore.exe | GET | 200 | 63.35.253.65:80 | http://updates.internalitsupport.net/34c8908e83116188?l=0 | US | html | 12.6 Kb | suspicious |
4064 | iexplore.exe | GET | 200 | 18.66.242.45:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
4064 | iexplore.exe | GET | 200 | 63.35.253.65:80 | http://updates.internalitsupport.net/assets/all.js?g=c890831161 | US | text | 7.02 Kb | suspicious |
4064 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ee1140b86a05eb2b | US | compressed | 4.70 Kb | whitelisted |
4064 | iexplore.exe | GET | 200 | 108.138.2.173:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
4064 | iexplore.exe | GET | 200 | 63.35.253.65:80 | http://updates.internalitsupport.net/assets/ajax/libs/jquery/1.9.1/jquery.min.js | US | text | 32.0 Kb | suspicious |
4064 | iexplore.exe | GET | 200 | 18.66.242.58:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
4064 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3511c25da718de1c | US | compressed | 4.70 Kb | whitelisted |
4064 | iexplore.exe | GET | 200 | 143.204.101.63:80 | http://d2wy8f7a9ursnm.cloudfront.net/bugsnag-2.min.js | US | text | 2.89 Kb | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2844 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
4064 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
4064 | iexplore.exe | 63.35.253.65:80 | updates.internalitsupport.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
4064 | iexplore.exe | 63.35.253.65:49153 | updates.internalitsupport.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
4064 | iexplore.exe | 143.204.101.63:80 | d2wy8f7a9ursnm.cloudfront.net | — | US | unknown |
4064 | iexplore.exe | 52.216.82.200:443 | tslp.s3.amazonaws.com | Amazon.com, Inc. | US | unknown |
4064 | iexplore.exe | 52.216.82.200:80 | tslp.s3.amazonaws.com | Amazon.com, Inc. | US | unknown |
4064 | iexplore.exe | 108.138.2.173:80 | o.ss2.us | BellSouth.net Inc. | US | unknown |
1596 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
4064 | iexplore.exe | 18.66.242.58:80 | ocsp.rootg2.amazontrust.com | Massachusetts Institute of Technology | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
updates.internalitsupport.net |
| suspicious |
tslp.s3.amazonaws.com |
| shared |
d2wy8f7a9ursnm.cloudfront.net |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
o.ss2.us |
| whitelisted |
ocsp.rootg2.amazontrust.com |
| whitelisted |
ocsp.rootca1.amazontrust.com |
| shared |
ocsp.sca1b.amazontrust.com |
| whitelisted |
api.bing.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
4064 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL |