File name: | Remito Digital.msg |
Full analysis: | https://app.any.run/tasks/6ec1cbd3-3c78-4947-b46c-f16b7522c416 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2022, 16:16:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | FE8FB9526B01FAEA50228604E036DA29 |
SHA1: | 5E983F46842C562F6B792FE3E1C0635B33CBA37F |
SHA256: | 71BA187920B4D5F853C84A774CDFC8137A522130F1D4E51884A17860119C9A29 |
SSDEEP: | 6144:tLG/v0tv0TI6FoAzH8VuXRpv7RMOEeTP5ywKL3T9XR6TejiiyhvZ4eIHQbP:tyPzH6cnTP5ywKL3BAajiiyHRIHQD |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2936 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Remito Digital.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
2344 | "C:\Program Files\Internet Explorer\iexplore.exe" https://ccclinde.smtp-messaging.com/tracking/1/click/FvtvPWxF | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3840 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2344 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2184 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3656 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2344 CREDAT:1119493 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2936 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR960D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2936 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
2936 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:7FCCFB41E9FB072F74BD312AB90BC571 | SHA256:B44F944931C5D9539D4417D57FEA599808E4A78816021F12026E317EB204E3DB | |||
2936 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\AE1WAFTC\Remito Digital Arg PLC (2).png | image | |
MD5:D701F98FF1DE8A352D3766A0D5502C29 | SHA256:5589419B99B3D50F72F7B36AA979EF9A56E24A2E21A89372293A80004A54EAF6 | |||
2936 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_8CE49AAE30C3044F80E0E1A789CD3244.dat | xml | |
MD5:B21ED3BD946332FF6EBC41A87776C6BB | SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 | |||
2936 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:E41D9B96AD4E0356A0DF117867991A92 | SHA256:554A166C5F0C6A224D14299AFDCCB5932E46831BE64BD2038E8FD7E1C23B3B5A | |||
3840 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | |
MD5:8F970407F871D174B4F6B534C91E0357 | SHA256:CDCEC8F5841375A238E832A62C566EAB89E3DF2C10D7DA1890EA8E76809B2925 | |||
3840 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:80DBCBB57F5070F629D9CAC33C35CD77 | SHA256:6457F65848049A8A63564D85EA90CABE2D00B7E7339E4402F2FD0EC133AC2B3C | |||
2936 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\AE1WAFTC\Remito Digital Arg PLC.png | image | |
MD5:D701F98FF1DE8A352D3766A0D5502C29 | SHA256:5589419B99B3D50F72F7B36AA979EF9A56E24A2E21A89372293A80004A54EAF6 | |||
2936 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2936 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3840 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
3840 | iexplore.exe | GET | 200 | 92.123.194.121:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ff6a84d0911c8365 | unknown | compressed | 60.0 Kb | whitelisted |
3840 | iexplore.exe | GET | 200 | 104.89.32.83:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted |
2344 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted |
3840 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted |
3840 | iexplore.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
3840 | iexplore.exe | GET | 200 | 92.123.194.121:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?31253be6f8446dce | unknown | compressed | 4.70 Kb | whitelisted |
2344 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3840 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2936 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3840 | iexplore.exe | 18.198.163.56:443 | ccclinde.smtp-messaging.com | Massachusetts Institute of Technology | US | suspicious |
3840 | iexplore.exe | 92.123.194.121:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | malicious |
2344 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
— | — | 18.198.163.56:443 | ccclinde.smtp-messaging.com | Massachusetts Institute of Technology | US | suspicious |
3840 | iexplore.exe | 104.89.32.83:80 | x1.c.lencr.org | Akamai Technologies, Inc. | NL | suspicious |
3656 | iexplore.exe | 18.198.163.56:443 | ccclinde.smtp-messaging.com | Massachusetts Institute of Technology | US | suspicious |
2344 | iexplore.exe | 18.198.163.56:443 | ccclinde.smtp-messaging.com | Massachusetts Institute of Technology | US | suspicious |
2344 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3840 | iexplore.exe | 188.114.97.10:443 | remitodigital.com | Cloudflare Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
ccclinde.smtp-messaging.com |
| suspicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
r3.o.lencr.org |
| shared |
remitodigital.com |
| malicious |
ocsp.digicert.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |