File name: | Conéctate con un nuevo capítulo de Dilemas.msg |
Full analysis: | https://app.any.run/tasks/1ba4f60b-1a21-441c-9acb-ed633f43e805 |
Verdict: | Malicious activity |
Analysis date: | February 21, 2020, 20:46:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 19DB2D8E08A1E5CB2AE915EC376D8F8B |
SHA1: | 2406F2461F81A6F185B424CD2344BAA7DED4978D |
SHA256: | BDD1626C4C7E14BEC3D8C3D0BE7042FE464363B9575DAC44609B9C321C73F006 |
SSDEEP: | 384:VnOMxcw3GagSm1oN9N7E4HdEx0wvjktUN2q3byFTmhMaeEaiNP0D3yP:VnH3WF1o3N7E4a5AUoVBmhMaeNihP |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
304 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Conéctate con un nuevo capítulo de Dilemas.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 | ||||
576 | "C:\Program Files\Internet Explorer\iexplore.exe" http://arusmailings.musvc5.net/e/r?q=R4%3d95R5_Ib1e_Tl_Pfta_Zu_Ib1e_Sq9H4CFI.6x9xC4N.rFx_Pfta_Zu7_3yhq_CD7Ew.98G9_Pfta_Zu_Ib1e_TqDu6_3yhq_DB9_K6X_7rdx_GW9_Pfta_asG7_Pfta_ZKavF_7rdx_H5yX.t_Ib1e_SGV_7rdx_H51T_7rdx_GW_3yhq_DB8J5XK6Eg_7rdx_GW9_Pfta_asG7_Pfta_ZK_Ib1e_ToJK2r.9GUIDIXlZz_Ib1e_SGV_7rdx_H51N_7rdx_GW5UH6rIHTm.YO49_Pfta_ZKWp_Pfta_asL5SCoNtb%264%3d9p2lBaHSIb%26s%3dD6QA4F.LtK%26tQ%3dFUIg%261%3dR%26y%3daKV%26z%3ddLUI%26R%3dIWBfKaHd | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
536 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:576 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
304 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR6A99.tmp.cvr | — | |
MD5:— | SHA256:— | |||
304 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:7DAC0AECC50FF44C172E11877AF44114 | SHA256:8259C2C85AF2521B42705288EE1A8EDB65621BE11B20157F89D4F92613B3BA83 | |||
304 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:3822E25F1BE139CB4DC55E8E23D0D6A5 | SHA256:F0EB4BFB391484236F4EF55E8B74E233F346692E8FA5C473A9BE15BAE49B35C9 | |||
304 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\FIRMA%20CORREO%20COMUNICACIONES-05[1].png | image | |
MD5:332CE7F10BCC5FABC7ADFDB2F1A2D651 | SHA256:E2571D1EDC7443768BE1E2D9A0A18BE3A4C4D6506A291370CC7722B1A4BE4E97 | |||
536 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary | |
MD5:61E8EBE720EBA8CD488194329603CBC3 | SHA256:4A0FDB7385B549A4EFE8678F13C9F898651A55926656959407CBB65A3B463B2B | |||
536 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | der | |
MD5:43AC500D589FCFAF053FB988CDC3B1C9 | SHA256:8839AC6BF994C13BF6102DE97F2023983DECF556104DD4602D77D4798B94A26D | |||
304 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ECARD%204[1].png | image | |
MD5:9048D1AF9A2EF73B09EA1F07B9AAD64A | SHA256:9C455E410E15AEABC46E00E021E60A4668662F25A8A1F737A0C1550C1946553C | |||
536 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary | |
MD5:3DEB75AA69D06DD8F9E681796DC3328E | SHA256:9FD569414E8DE4B2C071CC7F6CD163783BAF66F8DF85762E646197104963E79F | |||
536 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | der | |
MD5:09631FF0C2F31AA07F21DD04689B1EFC | SHA256:8214E64354888C2F3C333378AFB0D1D8C7BBC9562F004DF7CA8BE20C534A8B83 | |||
536 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabF84.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
304 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
304 | OUTLOOK.EXE | GET | 200 | 13.35.254.170:80 | http://arusmailings.img.musvc5.net/static/133284/assets/1/Firmas-Footers/FIRMA%20CORREO%20COMUNICACIONES-05.png | US | image | 32.7 Kb | malicious |
536 | iexplore.exe | GET | 200 | 143.204.208.90:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
536 | iexplore.exe | GET | 200 | 143.204.208.127:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
536 | iexplore.exe | GET | 200 | 143.204.208.192:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
536 | iexplore.exe | GET | 200 | 143.204.208.173:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEARq5WwZwVqCT%2F%2FblJ5ZEs8%3D | US | der | 471 b | whitelisted |
536 | iexplore.exe | GET | 302 | 34.250.108.164:80 | http://arusmailings.musvc5.net/e/r?q=R4%3d95R5_Ib1e_Tl_Pfta_Zu_Ib1e_Sq9H4CFI.6x9xC4N.rFx_Pfta_Zu7_3yhq_CD7Ew.98G9_Pfta_Zu_Ib1e_TqDu6_3yhq_DB9_K6X_7rdx_GW9_Pfta_asG7_Pfta_ZKavF_7rdx_H5yX.t_Ib1e_SGV_7rdx_H51T_7rdx_GW_3yhq_DB8J5XK6Eg_7rdx_GW9_Pfta_asG7_Pfta_ZK_Ib1e_ToJK2r.9GUIDIXlZz_Ib1e_SGV_7rdx_H51N_7rdx_GW5UH6rIHTm.YO49_Pfta_ZKWp_Pfta_asL5SCoNtb%264%3d9p2lBaHSIb%26s%3dD6QA4F.LtK%26tQ%3dFUIg%261%3dR%26y%3daKV%26z%3ddLUI%26R%3dIWBfKaHd | IE | html | 283 b | suspicious |
576 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
304 | OUTLOOK.EXE | GET | 200 | 54.194.151.121:80 | http://arusmailings.musvc5.net/e/c?q=4%3d8SLSET%265%3dR%26u%3dSOV%26v%3dVPUE%268%3dO2h1t5CUNU85-N7kT-MSFX-t2lS-QZiYt60XLUGX%262J%3d8TQZ%26k%3dCDJ33N.ElJ%26C%3dU8TPUDTKX | IE | image | 158 b | suspicious |
536 | iexplore.exe | GET | 200 | 34.250.108.164:80 | http://arusmailings.musvc5.net/e/c?q=6%3d1ULU8V%265%3dT%26n%3dUOX%26o%3dXPW8%260%3dO4a3t76WNW17-N9dV-MU9Z-t4eU-Qbbat83ZLW0Z%262L%3d1VQb%26d%3dEDLv5N.GeL%26C%3dW1VPW7VKZ | IE | image | 158 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
304 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
536 | iexplore.exe | 143.204.208.127:80 | o.ss2.us | — | US | malicious |
576 | iexplore.exe | 13.35.253.115:443 | a3c2h4.emailsp.com | — | US | suspicious |
576 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
304 | OUTLOOK.EXE | 13.35.254.170:80 | arusmailings.img.musvc5.net | — | US | suspicious |
536 | iexplore.exe | 13.35.253.115:80 | a3c2h4.emailsp.com | — | US | suspicious |
304 | OUTLOOK.EXE | 54.194.151.121:80 | arusmailings.musvc5.net | Amazon.com, Inc. | IE | unknown |
536 | iexplore.exe | 143.204.208.90:80 | ocsp.rootg2.amazontrust.com | — | US | whitelisted |
576 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
304 | OUTLOOK.EXE | 34.250.108.164:80 | arusmailings.musvc5.net | Amazon.com, Inc. | IE | suspicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
arusmailings.musvc5.net |
| suspicious |
arusmailings.img.musvc5.net |
| malicious |
a3c2h4.emailsp.com |
| suspicious |
o.ss2.us |
| whitelisted |
ocsp.rootg2.amazontrust.com |
| whitelisted |
ocsp.rootca1.amazontrust.com |
| shared |
ocsp.sca1b.amazontrust.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |