File name: | EC BU Jun'22 Contract Rev_FC_V2.pptx |
Full analysis: | https://app.any.run/tasks/0038e92a-041f-4b29-a2d6-6a2b7b699546 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 09:18:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 0A105F8BB9D20EE945D358699461390F |
SHA1: | C6AF5235DC97B078EA154E33B1C1B9B4145F41E0 |
SHA256: | D53B7B870ECA49D8C3B9346EAD5680EBDEBBF503824C757C2A44CA4E3DD00465 |
SSDEEP: | 49152:BbkXdEsrwLBUid/B81gfQ1TtQV2zPDedcz/NsnG:Bbkt36Ui8H1G2mwsn |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2848 | "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\EC BU Jun'22 Contract Rev_FC_V2.pptx" | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft PowerPoint Version: 14.0.6009.1000 Modules
| |||||||||||||||
1384 | "C:\Windows\system32\rmactivate.exe" | C:\Windows\system32\rmactivate.exe | POWERPNT.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Rights Management Services Activation for Desktop Security Processor Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2848) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems |
Operation: | write | Name: | $#; |
Value: 24233B00200B0000010000000000000000000000 | |||
(PID) Process: | (2848) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2848) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (2848) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (2848) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (2848) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (2848) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (2848) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (2848) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (2848) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
2848 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVR5390.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1384 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C7F163ED126D5C3CB9457F68EC64E9E | binary | |
MD5:CAA49EAB68DE3916AD6366483512348B | SHA256:D4BA9C5A15D02343C386BDF374CAFB4EFABCB19E267463F9C8DDA941F6DE39AF | |||
1384 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:5B23A5FDA49D08D9F3B6A69C734BA5A2 | SHA256:C7CDE3475D76692C059B3993E62FBD94E5E64526B90206FBF2AF31D06CE85EFF | |||
1384 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76 | binary | |
MD5:8C9B7B52F7CCAC02DC10D92095C45C0B | SHA256:04D1F46FA297551FE33CB6B249DF5A7B7F32DF4C9B640F7F702D0FBBBCB5FACA | |||
1384 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD | binary | |
MD5:04C8AAC555B303931CCCD4C5BFD3FA75 | SHA256:734F2946CBCAD49A80B1F518AD1FE39CCACAB9976E7601392630248EE3B8B0DE | |||
1384 | rmactivate.exe | C:\Users\admin\AppData\Local\Microsoft\DRM\CERT-Machine-2048.drm | binary | |
MD5:A98AB998738DE0BB20A4B167297534D1 | SHA256:2721C85321141B4E83EAA85A628A4A613A7597F950DE845321CDA60436DBD34A | |||
1384 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2CD1F910DD5DC23C234E99A91DE345C0 | binary | |
MD5:B4F1BF1A778282FBE08DE0745106449A | SHA256:E2DC6463F33DB08113CB530874A3163016BBCB8763D137653C7F8C994DCF0733 | |||
1384 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CD1F910DD5DC23C234E99A91DE345C0 | der | |
MD5:7DD7388341F20DF046C23DA98D1CACE2 | SHA256:963B8594567547826B5676E2C4698754C1372FD1A8F36AEE88503F7D527CAD78 | |||
1384 | rmactivate.exe | C:\Users\admin\AppData\Local\Microsoft\DRM\CERT-Machine.drm | binary | |
MD5:DF693DE20A4E61A9071E18313E52B4AC | SHA256:50297AC89F97591913283DD5C8ABF25A2A0B365A60A137801B6DCF0D0CE2AD85 | |||
1384 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4C7F163ED126D5C3CB9457F68EC64E9E | der | |
MD5:AF975386A51554DEEF34DCE71F828A3A | SHA256:C4C8ABD14E4C5F061B7D5DDA76BFB037957FD87AD1B1BA67F4EDEF1C87C8B05F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1384 | rmactivate.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | US | der | 824 b | whitelisted |
1384 | rmactivate.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl | US | der | 564 b | whitelisted |
1384 | rmactivate.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | US | der | 555 b | whitelisted |
2848 | POWERPNT.EXE | GET | 302 | 104.89.38.104:80 | http://go.microsoft.com/fwlink/?LinkId=5998&LANGID=1033 | NL | — | — | whitelisted |
1384 | rmactivate.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?deb7c9b9cac21aae | US | compressed | 4.70 Kb | whitelisted |
1384 | rmactivate.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | US | der | 767 b | whitelisted |
1384 | rmactivate.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/WinPCA.crl | US | der | 530 b | whitelisted |
1384 | rmactivate.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | US | der | 519 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1384 | rmactivate.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious |
1384 | rmactivate.exe | 23.35.229.160:80 | www.microsoft.com | Zayo Bandwidth Inc | US | whitelisted |
— | — | 104.89.38.104:80 | go.microsoft.com | Akamai Technologies, Inc. | NL | malicious |
2848 | POWERPNT.EXE | 65.55.61.29:443 | certification.drm.microsoft.com | Microsoft Corporation | US | whitelisted |
— | — | 65.55.61.29:443 | certification.drm.microsoft.com | Microsoft Corporation | US | whitelisted |
1384 | rmactivate.exe | 23.216.77.28:80 | crl.microsoft.com | NTT DOCOMO, INC. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
ctldl.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
certification.drm.microsoft.com |
| whitelisted |