File name: | EC BU Jun'22 Contract Rev_FC_V2.pptx |
Full analysis: | https://app.any.run/tasks/2f3caac0-94c0-4907-8d01-cb9a89badc7e |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 10:11:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 0A105F8BB9D20EE945D358699461390F |
SHA1: | C6AF5235DC97B078EA154E33B1C1B9B4145F41E0 |
SHA256: | D53B7B870ECA49D8C3B9346EAD5680EBDEBBF503824C757C2A44CA4E3DD00465 |
SSDEEP: | 49152:BbkXdEsrwLBUid/B81gfQ1TtQV2zPDedcz/NsnG:Bbkt36Ui8H1G2mwsn |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2940 | "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\EC BU Jun'22 Contract Rev_FC_V2.pptx" | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft PowerPoint Version: 14.0.6009.1000 | ||||
4076 | "C:\Windows\system32\rmactivate.exe" | C:\Windows\system32\rmactivate.exe | POWERPNT.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Rights Management Services Activation for Desktop Security Processor Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2940) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems |
Operation: | write | Name: | ux; |
Value: 75783B007C0B0000010000000000000000000000 | |||
(PID) Process: | (2940) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2940) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (2940) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (2940) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (2940) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (2940) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (2940) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (2940) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (2940) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
2940 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVRD8C3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4076 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850 | der | |
MD5:018339BF087DE11EDDE3B6A101F730C4 | SHA256:F288B1EC7C4B934C31E6B8F757C432DC67C50181F004A498498BA0A13AC4B9A5 | |||
4076 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C7F163ED126D5C3CB9457F68EC64E9E | binary | |
MD5:3D98B2DEAEED3DF6EB7967F2D7167762 | SHA256:907CF17F6F479943467471CE6BC4BA80F242311222B43312BF59FDB65B8B1D6B | |||
4076 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4C7F163ED126D5C3CB9457F68EC64E9E | der | |
MD5:AF975386A51554DEEF34DCE71F828A3A | SHA256:C4C8ABD14E4C5F061B7D5DDA76BFB037957FD87AD1B1BA67F4EDEF1C87C8B05F | |||
4076 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6 | binary | |
MD5:5215A6595D35C7276156AE71C1158C25 | SHA256:DF8E418B3EEF059318145843FB066FE4090349DAB4BF2F1426DB9F5B166F59FB | |||
4076 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CD1F910DD5DC23C234E99A91DE345C0 | der | |
MD5:7DD7388341F20DF046C23DA98D1CACE2 | SHA256:963B8594567547826B5676E2C4698754C1372FD1A8F36AEE88503F7D527CAD78 | |||
4076 | rmactivate.exe | C:\Users\admin\AppData\Local\Microsoft\DRM\CERT-Machine.drm | binary | |
MD5:53D3D2BD7C126A70A8A630B9987E12AD | SHA256:424AC810669F4F4AC269FEE92F2B4A91E55CDA92266C5730BEC8F060EE1AFE2C | |||
4076 | rmactivate.exe | C:\Users\admin\AppData\Local\Microsoft\DRM\CERT-Machine-2048.drm | binary | |
MD5:02123E0E2154042D5D7322DA685FB429 | SHA256:A4CB7B4B7E2B4EED88B4A818AF5C95236D943C17F5C445DA3594364B7EF5246C | |||
4076 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | binary | |
MD5:9CF0FA7CB1D01C84970482DE7F1CB59E | SHA256:09741D70BA4DADA112A6EBF7A71EA41E37CBD677B5089134F2677624A46EA015 | |||
4076 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:A624D65E3F07003B1D7F136B188F3AB0 | SHA256:83D75620A1041B76536000163A8CA9D838E4B6C3A510E0A4471B0B0EE07A03F6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4076 | rmactivate.exe | GET | 200 | 104.90.105.246:80 | http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl | NL | der | 564 b | whitelisted |
4076 | rmactivate.exe | GET | 200 | 92.123.194.163:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | der | 555 b | whitelisted |
4076 | rmactivate.exe | GET | 200 | 92.123.194.163:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 767 b | whitelisted |
4076 | rmactivate.exe | GET | 200 | 92.123.194.163:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | der | 824 b | whitelisted |
4076 | rmactivate.exe | GET | 200 | 8.252.41.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2fe46bbbfb5c8a90 | US | compressed | 4.70 Kb | whitelisted |
4076 | rmactivate.exe | GET | 200 | 92.123.194.163:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | der | 519 b | whitelisted |
4076 | rmactivate.exe | GET | 200 | 92.123.194.163:80 | http://crl.microsoft.com/pki/crl/products/WinPCA.crl | unknown | der | 530 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4076 | rmactivate.exe | 92.123.194.163:80 | crl.microsoft.com | Akamai International B.V. | — | suspicious |
4076 | rmactivate.exe | 8.252.41.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
4076 | rmactivate.exe | 104.90.105.246:80 | www.microsoft.com | Akamai Technologies, Inc. | NL | suspicious |
2940 | POWERPNT.EXE | 104.89.38.104:80 | go.microsoft.com | Akamai Technologies, Inc. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
ctldl.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
dns.msftncsi.com |
| shared |