URL: | https://c2rsetup.officeapps.live.com/c2r/download.aspx?productreleaseid=skypeforbusinessentryretail&platform=x86&language=es-es&source=o16o365&version=o16ga |
Full analysis: | https://app.any.run/tasks/90267235-aec9-43c6-a470-69c69d52133f |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 07:17:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 2E434CCE2CE73AF7BC8CAC8F3D798F9C |
SHA1: | 39E08D35FEEB478F4755FD76D02AB2E327169A0D |
SHA256: | DFEC1E2EA4F93229C03BD53EF74B65B33DA47357295537E01DA02A080289F607 |
SSDEEP: | 3:N8M4uMM8uT3q8ElfIadXHuSHzyWBPafxGEC9uN6UGByWLsK6:2M4u4c3q3fIad3uuVapGshGByF |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2856 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3252 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2856 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2244 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\download[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\download[1].exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Version: 16.0.11029.20064 | ||||
2820 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\download[1].exe" ELEVATED | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\download[1].exe | download[1].exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Version: 16.0.11029.20064 | ||||
3924 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -WindowStyle Hidden -Command "& { $isOfficeInstalled = Get-AppxPackage Microsoft.Office.Desktop -allusers; if ($isOfficeInstalled -eq $null) { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Centennial.Detection.IsCentennialOfficeInstalled.scratch' -InputObject '0' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Centennial.Detection.IsCentennialOfficeInstalled.scratch' -InputObject '1' -Encoding ascii } }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | download[1].exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2436 | forcecentcheck= deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 productreleaseid=SkypeforBusinessEntryRetail platform=x86 culture=es-es defaultplatform=False lcid=3082 b= prereleasebuild=4419 storeid= tx= totalclientcabsize=20812258 productstoadd=SkypeforBusinessEntryRetail.16_es-es_x-none scenario=unknown mediatype.16=CDN SkypeforBusinessEntryRetail.excludedapps.16=groove updatesenabled.16=True cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.11029.20079 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 sourcetype.16=CDN flt.useexptransportinplacepl=unknown flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | — | download[1].exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Click-to-Run (SxS) Version: 16.0.11029.20079 | ||||
3084 | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Office Click-to-Run (SxS) Version: 16.0.11029.20079 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2856 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2856 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF812FCEA904287765.TMP | — | |
MD5:— | SHA256:— | |||
2856 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFE01783410B5D7EEE.TMP | — | |
MD5:— | SHA256:— | |||
2856 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{0E704B65-F927-11E8-BAD8-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
2820 | download[1].exe | C:\Users\admin\AppData\Local\Temp\CabF013.tmp | — | |
MD5:— | SHA256:— | |||
2820 | download[1].exe | C:\Users\admin\AppData\Local\Temp\TarF014.tmp | — | |
MD5:— | SHA256:— | |||
2820 | download[1].exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RFFF641DA-ED0D-4DC3-AFFE-734878431F68OfficeC2RA2ADB74C-2A70-4BD0-B907-FEF8A7FF81A5\v32.hash | — | |
MD5:— | SHA256:— | |||
2820 | download[1].exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RFFF641DA-ED0D-4DC3-AFFE-734878431F68OfficeC2RA2ADB74C-2A70-4BD0-B907-FEF8A7FF81A5\VersionDescriptor.xml | — | |
MD5:— | SHA256:— | |||
2820 | download[1].exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RFFF641DA-ED0D-4DC3-AFFE-734878431F68\v32.hash | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2820 | download[1].exe | HEAD | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11029.20079.cab | unknown | — | — | whitelisted |
2820 | download[1].exe | GET | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11029.20079/i320.cab | unknown | — | — | whitelisted |
2820 | download[1].exe | HEAD | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11029.20079.cab | unknown | — | — | whitelisted |
2820 | download[1].exe | HEAD | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11029.20079/i323082.cab | unknown | — | — | whitelisted |
2820 | download[1].exe | HEAD | 200 | 2.16.186.83:80 | http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11029.20079.cab | unknown | — | — | whitelisted |
2820 | download[1].exe | GET | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11029.20079/i323082.cab | unknown | — | — | whitelisted |
2820 | download[1].exe | GET | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11029.20079.cab | unknown | — | — | whitelisted |
2820 | download[1].exe | HEAD | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11029.20079/i320.cab | unknown | — | — | whitelisted |
2820 | download[1].exe | HEAD | 200 | 2.16.186.83:80 | http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11029.20079.cab | unknown | — | — | whitelisted |
2820 | download[1].exe | HEAD | 200 | 2.16.186.83:80 | http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11029.20079/i320.cab | unknown | compressed | 83.7 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3252 | iexplore.exe | 52.109.20.8:443 | c2rsetup.officeapps.live.com | Microsoft Corporation | US | unknown |
2856 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2820 | download[1].exe | 2.16.186.74:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
3084 | OfficeClickToRun.exe | 2.16.186.74:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
2820 | download[1].exe | 52.109.76.40:443 | mrodevicemgr.officeapps.live.com | Microsoft Corporation | IE | suspicious |
3084 | OfficeClickToRun.exe | 2.21.41.70:80 | www.microsoft.com | GTT Communications Inc. | FR | malicious |
2244 | download[1].exe | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
3084 | OfficeClickToRun.exe | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
2244 | download[1].exe | 52.232.69.150:443 | client-office365-tas.msedge.net | Microsoft Corporation | NL | whitelisted |
2820 | download[1].exe | 2.18.232.120:80 | officecdn.microsoft.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
c2rsetup.officeapps.live.com |
| whitelisted |
client-office365-tas.msedge.net |
| whitelisted |
config.edge.skype.com |
| whitelisted |
mrodevicemgr.officeapps.live.com |
| whitelisted |
officecdn.microsoft.com |
| whitelisted |
officecdn.microsoft.com.edgesuite.net |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |