File name:

phish_alert_sp2_2.0.0.0.eml

Full analysis: https://app.any.run/tasks/5b6726ff-0dfe-4bbd-82be-788b1da36e97
Verdict: Malicious activity
Analysis date: December 05, 2022, 18:53:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

29E14C4B290F30E782B89B0A1E80035E

SHA1:

036699C90027DC1DF22195862A10A66C7C2DADE4

SHA256:

03923613C4AE0B41DF3AF6C00624DB24AA0CD95D5362E10B0B47DE5465D68221

SSDEEP:

384:uXSqa6NPs039gZG9IMtQKAwmbCy4SEP75G+fYanfY4mLYNG:uXXa6NPs0tgZettQ7blgUSQ4nNG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • OUTLOOK.EXE (PID: 1580)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2356)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1580"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2356"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\1UM87HQZ\EFT_90811 pdf.htmC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2884"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2356 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
15 216
Read events
14 517
Write events
678
Delete events
21

Modification events

(PID) Process:(1580) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(1580) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(1580) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(1580) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(1580) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(1580) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(1580) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(1580) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(1580) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(1580) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
Off
Executable files
0
Suspicious files
9
Text files
17
Unknown types
5

Dropped files

PID
Process
Filename
Type
1580OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRF794.tmp.cvr
MD5:
SHA256:
1580OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
1580OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_1036A74FC4D8EF4AA8B4DB8E5C375233.datxml
MD5:D8B37ED0410FB241C283F72B76987F18
SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
1580OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:7DAA73AF3037AE10F3F995DBA0FC4F49
SHA256:17DC26D586A746933E5EE44CC9C47DA5FB0B5DD740756D193EE7EAD941903C64
1580OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
1580OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{FB31437B-44A9-4028-9F24-738E3B2D46E2}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
1580OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_ADEF715D3E73D047B1134D14701E9774.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
1580OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_D46E0D224FDAC84DACE01D8A34C26904.datxml
MD5:BBCF400BD7AE536EB03054021D6A6398
SHA256:383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD
1580OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:C3D9558A4A9AEFC2BC0F6B8D79E49321
SHA256:3BE575BA262F0EDECEE41323C68B58EC5C5586754AA85F2425165989700F90DE
1580OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_F024CE012444244BA81604051E53AB5D.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2884
iexplore.exe
GET
200
8.241.123.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ec40350b83aaa5da
US
compressed
4.70 Kb
whitelisted
2884
iexplore.exe
GET
200
8.241.123.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a42edfe762310248
US
compressed
61.4 Kb
whitelisted
2884
iexplore.exe
GET
200
23.45.105.185:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
2356
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
2356
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1580
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
13.107.22.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2884
iexplore.exe
162.222.227.178:443
aadicorporation.in
UNIFIEDLAYER-AS-1
US
suspicious
2356
iexplore.exe
13.107.22.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2884
iexplore.exe
23.45.105.185:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown
2884
iexplore.exe
8.241.123.126:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
2356
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
EDGECAST
US
whitelisted
2356
iexplore.exe
131.253.33.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2884
iexplore.exe
2.16.107.43:80
r3.o.lencr.org
Akamai International B.V.
DE
suspicious
2356
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
aadicorporation.in
  • 162.222.227.178
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.22.200
  • 131.253.33.200
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
ctldl.windowsupdate.com
  • 8.241.123.126
  • 8.238.29.254
  • 8.238.28.126
  • 8.253.207.121
  • 8.248.143.254
whitelisted
x1.c.lencr.org
  • 23.45.105.185
whitelisted
r3.o.lencr.org
  • 2.16.107.43
  • 2.16.107.115
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info