File name: Purchase Order 003263 Karl Crowell Insurance.eml

Full analysis: https://app.any.run/tasks/c5867549-18c1-4169-a90b-2e3a47356f64
Verdict: Malicious activity
Analysis date: October 04, 2022, 22:36:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: news or mail, ASCII text, with CRLF line terminators
MD5: 6AA549BF17A0594D4ADDD85DED9ACBF1
SHA1: E13514FEC9DFA4CC04F24E1FDFE4095AF6004BF2
SHA256: 05C369E9647D0552BDF05C9E17752FE8E067F233C615A7F119FD4B40029DEDFF
SSDEEP: 3072:lrxMA2CgPb1zDHz2NOOHftzbCZ3DHvcx7ZLW:i3Pdf2NO8fBCxr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3160)
    • Checks supported languages

      • OUTLOOK.EXE (PID: 3160)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 3160)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3160)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 3160)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3272)
      • iexplore.exe (PID: 1928)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 4084)
      • iexplore.exe (PID: 3272)
      • iexplore.exe (PID: 1928)
    • Reads the computer name

      • iexplore.exe (PID: 4084)
      • iexplore.exe (PID: 3272)
      • iexplore.exe (PID: 1928)
    • Changes internet zones settings

      • iexplore.exe (PID: 4084)
    • Application launched itself

      • iexplore.exe (PID: 4084)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3272)
      • iexplore.exe (PID: 4084)
      • iexplore.exe (PID: 1928)
    • Creates files in the user directory

      • iexplore.exe (PID: 3272)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 4084)
      • iexplore.exe (PID: 3272)
      • iexplore.exe (PID: 1928)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3272)
      • iexplore.exe (PID: 1928)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3160)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 2) (100)
No data.
Total processes: 40
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process chain): start, outlook.exe, iexplore.exe, iexplore.exe, iexplore.exe

Process information

PID: 3160
CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Purchase Order 003263 Karl Crowell Insurance.eml"
Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\program files\microsoft office\office14\outlook.exe
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\version.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 4084
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://urldefense.com/v3/__https:/jorneysemola.app.box.com/notes/1031367226161?s=kr2viuy0unaqvdxa2nncfcw3ivn3wb5b__;!!LkjWUF49MRd51_ry!ZJ6tegCkfNrweOoWwqAwxyFO1z0c-ATFllwGZMjBxfDmWf2iZHw8s59j8uM6aiTlYxB3qjf44y6ETetSAV1byne8b6qHbz4MSUZxux-P$
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 3272
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4084 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 1928
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4084 CREDAT:3413263 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

Total events: 21 791
Read events: 21 002
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 18
Text files: 59
Unknown types: 21

Dropped files (PID, process, filename, type, hashes)

  • PID 3160, OUTLOOK.EXE
    Filename: C:\Users\admin\AppData\Local\Temp\CVRE106.tmp.cvr
    MD5:
    SHA256:
  • PID 3160, OUTLOOK.EXE
    Filename: C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
    MD5:
    SHA256:
  • PID 3272, iexplore.exe
    Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Type: binary
    MD5: 5F65A4C3A9178D93E52F484ECE7058F4
    SHA256: 1391A35C5C77DBCCFF0CEF9ECC7B325E453EBF043691FA83824A60684741E14B
  • PID 3160, OUTLOOK.EXE
    Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB95F372.dat
    Type: image
    MD5: 0C47CB7390112A8F964E1A4591B4F163
    SHA256: D166FF3514D92B82244E44A5D94C83732AEEF0363FB217CD80DDEAA21ABDFEFC
  • PID 3272, iexplore.exe
    Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Type: binary
    MD5: 463F3CE3C73858FD04A2FF68B8B6ADE2
    SHA256: CF62F3A6E61409881E9EBE17A27248EAD36A8655E7B23118D6AFEF38CF870EB2
  • PID 3272, iexplore.exe
    Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
    Type: der
    MD5: B6F52795B677B4E2AD47736FFE3704A5
    SHA256: C8AFF1F15506340E6ABD76C8A8382E9CAEBA4FA8E8483254CF7AB9D22C2A57FE
  • PID 3160, OUTLOOK.EXE
    Filename: C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
    Type: text
    MD5: 3B79C5EE1C3AFB2A1D0C1E0738177622
    SHA256: ADFD0B577904003A7A021F045922D98B5E2F9FC95AE48EDC5E9D2006681C1372
  • PID 4084, iexplore.exe
    Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
    Type: der
    MD5: B8BDA0B382A7D056A4241B388338B778
    SHA256: 7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2
  • PID 3160, OUTLOOK.EXE
    Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
    Type: pgc
    MD5: F54C1DD9CF62E207FFC26EC2EF197AF4
    SHA256: F9B75AF59F684CDDD23005B05922F67ECBFDE31CB1672E371844D1FEDC124FAA
  • PID 3160, OUTLOOK.EXE
    Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Type: text
    MD5: F3B25701FE362EC84616A93A45CE9998
    SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 62
DNS requests: 28
Threats: 0

HTTP requests (PID, process, method, HTTP code, IP, URL, CN, type, size, reputation)

  • PID 3160, OUTLOOK.EXE, GET, 64.4.26.155:80
    URL: http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
    CN: US, reputation: whitelisted
  • PID 3272, iexplore.exe, GET, HTTP 200, 104.18.32.68:80
    URL: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
    CN: US, type: der, size: 1.42 Kb, reputation: whitelisted
  • PID 3272, iexplore.exe, GET, HTTP 200, 93.184.220.29:80
    URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEA7ze%2BiSFHmYKH4I97FkjrU%3D
    CN: US, type: der, size: 471 b, reputation: whitelisted
  • PID 4084, iexplore.exe, GET, HTTP 200, 93.184.220.29:80
    URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
    CN: US, type: der, size: 1.47 Kb, reputation: whitelisted
  • PID 1928, iexplore.exe, GET, HTTP 200, 172.217.20.67:80
    URL: http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
    CN: US, type: der, size: 724 b, reputation: whitelisted
  • PID 3272, iexplore.exe, GET, HTTP 200, 67.26.137.254:80
    URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?65420842d452265b
    CN: US, type: compressed, size: 4.70 Kb, reputation: whitelisted
  • PID 3272, iexplore.exe, GET, HTTP 200, 172.64.155.188:80
    URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D
    CN: US, type: der, size: 2.18 Kb, reputation: whitelisted
  • PID 3272, iexplore.exe, GET, HTTP 200, 172.64.155.188:80
    URL: http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCEA2KFitLH9n0LY9WTWFSpcE%3D
    CN: US, type: der, size: 471 b, reputation: whitelisted
  • PID 1928, iexplore.exe, GET, HTTP 200, 104.18.32.68:80
    URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
    CN: US, type: der, size: 2.18 Kb, reputation: whitelisted
  • PID 4084, iexplore.exe, GET, HTTP 200, 93.184.220.29:80
    URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
    CN: US, type: der, size: 471 b, reputation: whitelisted

Connections (PID, process, IP, domain, ASN, CN, reputation)

  • PID 4084, iexplore.exe: 204.79.197.200:443, www.bing.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN US, reputation: whitelisted
  • PID 3272, iexplore.exe: 67.26.137.254:80, ctldl.windowsupdate.com, ASN LEVEL3, CN US, reputation: malicious
  • PID 3272, iexplore.exe: 104.18.32.68:80, ocsp.comodoca.com, ASN CLOUDFLARENET, reputation: suspicious
  • PID 4084, iexplore.exe: 93.184.220.29:80, ocsp.digicert.com, ASN EDGECAST, CN GB, reputation: whitelisted
  • PID 3272, iexplore.exe: 52.204.90.22:443, urldefense.com, ASN AMAZON-AES, CN US, reputation: suspicious
  • PID 3160, OUTLOOK.EXE: 64.4.26.155:80, config.messenger.msn.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN US, reputation: whitelisted
  • PID 3272, iexplore.exe: 74.112.186.144:443, jorneysemola.app.box.com, ASN GOOGLE-CLOUD-PLATFORM, CN US, reputation: suspicious
  • PID 3272, iexplore.exe: 172.64.155.188:80, ocsp.comodoca.com, ASN CLOUDFLARENET, CN US, reputation: suspicious
  • PID 3272, iexplore.exe: 93.184.220.29:80, ocsp.digicert.com, ASN EDGECAST, CN GB, reputation: whitelisted
  • PID 1928, iexplore.exe: 93.184.220.29:80, ocsp.digicert.com, ASN EDGECAST, CN GB, reputation: whitelisted


DNS requests (domain, resolved IPs, reputation)

  • config.messenger.msn.com: 64.4.26.155 (whitelisted)
  • urldefense.com: 52.71.28.102, 52.204.90.22, 52.6.56.188 (shared)
  • api.bing.com: 13.107.5.80 (whitelisted)
  • www.bing.com: 204.79.197.200, 13.107.21.200 (whitelisted)
  • ctldl.windowsupdate.com: 67.26.137.254, 8.248.135.254, 8.253.204.121, 8.238.189.126, 67.27.157.254 (whitelisted)
  • ocsp.comodoca.com: 104.18.32.68, 172.64.155.188 (whitelisted)
  • ocsp.digicert.com: 93.184.220.29 (whitelisted)
  • ocsp.usertrust.com: 172.64.155.188, 104.18.32.68 (whitelisted)
  • ocsp.sectigo.com: 172.64.155.188, 104.18.32.68 (whitelisted)
  • jorneysemola.app.box.com: 74.112.186.144 (suspicious)

Threats: No threats detected
Debug info: No debug info