analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Administrator has responded to your request for 'Standard Contact Block'.msg

Full analysis: https://app.any.run/tasks/02ed0cdf-c8ca-4b8f-835b-bdce5a7a9f39
Verdict: Malicious activity
Analysis date: July 11, 2019, 13:07:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

C5B839127BFECD4FA86145C04E7BE7CF

SHA1:

C5ABEB7E958EA6DAE27DC6E240E7094998D6F394

SHA256:

05D4A55A48541F6B3B2B5F271D3F670C9DFF15B9B68FA69C6060E0CC2AE3A50C

SSDEEP:

768:UKdndmd9EP50k5sRk7O0O47WsK3WsK4pqb9HoSzWsKg5N67rdD67O/SVof6iDNhg:1dM9EPDWfWg8vW4eJPfyHW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 3140)
  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3140)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3140)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3140)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2832)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3140)
    • Application launched itself

      • iexplore.exe (PID: 2832)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3120)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2832)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2832)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3120)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2832)
    • Creates files in the user directory

      • iexplore.exe (PID: 3120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3140"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator has responded to your request for 'Standard Contact Block'.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2832"C:\Program Files\Internet Explorer\iexplore.exe" https://nam04.safelinks.protection.outlook.com/ap/w-59584e83/?url=https%3A%2F%2Fepicor.sharepoint.com%2Fsites%2FHorizonContent%2FShared%2520Documents%2FGeneral%2FStandard%2520Contact%2520Block.docx%3Fd%3Dw3aef17d0280142c19f3c4ce263903f79&data=02%7C01%7CECain%40epicor.com%7C6440d7ee283b4470873508d6f65bcced%7C4f4f4c56a772461a967e7890c3960b3a%7C1%7C1%7C636967271478427240&sdata=WL3nATb0x0TSUsSNq11sT7OSreQJQBWQ53nEnCMzXCc%3D&reserved=0C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3120"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2832 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
1 666
Read events
1 189
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
42
Unknown types
5

Dropped files

PID
Process
Filename
Type
3140OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRDB23.tmp.cvr
MD5:
SHA256:
2832iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
2832iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3120iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
MD5:
SHA256:
3120iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
MD5:
SHA256:
3120iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\authorize[1].txt
MD5:
SHA256:
3140OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:10CDFD9A8CCAFC71AF5C9BE05ABF3A8C
SHA256:55D60942D13652D6BB4419415ADA6781B4278668E219ECA0C11CBCFFFD8B06BF
3120iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:84F1BD6D3C9FCED7157D67F4E2A43338
SHA256:D6B17434640C4B2E476A35751B04645FA4C3210D38B1F23BC82F22567DC2BEF5
3140OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_74811D62C2E9A647ACD6D0429BCB990E.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
3120iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\converged.v2.login.min_bxeixgi3llnj-nuc4-xqwa2[1].csstext
MD5:6F11225E02372CB349FA7B9CE3E5EAC0
SHA256:21CC48423EE47207382CC9C1C3885913079BE17805E6FF81E76E0E7165CA32CD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
12
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2832
iexplore.exe
GET
200
13.107.21.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3120
iexplore.exe
20.190.137.98:443
login.windows.net
Microsoft Corporation
US
suspicious
3120
iexplore.exe
13.107.136.9:443
epicor.sharepoint.com
Microsoft Corporation
US
whitelisted
2832
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3120
iexplore.exe
104.47.46.28:443
nam04.safelinks.protection.outlook.com
Microsoft Corporation
US
whitelisted
3140
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3120
iexplore.exe
40.126.9.66:443
login.microsoftonline.com
Microsoft Corporation
US
unknown
3120
iexplore.exe
152.199.23.37:443
aadcdn.msftauth.net
MCI Communications Services, Inc. d/b/a Verizon Business
US
suspicious
2832
iexplore.exe
152.199.23.37:443
aadcdn.msftauth.net
MCI Communications Services, Inc. d/b/a Verizon Business
US
suspicious
3120
iexplore.exe
184.31.91.84:443
secure.aadcdn.microsoftonline-p.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
nam04.safelinks.protection.outlook.com
  • 104.47.46.28
  • 104.47.45.28
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
epicor.sharepoint.com
  • 13.107.136.9
suspicious
login.windows.net
  • 20.190.137.98
  • 40.126.9.8
  • 20.190.137.96
  • 40.126.9.6
whitelisted
login.microsoftonline.com
  • 40.126.9.66
  • 40.126.9.8
  • 20.190.137.98
  • 40.126.9.6
  • 20.190.137.96
whitelisted
aadcdn.msftauth.net
  • 152.199.23.37
whitelisted
secure.aadcdn.microsoftonline-p.com
  • 184.31.91.84
whitelisted

Threats

No threats detected
No debug info