File name: phish_alert_sp2_2.0.0.0 - 2022-10-05T034921.093.eml

Full analysis: https://app.any.run/tasks/730eb0cd-effc-435a-8433-41ef71294bb7
Verdict: Malicious activity
Analysis date: October 04, 2022, 22:20:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5: 681C5CA4FA7C7346A0D213EE33018C50
SHA1: 74469114B2AEF8FC6776B2158C67834A0476025A
SHA256: 064F4FEA106C86DB9D98D1C28B649F565B9A53DEC76B4B1666EA8B9C71C0CA91
SSDEEP: 1536:s2qbJbf+sZIXq2dmMwvZYufjEOA9qbOtQ0Eb9bf+s+:8bNFOX9mM+uOAwKQ0MpF+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks supported languages

      • OUTLOOK.EXE (PID: 3560)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 3560)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3560)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3252)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 3560)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3560)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 3252)
      • iexplore.exe (PID: 3356)
    • Checks supported languages

      • iexplore.exe (PID: 3252)
      • iexplore.exe (PID: 3356)
    • Changes internet zones settings

      • iexplore.exe (PID: 3356)
    • Application launched itself

      • iexplore.exe (PID: 3356)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3252)
      • iexplore.exe (PID: 3356)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3252)
      • iexplore.exe (PID: 3356)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3356)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3252)
    • Creates files in the user directory

      • iexplore.exe (PID: 3356)
      • iexplore.exe (PID: 3252)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3356)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3356)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .eml | E-Mail message (Var. 5) (100)
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph: start -> outlook.exe -> iexplore.exe -> iexplore.exe

Process information

PID: 3560
CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0 - 2022-10-05T034921.093.eml"
Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 3356
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcovanta-my.sharepoint.com%2Fpersonal%2Fmleys_covanta_com%2F_layouts%2F15%2Fonedrive.aspx%3Fview%3D5%26activityId%3Dcc3db85d-be96-487a-b2fb-a6a216a15fc8&data=05%7C01%7CMLeys%40covanta.com%7Cfa927b0ebab7444cf11308daa64a837d%7C4aabd90b7a094a17b04d52f3f6a8fab0%7C0%7C0%7C638005136558339905%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=NO0pqk9GCnSPzI5sRjbxAXF4NIBX0Ewgc9hFW2uMsbI%3D&reserved=0
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3252
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3356 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 18 117
Read events: 17 406
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 12
Text files: 53
Unknown types: 9

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3560 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRD7B8.tmp.cvr | n/a | n/a | n/a
3560 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | n/a | n/a | n/a
3252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | binary | D461C404D3A4811A1E71DDFD1A4681DA | FBA156570CAEBAB292DD9BE8544B34DB666F33B378A171FEAA3236FDB7CFA8E4
3252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | der | FC3590371542781688A0E00B5633FB09 | 9A3B60E421D01707341754521C847E2BFE5FC7D9032A8AA23435713052D86BB5
3252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 7070A7727DC452E911A1C101BB2665EF | 2B4A687216178B89FD9CD28303C5E3EE277B2298DB9C55E6C7C4040B2797272F
3560 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 84F46CD8A09D99DA0F44FABB5389E825 | 0FBF9D00C290BABF2FCC07CB4482C4D57F04009BCC2EEAAF48862F9DA9340470
3560 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | 5B37A540A39E68772C1BA3FF9840803D | 0FFC7F4A72CEA569D7CAAF8F99513FC77D82016B53E4BC995B37F34728F8E33C
3356 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | B8BDA0B382A7D056A4241B388338B778 | 7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2
3356 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | 9240FA6835BD9EB88EE0A9AE74B218ED | 62ED827D4472E66CB70DDBD11C82BBC25D5C1DC02AB7FA5C07C3DED772158586
3252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | F7DCB24540769805E5BB30D193944DCE | 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 37
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3560 | OUTLOOK.EXE | GET | n/a | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | n/a | n/a | whitelisted
3252 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAxq6XzO1ZmDhpCgCp6lMhQ%3D | US | der | 471 b | whitelisted
3252 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
3252 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA9bw6F2y3ieICDHiTyBZ7Q%3D | US | der | 1.47 Kb | whitelisted
3356 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted
3356 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
3356 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
3252 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA8XGkjG8iOAkhjNLtbdwOg%3D | US | der | 471 b | whitelisted
3252 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted
3252 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bc5fe67645ad4e00 | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3356 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
3252 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
3252 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious
3356 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3560 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3252 | iexplore.exe | 13.107.246.44:443 | aadcdn.msauth.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious
3252 | iexplore.exe | 20.190.159.64:443 | login.microsoftonline.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3252 | iexplore.exe | 13.107.136.9:443 | covanta-my.sharepoint.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3356 | iexplore.exe | 13.107.246.44:443 | aadcdn.msauth.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious
3252 | iexplore.exe | 20.190.159.75:443 | login.microsoftonline.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
nam12.safelinks.protection.outlook.com | 104.47.66.28, 104.47.55.156 | whitelisted
ctldl.windowsupdate.com | 23.216.77.80, 23.216.77.69 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
covanta-my.sharepoint.com | 13.107.136.9, 13.107.138.9 | suspicious
login.microsoftonline.com | 20.190.159.75, 40.126.31.73, 20.190.159.64, 40.126.31.67, 20.190.159.0, 20.190.159.23, 40.126.31.71, 20.190.159.71 | whitelisted
aadcdn.msauth.net | 13.107.246.44, 13.107.213.44 | whitelisted
login.live.com | 20.190.159.64, 40.126.31.71, 20.190.159.71, 20.190.159.73, 20.190.159.4, 40.126.31.67, 20.190.159.0, 20.190.159.75 | whitelisted

Threats

No threats detected
No debug info