File name: Recent Activity Report 9302020.msg

Full analysis: https://app.any.run/tasks/8c410dc9-2e11-48fd-9a48-ba09f5223e4f
Verdict: Malicious activity
Analysis date: September 30, 2020, 10:47:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: F8E1E620DCB6B6224A86C0B59443BE6C
SHA1: 1DF4D0224ED79EE590BE22DAEC5880F46EF007E0
SHA256: 06BBD3174987EA043EC903FBAE8182AB8B2EEC22F99BF818B6D495D0BB6B3D3C
SSDEEP: 768:mPYGN2Yo5Zv9stxcTbdKUEqjFUQNx/k5fQGiraN/vE5BMzSLa96WxuugbdLF3p6/:DtXlsZmFraN/vE5BM0a96XfSpJKi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 960)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 960)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 960)
  • INFO
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 940)
      • iexplore.exe (PID: 1500)
      • OUTLOOK.EXE (PID: 960)
    • Application launched itself
      • iexplore.exe (PID: 1500)
      • chrome.exe (PID: 2148)
    • Reads Internet Explorer settings
      • iexplore.exe (PID: 940)
    • Changes Internet zones settings
      • iexplore.exe (PID: 1500)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 960)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1500)
      • chrome.exe (PID: 2592)
    • Manual execution by user
      • chrome.exe (PID: 2148)
    • Changes settings of System Certificates
      • iexplore.exe (PID: 1500)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 1500)
    • Reads the hosts file
      • chrome.exe (PID: 2148)
      • chrome.exe (PID: 2592)
    • Creates files in the user directory
      • iexplore.exe (PID: 940)
      • iexplore.exe (PID: 1500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 65
Monitored processes: 26
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process tree (interactive graph in the full report): start → outlook.exe → iexplore.exe → iexplore.exe; chrome.exe with its child chrome.exe processes (most marked "no specs")

Process information

PID: 960
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Recent Activity Report 9302020.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 1500
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.afmgm.ltd.uk.yangkuasa.com/?tty=([email protected])
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 940
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1500 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2148
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3036
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x600ca9d0,0x600ca9e0,0x600ca9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2536
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1836 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2608
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,7936987246236938889,11145270654089331336,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=1334330939363729503 --mojo-platform-channel-handle=1004 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

PID: 2592
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=992,7936987246236938889,11145270654089331336,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=2025563416972576234 --mojo-platform-channel-handle=1616 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 1736
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,7936987246236938889,11145270654089331336,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=855827569085708734 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 3024
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,7936987246236938889,11145270654089331336,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11294315702368238078 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Total events: 3 085
Read events: 1 960
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 0
Suspicious files: 69
Text files: 122
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
960 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR79DD.tmp.cvr | | |
1500 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | | |
940 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\SNA8PJBX.txt | | |
940 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\QOZPBZCS.txt | | |
960 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | DF1B060D4CB1045B7ADF808BFE1B3145 | C1F0443164C57E13AC2B071BE6B28B20045F6C1016EFA1DB06755B0B6E07952D
960 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | CFBCCAA6280EA5341901BCA0579182C8 | 918A1EB558BD9D5DB038D00260A8FC4E523C13FF478F4D71408ACA7A2749D498
940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\errorPageStrings[1] | text | E3E4A98353F119B80B323302F26B78FA | 9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66
960 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6662258.dat | image | A89E31BE50A1B9A1221B00D22CE94D38 | 7DE6BCFE419B58BB38F3B9A8251BC89A56FC5C4D872DCEAD9AF2D496D7F4B06F
940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\qsml[1].htm | | |
1500 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text | 6A6A42FC350835C34A0ED8F2A6481F02 | 8DF43FA2A534E75D6107397BA31D1EAF20C4E2B76E2A7ABB248DB6F77CF272A7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 82
DNS requests: 48
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
960 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
940 | iexplore.exe | GET | | 13.107.13.80:80 | http://api.bing.com/qsml.aspx?query=http%3A%2F%2Fwww.afmgm.ltd.uk.yangkuasa.c&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US | US | | | whitelisted
940 | iexplore.exe | GET | 200 | 13.107.13.80:80 | http://api.bing.com/qsml.aspx?query=http%3A%2F%2Fwww.afmgm.ltd.uk.yangkuasa.com&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US | US | xml | 187 b | whitelisted
1500 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
1500 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
940 | iexplore.exe | GET | 200 | 13.107.13.80:80 | http://api.bing.com/qsml.aspx?query=http%3A%2F%2Fwww.afmgm.ltd.uk.yangkuasa.&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US | US | xml | 186 b | whitelisted
2592 | chrome.exe | GET | 302 | 162.241.125.236:80 | http://www.afmgm.ltd.uk.yangkuasa.com/ | US | binary | 20 b | suspicious
940 | iexplore.exe | GET | 302 | 162.241.125.236:80 | http://www.afmgm.ltd.uk.yangkuasa.com/ | US | binary | 20 b | suspicious
1500 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
1052 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1500 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
940 | iexplore.exe | 162.241.125.236:80 | www.afmgm.ltd.uk.yangkuasa.com | CyrusOne LLC | US | suspicious
2592 | chrome.exe | 172.217.22.67:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
940 | iexplore.exe | 162.241.125.236:443 | www.afmgm.ltd.uk.yangkuasa.com | CyrusOne LLC | US | suspicious
940 | iexplore.exe | 13.107.13.80:80 | api.bing.com | Microsoft Corporation | US | whitelisted
2592 | chrome.exe | 162.241.125.236:443 | www.afmgm.ltd.uk.yangkuasa.com | CyrusOne LLC | US | suspicious
2592 | chrome.exe | 172.217.23.138:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2592 | chrome.exe | 162.241.125.236:80 | www.afmgm.ltd.uk.yangkuasa.com | CyrusOne LLC | US | suspicious
2592 | chrome.exe | 216.58.207.36:443 | www.google.com | Google Inc. | US | whitelisted
1500 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
www.afmgm.ltd.uk.yangkuasa.com | 162.241.125.236 | suspicious
biarorang.com | 162.241.125.236 | suspicious
api.bing.com | 13.107.13.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
clientservices.googleapis.com | 172.217.22.67 | whitelisted
accounts.google.com | 172.217.16.141 | shared
www.google.com | 216.58.207.36 | whitelisted
fonts.gstatic.com | 172.217.18.99 | whitelisted
fonts.googleapis.com | 172.217.23.138 | whitelisted

Threats

PID | Process | Class | Message
940 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
940 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
940 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
940 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
No debug info