File name:

Re Prueba de_transferenci#.msg

Full analysis: https://app.any.run/tasks/5ec24d5a-39e2-4517-b97a-1ab41ef5a713
Verdict: Malicious activity
Analysis date: August 13, 2019, 16:43:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

5EBBC5F1A7D7645FEB993C81B0503EDE

SHA1:

3FEDD2BB6A14FB9FE1D94ADE03537E52CBA2C8E6

SHA256:

0F16962295BE80A44ECF3BAE30781ECFE6B4C31EF8191E19A57155F85FD25D65

SSDEEP:

768:pUj/QN+EuHtxIHWGHwT8c9j/AHWm6cvm5Y1NrvH+OSHtZTS8WhX1glHKBo99d995:ewc9u9vmxWhX1G6y1eT8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 3568)

    • Application was dropped or rewritten from another process

      • Prueba de_transferenci#.exe (PID: 1840)
      • Prueba de_transferenci#.exe (PID: 2320)
      • Host.exe (PID: 4072)
      • Host.exe (PID: 3708)

    • Changes the autorun value in the registry

      • Host.exe (PID: 3708)

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3568)
      • Prueba de_transferenci#.exe (PID: 2320)

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3568)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3568)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3988)
      • Prueba de_transferenci#.exe (PID: 2320)

    • Application launched itself

      • Prueba de_transferenci#.exe (PID: 1840)
      • Host.exe (PID: 4072)

    • Starts itself from another location

      • Prueba de_transferenci#.exe (PID: 2320)

    • Connects to unusual port

      • Host.exe (PID: 3708)

  • INFO

    • Application launched itself

      • firefox.exe (PID: 2748)
      • iexplore.exe (PID: 2652)

    • Changes internet zones settings

      • iexplore.exe (PID: 2652)

    • Creates files in the user directory

      • firefox.exe (PID: 2748)
      • iexplore.exe (PID: 3020)

    • Reads CPU info

      • firefox.exe (PID: 2748)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3020)

    • Manual execution by user

      • firefox.exe (PID: 2708)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
15
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start outlook.exe iexplore.exe iexplore.exe notepad.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe winrar.exe prueba de_transferenci#.exe no specs prueba de_transferenci#.exe host.exe no specs host.exe

Process information

PID
CMD
Path
Indicators
Parent process
1496"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9G2J0V6E\email.txtC:\Windows\system32\NOTEPAD.EXEOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1668"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2748.0.1726002836\6824568" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2748 "\\.\pipe\gecko-crash-server-pipe.2748" 1156 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
1840"C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.16419\Prueba de_transferenci#.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.16419\Prueba de_transferenci#.exeWinRAR.exe
User:
admin
Company:
CalligolasMERRELL9
Integrity Level:
MEDIUM
Description:
CalligolasREJECTMENT5
Exit code:
0
Version:
1.07.0005
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3988.16419\prueba de_transferenci#.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2152"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2748.3.982795264\1133250306" -childID 1 -isForBrowser -prefsHandle 1688 -prefMapHandle 1684 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2748 "\\.\pipe\gecko-crash-server-pipe.2748" 1708 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2320"C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.16419\Prueba de_transferenci#.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3988.16419\Prueba de_transferenci#.exe
Prueba de_transferenci#.exe
User:
admin
Company:
CalligolasMERRELL9
Integrity Level:
MEDIUM
Description:
CalligolasREJECTMENT5
Exit code:
0
Version:
1.07.0005
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3988.16419\prueba de_transferenci#.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2484"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2748.13.1183948380\1232973805" -childID 2 -isForBrowser -prefsHandle 2828 -prefMapHandle 2832 -prefsLen 5996 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2748 "\\.\pipe\gecko-crash-server-pipe.2748" 2844 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2652"C:\Program Files\Internet Explorer\iexplore.exe" http://www.mediafire.com/file/21eqbfydl6nyx1g/Prueba_de_transferenci%2523.7z/fileC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2708"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2748"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
3020"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2652 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
3 786
Read events
3 286
Write events
479
Delete events
21

Modification events

(PID) Process:(3568) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3568) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3568) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
Operation:writeName:+2f
Value:
2B326600F00D0000010000000000000000000000
(PID) Process:(3568) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook
Operation:writeName:MTTT
Value:
F00D00004C3BD13CF651D50100000000
(PID) Process:(3568) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\SQM
Operation:writeName:SQMSessionNumber
Value:
0
(PID) Process:(3568) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\SQM
Operation:writeName:SQMSessionDate
Value:
220168800
(PID) Process:(3568) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\0a0d020000000000c000000000000046
Operation:writeName:00030429
Value:
03000000
(PID) Process:(3568) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
Operation:writeName:{ED475418-B0D6-11D2-8C3B-00104B2A6676}
Value:
(PID) Process:(3568) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
Operation:writeName:LastChangeVer
Value:
1200000000000000
(PID) Process:(3568) OUTLOOK.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109A10090400000000000F01FEC\Usage
Operation:writeName:OutlookMAPI2Intl_1033
Value:
1326252053
Executable files
2
Suspicious files
62
Text files
58
Unknown types
42

Dropped files

PID
Process
Filename
Type
3568OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR8E0B.tmp.cvr
MD5:
SHA256:
2652iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2652iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3020iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@mediafire[1].txt
MD5:
SHA256:
3568OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3722E2B3.datimage
MD5:
SHA256:
2652iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF375CCA4D0448C6A5.TMP
MD5:
SHA256:
3568OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:
SHA256:
3020iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:
SHA256:
3020iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:
SHA256:
2652iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFE031B5E8CD9CB623.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
24
DNS requests
75
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3568
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3020
iexplore.exe
GET
302
104.19.195.29:80
http://www.mediafire.com/file/21eqbfydl6nyx1g/Prueba_de_transferenci%2523.7z/file
US
shared
2748
firefox.exe
GET
302
104.19.195.29:80
http://www.mediafire.com/file/21eqbfydl6nyx1g/Prueba_de_transferencia2523.7z/file
US
shared
2748
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3020
iexplore.exe
GET
200
205.196.123.183:80
http://download1495.mediafire.com/m4lkducj1dgg/21eqbfydl6nyx1g/Prueba+de_transferenci%23.7z
US
compressed
247 Kb
malicious
2748
firefox.exe
GET
200
205.196.120.116:80
http://download668.mediafire.com/g8gxu7g7tq3g/21eqbfydl6nyx1g/Prueba+de_transferenci%23.7z
US
compressed
247 Kb
unknown
2748
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2748
firefox.exe
POST
200
172.217.18.3:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
2652
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2748
firefox.exe
GET
200
2.16.186.50:80
http://detectportal.firefox.com/success.txt
unknown
text
8 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3568
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2652
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3020
iexplore.exe
104.19.195.29:80
www.mediafire.com
Cloudflare Inc
US
shared
3020
iexplore.exe
205.196.123.183:80
download1495.mediafire.com
MediaFire, LLC
US
suspicious
2748
firefox.exe
2.16.186.50:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
2748
firefox.exe
34.211.94.5:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
2748
firefox.exe
216.58.207.42:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2748
firefox.exe
13.35.253.117:443
firefox.settings.services.mozilla.com
US
suspicious
2748
firefox.exe
104.19.195.29:80
www.mediafire.com
Cloudflare Inc
US
shared
2748
firefox.exe
205.196.120.116:80
download668.mediafire.com
MediaFire, LLC
US
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
www.mediafire.com
  • 104.19.195.29
  • 104.19.194.29
shared
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
download1495.mediafire.com
  • 205.196.123.183
malicious
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
whitelisted
search.services.mozilla.com
  • 34.211.94.5
  • 52.43.169.220
  • 52.88.112.58
whitelisted
search.r53-2.services.mozilla.com
  • 52.88.112.58
  • 52.43.169.220
  • 34.211.94.5
whitelisted
push.services.mozilla.com
  • 34.210.237.184
whitelisted
autopush.prod.mozaws.net
  • 34.210.237.184
whitelisted

Threats

PID
Process
Class
Message
1064
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Re Prueba de_transferenci#.msg