File name:

message (1).eml

Full analysis: https://app.any.run/tasks/c765c26c-2013-489a-9f55-173f775af357
Verdict: Malicious activity
Analysis date: June 27, 2022, 10:58:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

DB324C7684BF97942B9D5C3FCF0A9C3B

SHA1:

18DDD579320CB8FBA2E9F880ED9CAA240E476308

SHA256:

10148F2C0EF78F589D0A753C5218EAB04B6BE9BBA280988A68AAFCF0C693E6F7

SSDEEP:

3072:PMLOM6JE4Ml7CSPr6NHHv2OG3qwLmXhYI/8eY1fm:PMCCD6FU3qwshV/J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the computer name

      • OUTLOOK.EXE (PID: 1332)

    • Checks supported languages

      • OUTLOOK.EXE (PID: 1332)

    • Searches for installed software

      • OUTLOOK.EXE (PID: 1332)

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2896)

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 1332)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1332)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2784)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2784)
      • iexplore.exe (PID: 2896)

    • Creates files in the user directory

      • iexplore.exe (PID: 2896)
      • iexplore.exe (PID: 2784)

    • Checks supported languages

      • iexplore.exe (PID: 2784)
      • iexplore.exe (PID: 2896)

    • Reads the computer name

      • iexplore.exe (PID: 2784)
      • iexplore.exe (PID: 2896)

    • Changes internet zones settings

      • iexplore.exe (PID: 2784)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2896)
      • iexplore.exe (PID: 2784)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2896)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1332"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\message (1).eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\rpcrt4.dll
2784"C:\Program Files\Internet Explorer\iexplore.exe" https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fzach-lin-994600153%2F&data=05%7C01%7Cvaishali.gangoli%40tollgroup.com%7Cdf28a31339bf42912b8d08da5439a588%7C0f004b2efb0745e7a568caf4905b0339%7C0%7C0%7C637914903819834356%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UwcixRm6Eo0SKBWd0L3IlWRuxTv9CSxFza1LXzhIP38%3D&reserved=0C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2896"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2784 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
Total events
19 936
Read events
19 243
Write events
673
Delete events
20

Modification events

(PID) Process:(1332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(1332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(1332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(1332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(1332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(1332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(1332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(1332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(1332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(1332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
Off
Executable files
0
Suspicious files
6
Text files
29
Unknown types
3

Dropped files

PID
Process
Filename
Type
1332OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR4A49.tmp.cvr
MD5:
SHA256:
1332OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
1332OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:
SHA256:
1332OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:
SHA256:
1332OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FAB8E553.datimage
MD5:
SHA256:
2896iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:
SHA256:
1332OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_1890D0119A34834C94A1864BC9739D94.datxml
MD5:807EF0FC900FEB3DA82927990083D6E7
SHA256:4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913
1332OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_C33B698DB498FE4BA02BD23BF1E3BDCA.datxml
MD5:D8B37ED0410FB241C283F72B76987F18
SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
1332OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_616B4BD7995F854E8103CD31334B9706.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
2784iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
35
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2896
iexplore.exe
GET
200
92.123.195.57:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?efc0de40b35727df
unknown
compressed
4.70 Kb
whitelisted
2896
iexplore.exe
GET
200
93.184.220.29:80
http://crl4.digicert.com/DigiCertGlobalRootCA.crl
US
der
631 b
whitelisted
2784
iexplore.exe
GET
200
92.123.195.57:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c202ad4669163871
unknown
compressed
4.70 Kb
whitelisted
2896
iexplore.exe
GET
200
92.123.195.41:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?60d83ac592dac562
unknown
compressed
4.70 Kb
whitelisted
2784
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
2784
iexplore.exe
GET
200
92.123.195.57:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e0d8cca8683757bc
unknown
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2784
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2784
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2896
iexplore.exe
152.199.21.118:443
static-exp1.licdn.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
suspicious
1332
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2896
iexplore.exe
104.47.71.156:443
aus01.safelinks.protection.outlook.com
Microsoft Corporation
US
unknown
2784
iexplore.exe
13.107.22.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2896
iexplore.exe
92.123.195.57:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
2784
iexplore.exe
92.123.195.57:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
2896
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2896
iexplore.exe
92.123.195.41:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
aus01.safelinks.protection.outlook.com
  • 104.47.71.156
  • 104.47.71.220
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.22.200
  • 131.253.33.200
whitelisted
ctldl.windowsupdate.com
  • 92.123.195.57
  • 92.123.195.41
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted
www.linkedin.com
  • 13.107.43.14
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
message (1).eml