analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

RE Nasdaq IR Intelligence team visiting Saudi Arabia.msg

Full analysis: https://app.any.run/tasks/9c636ba9-1794-47bd-a92f-9da4691acfc1
Verdict: Malicious activity
Analysis date: March 30, 2020, 19:27:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
covid19
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

593764E2563DEC4479D40B5912CCBB55

SHA1:

2A4AA6EF576B464140C077220F94F3E1801E28C8

SHA256:

10425195221F4CA35C6C26968BBA2088137AB29E604A9EAB56954ECBA557075C

SSDEEP:

24576:90VqVT0oZQppQA+xSCPZZsoIP6lecfMQB7K5gmcZRmevgvyclFfx:Yq5tZUQ0lXClec0rgHrmevp0Ff

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 1852)

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1852)

    • Changes IE settings (feature browser emulation)

      • AcroRd32.exe (PID: 3340)

  • INFO

    • Drops Coronavirus (possible) decoy

      • OUTLOOK.EXE (PID: 1852)
      • OUTLOOK.EXE (PID: 2664)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 1852)
      • OUTLOOK.EXE (PID: 2664)

    • Reads the hosts file

      • RdrCEF.exe (PID: 2676)
      • RdrCEF.exe (PID: 2244)
      • RdrCEF.exe (PID: 2952)

    • Application launched itself

      • RdrCEF.exe (PID: 2676)
      • RdrCEF.exe (PID: 2244)
      • RdrCEF.exe (PID: 2952)

    • Manual execution by user

      • OUTLOOK.EXE (PID: 2664)
      • AcroRd32.exe (PID: 4064)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1852)
      • OUTLOOK.EXE (PID: 2664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (50.8)
.oft | Outlook Form Template (29.7)
.doc | Microsoft Word document (old ver.) (13.6)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
18
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe acrord32.exe no specs acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs acrord32.exe no specs acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs notepad.exe no specs outlook.exe acrord32.exe no specs acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1852"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\RE Nasdaq IR Intelligence team visiting Saudi Arabia.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
3340"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\5XYW0EI8\IR Intelligence - COVID-19 Buy-Side Pulse on Investor Issue Engagement.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeOUTLOOK.EXE
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
3188"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\5XYW0EI8\IR Intelligence - COVID-19 Buy-Side Pulse on Investor Issue Engagement.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
2676"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Exit code:
3221225547
Version:
15.23.20053.211670
3468"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2676.0.1256808269\611098601" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
2192"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2676.1.1639335682\332173678" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
2336"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\5XYW0EI8\Coronavirus market sell-off report - 19 03 20.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeOUTLOOK.EXE
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
3252"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\5XYW0EI8\Coronavirus market sell-off report - 19 03 20.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
2244"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
3040"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2244.0.316440497\2087281907" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
Total events
4 182
Read events
2 857
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
19
Text files
52
Unknown types
19

Dropped files

PID
Process
Filename
Type
1852OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR7046.tmp.cvr
MD5:
SHA256:
1852OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\5XYW0EI8\IR Intelligence - COVID-19 Buy-Side Pulse on Investor Issue Engagement (2).pdf\:Zone.Identifier:$DATA
MD5:
SHA256:
3188AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
MD5:
SHA256:
3188AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.3188
MD5:
SHA256:
3188AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.3188
MD5:
SHA256:
1852OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:4C60C9F654883DE05E29A4BF7CCD931C
SHA256:E35C089A432C9122205EEE0CD1C13558A16DF6A941F41B89E1133338E07250DB
1852OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:97E40CB4DDC6603E52C19A3A46033AE0
SHA256:45D1A4160B2634D2E77A23DC5F73729F74FAE8B1357DD8277687F42B17698C5C
3340AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lstps
MD5:76C993D6E29FBE12DA4525151364653B
SHA256:F1CBECC2D9952366CE231E4B651EC8354C17288AEB1908B4A01B6E5A29F6270E
1852OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\5XYW0EI8\IR Intelligence - COVID-19 Buy-Side Pulse on Investor Issue Engagement.pdfpdf
MD5:8E2BF0B955DA99860AEB6B2D21264B07
SHA256:14D3CC3722C82FDF0F4DB9AB4A1F07CA452C9FDA477621005E09B06C0BA9E9DB
3340AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lstps
MD5:3A9453CC2C495F23ECDB3E5D39795FE8
SHA256:ECFDAA4E922FF49CAC2A8A970DBFEAFA59382297680ED167B436186810BFC82A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2664
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
1852
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1852
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2664
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
RE Nasdaq IR Intelligence team visiting Saudi Arabia.msg