analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | PINEDA Juan Camilo has sent you a message via Zoom Message Portal.msg |
| Full analysis: | https://app.any.run/tasks/ef052e61-3104-4e01-8921-290ef48860ac |
| Verdict: | Malicious activity |
| Analysis date: | December 05, 2022, 20:20:19 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/vnd.ms-outlook |
| File info: | CDFV2 Microsoft Outlook Message |
| MD5: | 26860DC6B83F7A7D437A5323F497534C |
| SHA1: | 273D74965797838DCB1BE1058B3C9AC123D53505 |
| SHA256: | 131A53B724870F1D46E8C6819B539A4A26BC650A86FB27EF337B11180C4790DD |
| SSDEEP: | 1536:RGiPFkuK7sYc0IPEdHvsKhgmuK+WhWpWUPMafnOBeo08+I1szfq/1:RPiuKJfIPsH/imuK0PMafnWebdI1sO |
MALICIOUS
No malicious indicators.SUSPICIOUS
No suspicious indicators.INFO
Application launched itself
- iexplore.exe (PID: 1972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msg | | | Outlook Message (58.9) |
|---|---|---|
| .oft | | | Outlook Form Template (34.4) |
Total processes
39
Monitored processes
3
Malicious processes
0
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 856 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\PINEDA Juan Camilo has sent you a message via Zoom Message Portal.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
| 1972 | "C:\Program Files\Internet Explorer\iexplore.exe" https://en-eu.secureconnection.moneytransaction.kb4.io/XUTA1V1ZXeHpNV1pHZGxNdk1ITk1NekpVVXpoWUwxSkNVbUlyUTNCVWFUSlRURloxYzJSUE4ycFNNVUZyVTFWaE16UnhkVXRVZFVkSlREWnRlazFHTUVKd1IyaEpUVEZQUzBoaFNYQjVRM0JzTWpSQlJWQmxWR3hVVFcxemRFVnJTWGR1WmpCaVFsRjJNSEJXYVVaak1GSkNRbms1WWxCaGEwVTVSSEUxZEZwWlprRmhSR041ZG5aMWNFWkdjazAwV210WllrcE5VVGxPVkVGNVpVZ3liazltVjBsSE5uZFZaREJOUFMwdFNHRkRUVGhpWlZSU2JscGpkRU4zUlVjM05FcDFVVDA5LS1mYjkzMzM2MzBjYjYxMjVkNzI1NmQyNTM3YTdlMzY0NmMyMWI1NTA1?cid=142216677 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 2688 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1972 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
Total events
23 729
Read events
23 004
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
19
Text files
34
Unknown types
18
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 856 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRFA0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 856 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
| 856 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:EE8073C844B170926383D375713EB104 | SHA256:DC110E72B24CC1A966F8788191C3D64222E1EB35F320BE0B725F28830E291E78 | |||
| 856 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:AA23B10BB5CF5380ED3662EC30B00879 | SHA256:E3C07A8F7C611CD1739B7E624B4330D9D898F0DDCA43E13FE054C720A2FA01C0 | |||
| 856 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary | |
MD5:2D65A5C3ABE5D337902EC13332C97FA2 | SHA256:A08D69EBD4912F427D3073E5ABF74F324E992DF96F2DE173C2B0C6D802402112 | |||
| 856 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | binary | |
MD5:2FFA1755EE39C5CF4E6A1F3631F97781 | SHA256:D7D3CA259B64CAE5833A60A0B343A88FA353CDF5613CF571D72B94CFEC854D9E | |||
| 856 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:D0D95F61AF1ED74C389CA95A73404A21 | SHA256:011A2EF5C4C0E3F8841030BD329695891AC34028B98AAECE7CB840BCC8228DC4 | |||
| 856 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary | |
MD5:656785110B81C03827DB4E2237BE0975 | SHA256:80CD2BA5C24E4FFF0693D328D49F0A4C926AC20F63E091CE7C7DA4BF6F93E9B4 | |||
| 856 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6DC41020-8B22-4553-BC85-2BA4C46EF07D}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:4C61C12EDBC453D7AE184976E95258E1 | SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F | |||
| 856 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_69F314190EC06F4184D7E93708118DD5.dat | xml | |
MD5:F194B1FA12F9B6F46A47391FAE8BEEC2 | SHA256:FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
43
DNS requests
24
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
856 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
856 | OUTLOOK.EXE | GET | 200 | 192.124.249.24:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted |
856 | OUTLOOK.EXE | GET | 200 | 13.225.84.68:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
2688 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
856 | OUTLOOK.EXE | GET | 200 | 13.225.84.49:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
1972 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
856 | OUTLOOK.EXE | GET | 200 | 13.225.84.145:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
2688 | iexplore.exe | GET | 200 | 13.225.84.104:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEARvjI07tlNggB%2FjBJupetY%3D | US | der | 471 b | whitelisted |
2688 | iexplore.exe | GET | 200 | 13.225.84.104:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAQV72KtapPgP6bJk%2FZI%2FPk%3D | US | der | 471 b | whitelisted |
2688 | iexplore.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
856 | OUTLOOK.EXE | 52.214.123.172:443 | en-eu.secureconnection.moneytransaction.kb4.io | AMAZON-02 | IE | unknown |
856 | OUTLOOK.EXE | 138.92.8.27:443 | blogs.canisius.edu | CANISIUS-COLLEGE | US | unknown |
856 | OUTLOOK.EXE | 13.225.84.49:80 | ocsp.rootg2.amazontrust.com | AMAZON-02 | US | whitelisted |
856 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
856 | OUTLOOK.EXE | 192.124.249.24:80 | ocsp.godaddy.com | SUCURI-SEC | US | suspicious |
856 | OUTLOOK.EXE | 95.140.236.0:80 | ctldl.windowsupdate.com | LLNW | US | whitelisted |
856 | OUTLOOK.EXE | 13.225.84.68:80 | o.ss2.us | AMAZON-02 | US | unknown |
2688 | iexplore.exe | 13.225.84.104:80 | ocsp.sca1b.amazontrust.com | AMAZON-02 | US | whitelisted |
2688 | iexplore.exe | 3.248.132.51:443 | en-eu.secureconnection.moneytransaction.kb4.io | AMAZON-02 | IE | unknown |
856 | OUTLOOK.EXE | 13.225.84.145:80 | ocsp.rootg2.amazontrust.com | AMAZON-02 | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
en-eu.secureconnection.moneytransaction.kb4.io |
| malicious |
blogs.canisius.edu |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
config.messenger.msn.com |
| whitelisted |
ocsp.godaddy.com |
| whitelisted |
o.ss2.us |
| whitelisted |
ocsp.rootg2.amazontrust.com |
| whitelisted |
ocsp.rootca1.amazontrust.com |
| shared |
ocsp.sca1b.amazontrust.com |
| whitelisted |
eu-secured.com |
| suspicious |