File name: malicous_email.msg
Full analysis: https://app.any.run/tasks/3d687e2a-d1ae-4349-af06-29af78bc99a4
Verdict: Malicious activity
Analysis date: January 24, 2022, 18:22:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 73AFA476920CE270F3A884C3924783E6
SHA1: CE5658C6D409EEBF27743EF69FE5970F1D2A5F91
SHA256: 1412D2E328C8D9A01D47EBDDD2E98257DB59E3817FDC7BF238AAAD017A658E2E
SSDEEP: 6144:cLc4kvX5sBoQGoNQJTVErdgwSJh0mn4QuOd8MVzEcfacTObj:cWoiJBs/SwpQF1Qcffs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 1704)
  • SUSPICIOUS
    • Uses RUNDLL32.EXE to load library
      • OUTLOOK.EXE (PID: 1704)
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 1704)
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 1000)
  • INFO
    • Checks supported languages
      • OUTLOOK.EXE (PID: 1704)
      • rundll32.exe (PID: 3976)
      • iexplore.exe (PID: 2220)
      • iexplore.exe (PID: 1000)
    • Reads the computer name
      • OUTLOOK.EXE (PID: 1704)
      • iexplore.exe (PID: 2220)
      • iexplore.exe (PID: 1000)
    • Searches for installed software
      • OUTLOOK.EXE (PID: 1704)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 1704)
      • iexplore.exe (PID: 1000)
    • Changes internet zones settings
      • iexplore.exe (PID: 2220)
    • Application launched itself
      • iexplore.exe (PID: 2220)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1000)
      • iexplore.exe (PID: 2220)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 1000)
      • iexplore.exe (PID: 2220)
    • Reads internet explorer settings
      • iexplore.exe (PID: 1000)
    • Dropped object may contain Bitcoin addresses
      • iexplore.exe (PID: 2220)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 1704)
No Malware configuration.

TRiD:
  • .msg | Outlook Message (58.9)
  • .oft | Outlook Form Template (34.4)
No data.
Total processes: 41
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes shown: start, outlook.exe, rundll32.exe (no specs), iexplore.exe, iexplore.exe

Process information

PID 1704: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\malicous_email.msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Outlook
  Version: 14.0.6025.1000

PID 3976: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J9XXVPLB\message_v2.rpmsg
  Path: C:\Windows\system32\rundll32.exe
  Parent process: OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2220: "C:\Program Files\Internet Explorer\iexplore.exe" https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cVI1PR0402MB284748D4BD5B6375756BBCA2E75A9%40VI1PR0402MB2847.eurprd04.prod.outlook.com%3e
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 1000: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2220 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 17 605
Read events: 16 921
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 8
Text files: 40
Unknown types: 9

Dropped files

PID 1704 (OUTLOOK.EXE): C:\Users\admin\AppData\Local\Temp\CVRE6BA.tmp.cvr
  MD5:
  SHA256:

PID 1704 (OUTLOOK.EXE): C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
  MD5:
  SHA256:

PID 1000 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_1941775A515122A167E3FBACF08992E1
  Type: binary
  MD5: 01F02CAF4AE5AEDA2630BA49FCD0FF16
  SHA256: 89826C7B2BE9292752CB0AAD43B760C767DC8FAD55ED71A2FB57F83820094AF6

PID 1704 (OUTLOOK.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
  Type: pgc
  MD5: BB2500835907EF5FF5A98B9E80834520
  SHA256: 1C16CDC759E62AE73FDEDB61635D46B888270338523A65335BA265B85B17C4F6

PID 1704 (OUTLOOK.EXE): C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
  Type: text
  MD5: E893C4604D91DC332A912A1D46A600CC
  SHA256: 11563AB2B3D5192EE7A63D22B6E1D33C72DCF7751EBA55DF15E99B68F46D0C3E

PID 1704 (OUTLOOK.EXE): C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_DFAD1754B8544E49AC640544C6D1A926.dat
  Type: xml
  MD5: EEAA832C12F20DE6AAAA9C7B77626E72
  SHA256: C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16

PID 1000 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Type: binary
  MD5: 39A53BA63266042D4121FBBD18A2FEA7
  SHA256: 02EA814E1957A14F1F3ECBB7B1DD17E9AF491E29F6B28EE77BC4855E1ABEF2DC

PID 1704 (OUTLOOK.EXE): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J9XXVPLB\message_v2 (2).rpmsg
  Type: rpmsg
  MD5: 002886FB8293716BBA3022873C51BE1E
  SHA256: CCB9CE180602DEAC1FAD538ABA0C527A1A6B02985F5CEAC8FB286AC51EEF552F

PID 1704 (OUTLOOK.EXE): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\J9XXVPLB\message_v2.rpmsg
  Type: rpmsg
  MD5: 002886FB8293716BBA3022873C51BE1E
  SHA256: CCB9CE180602DEAC1FAD538ABA0C527A1A6B02985F5CEAC8FB286AC51EEF552F

PID 1000 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_1941775A515122A167E3FBACF08992E1
  Type: der
  MD5: E801D1A2D51ABEC12AA55BC30483F34D
  SHA256: D7B952A955D4089706D9D5E3A8036B950F8B9D52B24A20100016B359EA06A27E
HTTP(S) requests: 6
TCP/UDP connections: 25
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1000 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
1000 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
 |  | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.68 Kb | whitelisted
1000 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA8XGkjG8iOAkhjNLtbdwOg%3D | US | der | 471 b | whitelisted
1000 | iexplore.exe | GET | 200 | 104.18.25.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSjA8CoiHvUecQnjrXXWH08EsBNpAQU%2Fy9%2F4Qb0OPMt7SWNmML%2BDvZs%2FPoCE38AIDfLvRE4agVL6JIAAAAgN8s%3D | US | der | 1.70 Kb | whitelisted
1000 | iexplore.exe | GET | 200 | 23.32.238.201:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?abf27f95aec7368b | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1704 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
1000 | iexplore.exe | 52.97.137.82:443 | outlook.office365.com | Microsoft Corporation | US | unknown
1000 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1000 | iexplore.exe | 23.32.238.201:80 | ctldl.windowsupdate.com | XO Communications | US | suspicious
2220 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2220 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
1000 | iexplore.exe | 20.190.159.132:443 | login.microsoftonline.com | Microsoft Corporation | US | suspicious
2220 | iexplore.exe | 152.199.23.37:443 | aadcdn.msftauth.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious
1000 | iexplore.exe | 152.199.23.37:443 | aadcdn.msftauth.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious
 |  | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared
outlook.office365.com | 52.97.137.82, 52.97.137.146, 52.98.208.50, 52.97.151.66 | whitelisted
ctldl.windowsupdate.com | 23.32.238.201, 23.32.238.178 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 131.253.33.200, 13.107.22.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
login.microsoftonline.com | 20.190.159.132, 40.126.31.137, 40.126.31.6, 40.126.31.1, 40.126.31.143, 20.190.159.136, 40.126.31.8, 20.190.159.134 | whitelisted
aadcdn.msftauth.net | 152.199.23.37 | whitelisted
login.live.com | 40.126.31.8, 40.126.31.4, 40.126.31.1, 40.126.31.139, 40.126.31.135, 20.190.159.138, 20.190.159.134, 20.190.159.132 | whitelisted

Threats

No threats detected
No debug info