analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

phish_alert_sp2_2.0.0.0.eml

Full analysis: https://app.any.run/tasks/4f16712e-7edf-4eb9-a965-f3ca37acbe12
Verdict: Malicious activity
Analysis date: September 30, 2020, 09:58:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

29E6C98EDE89CE2EAE67226B1E40E852

SHA1:

FBB160090F36D344142E870FB632A4A7629A00CD

SHA256:

17DB4BE7DBDAB21E7E91E4DFF8A82DC37E85CAADBC8373ED3259E49078C744C4

SSDEEP:

192:rf4/oVOVxsQlOfZzrpXRhsi/LcEf8l3lyEapxyDFcyrSyS1yOOOOOOOOOKvOaRz:r4/2+wPzsijmjaxIZSuJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2696)

    • Reads internet explorer settings

      • prevhost.exe (PID: 944)

    • Executed via COM

      • prevhost.exe (PID: 944)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2696)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2696)

  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1960)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1960)
      • iexplore.exe (PID: 1896)

    • Changes internet zones settings

      • iexplore.exe (PID: 1896)

    • Application launched itself

      • iexplore.exe (PID: 1896)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1960)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start outlook.exe prevhost.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2696"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
944C:\Windows\system32\prevhost.exe {F8B8412B-DEA3-4130-B36C-5E8BE73106AC} -EmbeddingC:\Windows\system32\prevhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Preview Handler Surrogate Host
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1896"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZI8LKVAJ\Untitled attachment 00002.htmC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1960"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1896 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
2 338
Read events
1 713
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
15
Text files
35
Unknown types
12

Dropped files

PID
Process
Filename
Type
2696OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR75C7.tmp.cvr
MD5:
SHA256:
2696OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZI8LKVAJ\Untitled attachment 00002 (2).htm\:Zone.Identifier:$DATA
MD5:
SHA256:
2696OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:1BFC690AD72BB54098A404E3CB9A3625
SHA256:B7B60E4F2D6690CCA16718B9BE38248C31044A44D2501E6AD54F649C012E2CD4
2696OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:DE96D5BC07E5F83DEC3419FEB0AF5299
SHA256:2C1AE9F807B08663FF25E52FC48A6929DFAEC6285C07E83E4394C33160C9B286
1960iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\LQYVYAD4.htmhtml
MD5:71C280988FD3ED776BF96B4AAF1220EB
SHA256:CA9134D0C03434CE56C14B022B8CBC795839245EEA98C3416BA6549A97FB9A22
1960iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288Bder
MD5:1C400D233070530C717A810D7F9BC99E
SHA256:58B407B0DDF17FBF78FCB2E2DAD4FABAADA9BD88641F19941480951A200AE4E0
2696OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZI8LKVAJ\Untitled attachment 00002 (2).htmhtml
MD5:71849EB39AF98ED43DA0E7BC364A9483
SHA256:E5680FE71091EB973AB1AF50C4807D96826A2E7C799E0E4A15214E760E272E9B
2696OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZI8LKVAJ\Untitled attachment 00002.htmhtml
MD5:71849EB39AF98ED43DA0E7BC364A9483
SHA256:E5680FE71091EB973AB1AF50C4807D96826A2E7C799E0E4A15214E760E272E9B
944prevhost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\wbkD637.tmphtml
MD5:71849EB39AF98ED43DA0E7BC364A9483
SHA256:E5680FE71091EB973AB1AF50C4807D96826A2E7C799E0E4A15214E760E272E9B
1960iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288Bbinary
MD5:B4BB3B0A8F626DE77B627BCD7B191A23
SHA256:78C174B799E77387163555B9F86A5307E7E7D33BEF6B326EE379D628007938B8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
16
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2696
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
1960
iexplore.exe
GET
301
102.130.115.49:80
http://redirects.sendgrid11092.cloud/?alt=media&token=91dc9f62-ce50-48b8-9084-ae0b5cd949da
unknown
html
351 b
suspicious
1960
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
1960
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
1960
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDqXuNQ97mPtAIAAAAAektt
US
der
472 b
whitelisted
1960
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D
US
der
471 b
whitelisted
1960
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY
US
der
728 b
whitelisted
1960
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDqXuNQ97mPtAIAAAAAektt
US
der
472 b
whitelisted
1960
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDM8p7YwCDvUCAAAAABXoPk%3D
US
der
471 b
whitelisted
1960
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDM8p7YwCDvUCAAAAABXoPk%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1960
iexplore.exe
142.250.74.195:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2696
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
1960
iexplore.exe
172.217.22.42:443
firebasestorage.googleapis.com
Google Inc.
US
whitelisted
172.217.22.42:443
firebasestorage.googleapis.com
Google Inc.
US
whitelisted
151.139.128.14:80
ocsp.comodoca.com
Highwinds Network Group, Inc.
US
suspicious
1960
iexplore.exe
172.217.16.170:443
fonts.googleapis.com
Google Inc.
US
whitelisted
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
172.217.23.163:443
fonts.gstatic.com
Google Inc.
US
whitelisted
1960
iexplore.exe
102.130.115.49:443
redirects.sendgrid11092.cloud
suspicious
1960
iexplore.exe
102.130.115.49:80
redirects.sendgrid11092.cloud
suspicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
redirects.sendgrid11092.cloud
  • 102.130.115.49
suspicious
firebasestorage.googleapis.com
  • 172.217.22.42
whitelisted
ocsp.pki.goog
  • 142.250.74.195
whitelisted
fonts.googleapis.com
  • 172.217.16.170
whitelisted
read110298.buzz
  • 102.130.115.49
suspicious
fonts.gstatic.com
  • 172.217.23.163
whitelisted
ocsp.comodoca.com
  • 151.139.128.14
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
api.bing.com
  • 13.107.13.80
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
1960
iexplore.exe
Potentially Bad Traffic
ET INFO HTTP Request to Suspicious *.cloud Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
phish_alert_sp2_2.0.0.0.eml