analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

#UPDATE.msg

Full analysis: https://app.any.run/tasks/eff03321-2278-49c3-b8d2-1e570619926a
Verdict: Malicious activity
Analysis date: January 14, 2022, 21:45:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

CCAC87FC385B89A56B310ACE320DACCF

SHA1:

9961C6EEA2D9FA55A0D6902B51AA929BAA9D79D3

SHA256:

1B01746827388EB3041AF1AABC722E97C235A6169378EDAAB7D08293E0AAACAC

SSDEEP:

6144:2vU1SBaPhuj05ICtIDUV+QZUd52mXQDRd6R:PPhujrCiIhUfQNd6R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2232)

  • SUSPICIOUS

    • Executed via COM

      • prevhost.exe (PID: 2072)

  • INFO

    • Reads the computer name

      • OUTLOOK.EXE (PID: 2232)
      • prevhost.exe (PID: 2072)
      • AcroRd32.exe (PID: 908)
      • AcroRd32.exe (PID: 1148)
      • AcroRd32.exe (PID: 748)
      • RdrCEF.exe (PID: 3748)
      • AcroRd32.exe (PID: 3664)

    • Checks supported languages

      • AcroRd32.exe (PID: 908)
      • prevhost.exe (PID: 2072)
      • OUTLOOK.EXE (PID: 2232)
      • AcroRd32.exe (PID: 1148)
      • AcroRd32.exe (PID: 748)
      • AcroRd32.exe (PID: 3664)
      • RdrCEF.exe (PID: 3748)
      • RdrCEF.exe (PID: 2388)
      • RdrCEF.exe (PID: 3784)
      • RdrCEF.exe (PID: 3112)
      • RdrCEF.exe (PID: 3864)
      • RdrCEF.exe (PID: 2504)
      • RdrCEF.exe (PID: 3024)
      • RdrCEF.exe (PID: 468)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2232)

    • Searches for installed software

      • OUTLOOK.EXE (PID: 2232)
      • AcroRd32.exe (PID: 908)
      • AcroRd32.exe (PID: 1148)
      • AcroRd32.exe (PID: 748)
      • AcroRd32.exe (PID: 3664)

    • Application launched itself

      • AcroRd32.exe (PID: 908)
      • AcroRd32.exe (PID: 748)
      • RdrCEF.exe (PID: 3748)

    • Reads CPU info

      • AcroRd32.exe (PID: 1148)
      • AcroRd32.exe (PID: 3664)

    • Reads the hosts file

      • RdrCEF.exe (PID: 3748)

    • Reads Microsoft Office registry keys

      • AcroRd32.exe (PID: 3664)
      • OUTLOOK.EXE (PID: 2232)

    • Reads settings of System Certificates

      • AcroRd32.exe (PID: 748)
      • RdrCEF.exe (PID: 3748)

    • Checks Windows Trust Settings

      • AcroRd32.exe (PID: 748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
14
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe prevhost.exe no specs acrord32.exe no specs acrord32.exe no specs acrord32.exe acrord32.exe no specs rdrcef.exe rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2232"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\#UPDATE.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2072C:\Windows\system32\prevhost.exe {DC6EFB56-9CFA-464D-8880-44885D7DC193} -EmbeddingC:\Windows\system32\prevhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Preview Handler Surrogate Host
Version:
6.1.7601.17562 (win7sp1_gdr.110217-1504)
908"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /b /id 2072_247777937 /if pdfshell_prevcdc9bfea-e66b-4878-98c7-851a7609e2bbC:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeprevhost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
1148"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /b /id 2072_247777937 /if pdfshell_prevcdc9bfea-e66b-4878-98c7-851a7609e2bbC:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
748"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\627J4CTB\KlA-2OS-K9P.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
OUTLOOK.EXE
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
3664"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\627J4CTB\KlA-2OS-K9P.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
3748"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
20.13.20064.405839
2504"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1184,6985375345383896744,15091629170285998387,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17395228790034680474 --renderer-client-id=2 --mojo-platform-channel-handle=1192 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
20.13.20064.405839
2388"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1184,6985375345383896744,15091629170285998387,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=11638508861357280397 --mojo-platform-channel-handle=1220 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
3864"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1184,6985375345383896744,15091629170285998387,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=9402537960284619867 --mojo-platform-channel-handle=1388 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
Total events
15 925
Read events
15 242
Write events
661
Delete events
22

Modification events

(PID) Process:(2232) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2232) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2232) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2232) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2232) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2232) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2232) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2232) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2232) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(2232) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
Off
Executable files
0
Suspicious files
125
Text files
16
Unknown types
4

Dropped files

PID
Process
Filename
Type
2232OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR2DE2.tmp.cvr
MD5:
SHA256:
2232OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
2232OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:A9E01356FC65B8C0D83339F19EA88F52
SHA256:A5FD929D661BBEAC917C68E46D00AC711D65690EBF2B31DDDB26F213C1C149AA
2232OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:0647C3827970ADBBD28DFE63D3BF45EE
SHA256:97460CC465F1D59AEEA5FBE8DF93EB7CCA8F81E2AEF2AC8670F691F619C1A589
2232OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\627J4CTB\KlA-2OS-K9P (2).pdfpdf
MD5:E8CAA3EC20C24B23825ABA682143A205
SHA256:3351EFF4B49AE061253413F6D248900CA88956AEDC23180A0A8F19B4ADF52B51
3748RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0binary
MD5:231914CED0763F752140A9BF730EC2BF
SHA256:2AFE4D1D59B77C8B0FA2369D7F82AC1B2996D96D365D39C398BC5FFB3936DBF6
3748RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0binary
MD5:D0C9A97B833047BF2DBD4C1D265E2834
SHA256:27FB3668E7FC2EB283337A5BAF71A7D3520366CD95A5289541C6966232953961
3748RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0binary
MD5:18C22E3FEB67D24FBB9F14DF953B7F39
SHA256:1A5F123AE4DEE2B80D5F0E58286A420E641C32C960690289F45B658FC807A7CD
2232OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\627J4CTB\KlA-2OS-K9P.pdfpdf
MD5:E8CAA3EC20C24B23825ABA682143A205
SHA256:3351EFF4B49AE061253413F6D248900CA88956AEDC23180A0A8F19B4ADF52B51
3748RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0binary
MD5:F36DE981C58D8B8C85724A64F64F6136
SHA256:487B0C57327300CDF194CFE26A36D9800600338F9B358FA58F4607A4D3BA1ABD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2232
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
748
AcroRd32.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
748
AcroRd32.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c2f81670bc4bd6c0
US
compressed
4.70 Kb
whitelisted
748
AcroRd32.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c7626950d1d9c8aa
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
748
AcroRd32.exe
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3748
RdrCEF.exe
52.6.155.20:443
p13n.adobe.io
Amazon.com, Inc.
US
unknown
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
748
AcroRd32.exe
104.109.143.11:443
acroipm2.adobe.com
Akamai Technologies, Inc.
US
suspicious
3748
RdrCEF.exe
104.85.0.137:443
armmf.adobe.com
Time Warner Cable Internet LLC
US
suspicious
2232
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3748
RdrCEF.exe
104.80.224.135:443
geo2.adobe.com
Akamai International B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
geo2.adobe.com
  • 104.80.224.135
whitelisted
p13n.adobe.io
  • 52.6.155.20
whitelisted
armmf.adobe.com
  • 104.85.0.137
whitelisted
acroipm2.adobe.com
  • 104.109.143.11
whitelisted
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
#UPDATE.msg