File name: INV-12920 past due FOR SHIPMENT.msg
Full analysis: https://app.any.run/tasks/b7edad44-9bb6-4d64-bc2e-98b1cb080586
Verdict: Malicious activity
Analysis date: October 19, 2020, 20:07:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: D647724104948AD49DA85922C086937D
SHA1: B4B45AF26CE39BEF0DAAE9EB1D395C452116FF2E
SHA256: 1F281B38379407D47E1DAC239A79001C597574C92CF5CBBCD84B0605D2FFB335
SSDEEP: 3072:Mf1YcxvriqhLk2rYIejImytYocLkxxR3UiOxAunGsOs8Wi8zgnP5OyckBYvv:oxv59cIC+zmqPOxJnNHJ8nBcs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2728)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 2728)
  • INFO
    • Reads settings of System Certificates
      • chrome.exe (PID: 3876)
      • iexplore.exe (PID: 4076)
      • iexplore.exe (PID: 1204)
      • iexplore.exe (PID: 2268)
      • iexplore.exe (PID: 1748)
    • Reads the hosts file
      • chrome.exe (PID: 1516)
      • chrome.exe (PID: 3876)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 4076)
      • iexplore.exe (PID: 1204)
      • iexplore.exe (PID: 2268)
      • iexplore.exe (PID: 1748)
    • Manual execution by user
      • chrome.exe (PID: 1516)
      • wmplayer.exe (PID: 2836)
    • Changes internet zones settings
      • iexplore.exe (PID: 1204)
    • Reads internet explorer settings
      • OUTLOOK.EXE (PID: 2728)
      • iexplore.exe (PID: 4076)
      • iexplore.exe (PID: 2268)
      • iexplore.exe (PID: 1748)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2728)
      • iexplore.exe (PID: 1204)
    • Application launched itself
      • iexplore.exe (PID: 1204)
      • chrome.exe (PID: 1516)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2728)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 1204)
    • Changes settings of System certificates
      • iexplore.exe (PID: 1204)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 65
Monitored processes: 25
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive graph, available in the full report. Nodes: start, outlook.exe, iexplore.exe (4), chrome.exe (18, of which 16 are marked "no specs"), wmplayer.exe (no specs), setup_wm.exe (no specs).)

Process information

PID 2728 | Parent process: explorer.exe
  CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\INV-12920 past due FOR SHIPMENT.msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Outlook | Version: 14.0.6025.1000

PID 1204 | Parent process: OUTLOOK.EXE
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://secure-web.cisco.com/1XgA1XJrTMtJLshYtgg4PZ6bdYtHHXVbtZnnLDqUhybkuCySRNTkT_o8_i8THkbC4FK3dJaBwGuyiI2-MfMdj5PuPYvudf2Cz4iRl7pc9vSSRrrvV8-ZWj7SP45hST-TS_5nZAepSeFIZFjvZacM7DhzdzEJ3ORxtTQJnsxopiXObaUH_9M1LHZoFzoEfB0joGNeuxDFHALd1TvwHFss2FYfhYzFhCfDDhZJ8k1XhaIQWcYgwvb5ILJgYiCIUl_Zbg-SOwWtzXpZtjtu9diJe5kLdxUpR3uTloeFB5fXShmSK14IKq6rtJOO-cFFotukn/https%3A%2F%2Ftowertheatrefoundation-my.sharepoint.com%2F%3Ao%3A%2Fg%2Fpersonal%2Fray_towertheatre_org%2FEp71axP8naVBvQyMekDmTrkBM4fIMfkwaICaRt4dAHBwhw%3Fe%3DBaMFMu
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 4076 | Parent process: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1204 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: LOW | Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2268 | Parent process: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1204 CREDAT:2757897 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: LOW | Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 1516 | Parent process: explorer.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 3380 | Parent process: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6c84a9d0,0x6c84a9e0,0x6c84a9ec
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 2564 | Parent process: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=776 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 1968 | Parent process: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=996,10180684765480355529,7699959464398542706,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=8942338265935283261 --mojo-platform-channel-handle=1012 --ignored=" --type=renderer " /prefetch:2
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: LOW | Description: Google Chrome | Version: 75.0.3770.100

PID 3876 | Parent process: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=996,10180684765480355529,7699959464398542706,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=2769390168735229732 --mojo-platform-channel-handle=1628 /prefetch:8
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 1964 | Parent process: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,10180684765480355529,7699959464398542706,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1053994552630558704 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: LOW | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100
Total events: 3 739
Read events: 2 943
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 63
Text files: 118
Unknown types: 13

Dropped files

PID | Process | Filename | Type
2728 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR421E.tmp.cvr | (type not recorded)
  MD5 / SHA256: not recorded in the report
1204 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | (type not recorded)
  MD5 / SHA256: not recorded in the report
4076 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab767D.tmp | (type not recorded)
  MD5 / SHA256: not recorded in the report
4076 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar767E.tmp | (type not recorded)
  MD5 / SHA256: not recorded in the report
2728 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: 897A17802B1D3E6991B7A284C8426774 | SHA256: 4639EDDC6E78B9A6601C8482451671122FF9E8EDF53E5B1F43D1FCC973FC1822
2728 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
  MD5: 22357CE63EA57B1832D13E13611BD8B2 | SHA256: 5497868E4748CB90AC1255F169E8169F59239E2081A60539B905348F1E512181
2728 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AB948400.dat | image
  MD5: A4E86B6C436B4ED37F9225EFE8432F11 | SHA256: 8769AB54288491F682F626EA6AD9D78911F44225CCDEC3CBB8F4E6CC0948F875
4076 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2EE749B7E1A15635422518BB5EBFD338_2BE9BBF30BBE030BE7B79471EABFE00A | binary
  MD5: 4978CA2CFC893265FBE8C74255945E0C | SHA256: 3416B83E195DC0105F042C5985B07B53AF3AEDE6EACBEF878BD4F68BD8DF0F76
4076 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2EE749B7E1A15635422518BB5EBFD338_2BE9BBF30BBE030BE7B79471EABFE00A | der
  MD5: 4185298FF9973F37007CB31AAC8F91FD | SHA256: A43F6374E91AF19F8259E219D71D3DE128F9C999C94170E5657D1409930185DF
2728 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text
  MD5: 48DD6CAE43CE26B992C35799FCD76898 | SHA256: 7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 64
DNS requests: 33
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4076 | iexplore.exe | GET | 200 | 52.210.26.218:80 | http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTyhcKR1A4XhQLFZRt5u%2BT8TDsYdQQUGoRivEhMMyUE1O7Q9gPEGUbRlGsCFHUXFneD0EN%2BtVbDV5RuRWO469Os | IE | der | 1.78 Kb | whitelisted
4076 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted
1204 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
4076 | iexplore.exe | GET | 200 | 35.158.10.169:80 | http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBRPT4HWWg2N6N2sdizmyiRTaupwfgQUmGq2LS6%2Fp6qf9vfWCa%2FVi1f5ircCFAJ6LdwhHmBeL%2BjGokwlqon6ciFk | DE | der | 1.81 Kb | whitelisted
4076 | iexplore.exe | GET | 200 | 35.158.10.169:80 | http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTyhcKR1A4XhQLFZRt5u%2BT8TDsYdQQUGoRivEhMMyUE1O7Q9gPEGUbRlGsCFHUXFneD0EN%2BtVbDV5RuRWO469Os | DE | der | 1.78 Kb | whitelisted
4076 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertGlobalRootCA.crl | US | der | 631 b | whitelisted
1204 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
1204 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
4076 | iexplore.exe | GET | 200 | 35.158.10.169:80 | http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBRPT4HWWg2N6N2sdizmyiRTaupwfgQUmGq2LS6%2Fp6qf9vfWCa%2FVi1f5ircCFAJ6LdwhHmBeL%2BjGokwlqon6ciFk | DE | der | 1.81 Kb | whitelisted
4076 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3876 | chrome.exe | 216.58.212.173:443 | accounts.google.com | Google Inc. | US | whitelisted
1204 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
4076 | iexplore.exe | 13.107.136.9:443 | towertheatrefoundation-my.sharepoint.com | Microsoft Corporation | US | whitelisted
4076 | iexplore.exe | 208.90.58.178:443 | secure-web.cisco.com | Cisco Systems Ironport Division | US | suspicious
1204 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
4076 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
4076 | iexplore.exe | 35.158.10.169:80 | ocsp.quovadisglobal.com | Amazon.com, Inc. | DE | whitelisted
2728 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
3876 | chrome.exe | 172.217.23.99:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
3876 | chrome.exe | 172.217.23.100:443 | www.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
secure-web.cisco.com | 208.90.58.178 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ocsp.quovadisglobal.com | 35.158.10.169, 52.210.26.218 | whitelisted
towertheatrefoundation-my.sharepoint.com | 13.107.136.9 | suspicious
ocsp.digicert.com | 93.184.220.29 | whitelisted
crl4.digicert.com | 93.184.220.29 | whitelisted
clientservices.googleapis.com | 172.217.23.99 | whitelisted
accounts.google.com | 216.58.212.173 | shared

Threats

No threats detected
No debug info