analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Re%3a Automatic reply%3a OneNote access.eml

Full analysis: https://app.any.run/tasks/e37f271a-4aac-4d7b-909c-2f181ea081f4
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: December 06, 2019, 19:04:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet-doc
emotet
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5:

491E407FA6CED8F93CA8EBAC060D160A

SHA1:

6259590FB824B02CAA0589560F85D594417AA1A5

SHA256:

20BBB503092FE1C569E1E624E3E30510B29D5B545F585B547A6B347BC08BD9A4

SSDEEP:

96:d5XRl+uRUvT2IRB9++a+V7AMpJq0mMdhoIZLWqnAZeLqosXdbBa1IhOW20b:kl5HiMQACqPGNOe28

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops known malicious document

      • iexplore.exe (PID: 2440)
  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3340)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3340)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3340)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3688)
      • iexplore.exe (PID: 584)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3884)
      • iexplore.exe (PID: 2440)
    • Creates files in the user directory

      • iexplore.exe (PID: 3884)
      • iexplore.exe (PID: 2440)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe iexplore.exe no specs iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3340"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\c2edc80f-177b-4705-960d-cf07d2a4b381.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
584"C:\Program Files\Internet Explorer\iexplore.exe" http://cetpro.harvar.edu.pe/dup-installer/2i5i_r76gl3x5v6vge_disk/individual_profile/NrWPp5_3Hj0zszymw/C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3884"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:584 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3688"C:\Program Files\Internet Explorer\iexplore.exe" http://cetpro.harvar.edu.pe/dup-installer/2i5i_r76gl3x5v6vge_disk/individual_profile/NrWPp5_3Hj0zszymw/C:\Program Files\Internet Explorer\iexplore.exeOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2440"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3688 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
2 111
Read events
1 474
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
34
Unknown types
4

Dropped files

PID
Process
Filename
Type
3340OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRE01E.tmp.cvr
MD5:
SHA256:
584iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
584iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
584iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF956FD4E30BD84FB0.TMP
MD5:
SHA256:
3340OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:834E06CE4DAE1F24EF7E1DBC67503384
SHA256:82BCEE06E9CCF03260029F24A176CD179AEEA81CFA2A246D92ED416C23D82906
3688iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3340OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:85E6C30CF2F3795FC549263D3788C76C
SHA256:40ED0BF53B53616D2DD8A5C6B14B328497BE167E99846484650365F062EDE115
3688iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFEC47A92354284DE7.TMP
MD5:
SHA256:
3884iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:F8697C1ADB2F5CE3A11AD6F588860AAD
SHA256:603E330E0165C7306940EED42F39EDF5237386515110545CD77D2543D2ED3F04
3884iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txttext
MD5:9A08EBA8D4CC5763BDD73D65545BBE3B
SHA256:A099EC29E246ED767484FDE1E9437533C710F82754A03E54C57197C45EDB45C5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2440
iexplore.exe
GET
200
190.117.128.134:80
http://cetpro.harvar.edu.pe/dup-installer/2i5i_r76gl3x5v6vge_disk/individual_profile/NrWPp5_3Hj0zszymw/
PE
document
88.7 Kb
suspicious
584
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3340
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
584
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3884
iexplore.exe
190.117.128.134:80
cetpro.harvar.edu.pe
America Movil Peru S.A.C.
PE
suspicious
2440
iexplore.exe
190.117.128.134:80
cetpro.harvar.edu.pe
America Movil Peru S.A.C.
PE
suspicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
cetpro.harvar.edu.pe
  • 190.117.128.134
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

PID
Process
Class
Message
3884
iexplore.exe
Misc activity
SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
3884
iexplore.exe
Potentially Bad Traffic
ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)
2440
iexplore.exe
Misc activity
SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
2440
iexplore.exe
Potentially Bad Traffic
ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)
No debug info