analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Re .msg

Full analysis: https://app.any.run/tasks/2fc99390-836e-4d8e-b57a-cc846214ba1a
Verdict: Malicious activity
Analysis date: June 27, 2022, 09:52:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

938B533D36B39FF670CF8AB8FB50B8EE

SHA1:

9B7342DE1919EEBB301CB577861CF6B668784CE0

SHA256:

2707D91CFA7FE8CE1FF3B5152861FBEBE75655C439E9832F73D1A3F42E659CD1

SSDEEP:

1536:fztTh6qqiKF6rjQuwqHqT02JO8oR1DSlaa44xArOOA7a:fzSZ8jQuVHqROHDSsoxArIa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2952)
  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2952)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2020)
  • INFO

    • Checks supported languages

      • OUTLOOK.EXE (PID: 2952)
      • iexplore.exe (PID: 3644)
      • iexplore.exe (PID: 2020)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 2952)
      • iexplore.exe (PID: 3644)
      • iexplore.exe (PID: 2020)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 2952)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2952)
      • iexplore.exe (PID: 2020)
    • Application launched itself

      • iexplore.exe (PID: 3644)
    • Changes internet zones settings

      • iexplore.exe (PID: 3644)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2020)
      • iexplore.exe (PID: 3644)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2020)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3644)
      • iexplore.exe (PID: 2020)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2952"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Re .msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3644"C:\Program Files\Internet Explorer\iexplore.exe" http://dlf-bruxelles.eu/wpC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2020"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3644 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
Total events
25 663
Read events
24 943
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
11
Text files
31
Unknown types
7

Dropped files

PID
Process
Filename
Type
2952OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRD72D.tmp.cvr
MD5:
SHA256:
2952OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
2952OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:47D30926EEC19102AA941FA1D00B2029
SHA256:470DB1872D5C7A81381B842BE10A69B0661599D8C237498804212D436CFA12AF
2952OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:FDB827B14547735A28462FF7E93BC183
SHA256:3C507E516C7163D8716EC98D452CEB3F70F590C2667BF7C8BDEFC92B5DE93022
3644iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:28CC3D4B0DA8A29A9DCD6D4755C84342
SHA256:A4CA2DD1D4545838F7A9102623442BC76BDEB2185E9991A294BCB0B6456DDA0E
2020iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\wp[1].htmhtml
MD5:21ACDC841A2541D935FA09558E3388CA
SHA256:1AEB5B63A34BD5DADD86DEFA6DC8FD27983243012E253D9B8948E3E0B3A6891E
2952OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{80B784FA-0FCF-4969-8804-B99AAF76D216}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
3644iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:A5A4DF0AEDA89C43503F81E5CEDACA3A
SHA256:1BBA2B9EA2E9B51DF80B369A551D9196FAC0772EB6B1D0140C8B51E6C4FABAF3
2020iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\wp[1].htmtext
MD5:B7AE41042BF29C9F8F962978DA937B62
SHA256:13A02431E2F28F82D2430836D9CF5AE0179C35CFBC245C728FB274E739B3DAFD
3644iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:82E1A2C6DBF370AC8884452F29E8C6A2
SHA256:DB3636BA68C8AE42DBDA35498F5D5B88A33376DB704EC71DE16D38ABCFF315C6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
39
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2952
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3644
iexplore.exe
GET
200
213.186.33.104:80
http://dlf-bruxelles.eu/favicon.ico
FR
malicious
2020
iexplore.exe
GET
200
23.216.77.69:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a76d960653ef79d7
US
compressed
60.0 Kb
whitelisted
2020
iexplore.exe
GET
200
213.186.33.104:80
http://dlf-bruxelles.eu/wp/
FR
compressed
117 b
malicious
3644
iexplore.exe
GET
200
23.216.77.80:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?acf1241ee0c35d04
US
compressed
4.70 Kb
whitelisted
2020
iexplore.exe
GET
301
213.186.33.104:80
http://dlf-bruxelles.eu/wp
FR
html
235 b
malicious
3644
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
2020
iexplore.exe
GET
200
23.216.77.80:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ecf5ab286cfbb656
US
compressed
60.0 Kb
whitelisted
2020
iexplore.exe
GET
200
184.24.77.79:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgTkbK%2BKAcZJlIUV2DqZLKtMww%3D%3D
US
der
503 b
shared
2020
iexplore.exe
GET
200
23.216.77.69:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6e730929e6b31ef1
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2952
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3644
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2020
iexplore.exe
51.210.234.124:443
www.mamaelba.com
GB
unknown
213.186.33.104:80
dlf-bruxelles.eu
OVH SAS
FR
malicious
2020
iexplore.exe
213.186.33.104:80
dlf-bruxelles.eu
OVH SAS
FR
malicious
3644
iexplore.exe
213.186.33.104:80
dlf-bruxelles.eu
OVH SAS
FR
malicious
3644
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2020
iexplore.exe
23.216.77.80:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
2020
iexplore.exe
96.16.145.230:80
x1.c.lencr.org
Akamai Technologies, Inc.
US
suspicious
3644
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
dlf-bruxelles.eu
  • 213.186.33.104
unknown
www.mamaelba.com
  • 51.210.234.124
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ctldl.windowsupdate.com
  • 23.216.77.80
  • 23.216.77.69
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
x1.c.lencr.org
  • 96.16.145.230
whitelisted
r3.o.lencr.org
  • 184.24.77.79
  • 184.24.77.54
shared
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info