analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Welcome to MyAnalytics.msg

Full analysis: https://app.any.run/tasks/51e2f1e5-0380-461b-93f4-0999f82be816
Verdict: Malicious activity
Analysis date: October 14, 2019, 08:46:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

5BBD1247165850F49CEC81D963A4C90B

SHA1:

DE65CEBC827F576300BA22DA1C9DDAD04D98B02E

SHA256:

2A9BC801559A9C3F879293925C99D6B292719B2A043B34E853E4B751C5BC49D9

SSDEEP:

3072:dfVB6gN94xRnAxykadFQcUGaa8r6yQKFsla53T/mqpYC/S:XB6gV8X4G/HXe37mORS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2384)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2384)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2384)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2384)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3848)
      • iexplore.exe (PID: 3028)
    • Changes internet zones settings

      • iexplore.exe (PID: 944)
    • Application launched itself

      • iexplore.exe (PID: 944)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3028)
      • iexplore.exe (PID: 3848)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2384"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Welcome to MyAnalytics.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
944"C:\Program Files\Internet Explorer\iexplore.exe" https://myanalytics.microsoft.com/?v=home&w=showfre&s=Welcome_e61a6db4-0f90-468a-8cf5-7c3f107e37bfC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3848"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:944 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3028"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:944 CREDAT:6403C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
2 076
Read events
1 449
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
65
Unknown types
3

Dropped files

PID
Process
Filename
Type
2384OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRA89E.tmp.cvr
MD5:
SHA256:
2384OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:AF57BB14144C217767FD9F682364BBA1
SHA256:BD33CD088682EA28F4A995ECB0472BE882DC7430904BD5BD7B41AAF0383DF2BC
2384OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:BD789AF0CABC64128BEAD28026128A43
SHA256:5BAB4B742ABCD99F3C348DA6EFFC991456881EAD07EB4CF349C6D65C4149CE9A
2384OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\59CD48A6.datimage
MD5:099A4EE058ABA840274ADCE07F2D18CD
SHA256:E672BCE95758914822B3C64AEE7EA01C4341BEAC921579079C89CF7588123388
2384OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7294D46F.datimage
MD5:F32883C33166977C59CF27D618B1E2CE
SHA256:BC6B6A5A9C350E1AD65F9F2747A78586EBC8FF0A6B91013B77F338B5FE8D8E50
2384OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\480E492B.datimage
MD5:752755D9541CBB4ECE6F74DF664D2ECE
SHA256:EBECF5EC9B6CB5CE402E0B48742E101AB2319A2015715DF89204D80DFB0F0C1C
2384OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DE167CBA.datimage
MD5:01C2DAAA1E1A817AEE1511ED3FBCDA8D
SHA256:F14BCB229C4AD54414030EAC4D841AB5BE149021384972C9445412522C96D848
2384OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\520D925D.datimage
MD5:8DB6F62816FD0C94C288F93224BC803A
SHA256:B87974726F8B720D48A32F3C95E8D1C742A9B32AE146611006352526C22B597E
2384OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\923B2771.datimage
MD5:9451572A6EEC66EDE571C13ADD250D88
SHA256:F18BDA162C12EC867DFF1064C84594A0ED5FC40B8FE12B574E60F23F47D858A4
2384OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD0A03A4.datimage
MD5:959AAAAE545A756A0B708BF6DB81D88C
SHA256:B29ADEACD7BE785E467E82F288710B511212FEF68157E5CC7BB9532B128B7230
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
11
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2384
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
944
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
944
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2384
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3028
iexplore.exe
40.86.224.81:443
myanalytics.microsoft.com
Microsoft Corporation
CA
unknown
3848
iexplore.exe
40.86.224.81:443
myanalytics.microsoft.com
Microsoft Corporation
CA
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
myanalytics.microsoft.com
  • 40.86.224.81
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
No debug info