File name:

Pavón Molina Rosa María le invita a colaborar en Factura 41742.msg

Full analysis: https://app.any.run/tasks/a6846ced-76ba-4363-b073-4af85b633889
Verdict: Malicious activity
Analysis date: February 22, 2020, 06:58:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

379159D79F59B3BDB4D7BD0D3C0FBE92

SHA1:

6975467A27763ACF3B8B2CAA8B2A98A74BBF5B57

SHA256:

2BF3F64FF6E2A8823E6C88BE114E73631BDA72ED9CEF9F195A9223DB8AB4D6D0

SSDEEP:

1536:fwxeK/LU5c5dAektHfyqMbr+xAduektHfCWUW2WKW3A9qoaPCufW0sW/xq3DZ3on:adCd/M/ZdEdqgovcxqTZ3BRIvvfIS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2884)
  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2884)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2884)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2884)
  • INFO

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2884)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 3508)
      • iexplore.exe (PID: 3148)
      • iexplore.exe (PID: 2500)
      • iexplore.exe (PID: 2052)
    • Changes internet zones settings

      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 2500)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3508)
      • iexplore.exe (PID: 3148)
      • iexplore.exe (PID: 2052)
    • Creates files in the user directory

      • iexplore.exe (PID: 3508)
      • iexplore.exe (PID: 3148)
      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 2052)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3148)
      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 2052)
    • Application launched itself

      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 2500)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2520)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2520)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2520)
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph: start → outlook.exe → iexplore.exe (five iexplore.exe processes; interactive graph in the full report)

Process information

PID:
2884
CMD:
"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Pavón Molina Rosa María le invita a colaborar en Factura 41742.msg"
Path:
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\program files\microsoft office\office14\outlook.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
2520
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" https://grupoclh-my.sharepoint.com/personal/rosapavon_grupoclh_com/Documents/Factura%2041742.pdf?e=4%3a5728317c019242e09e6f23d7dbd80bf7&at=9
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
3508
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2520 CREDAT:267521 /prefetch:2
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
3148
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2520 CREDAT:3347732 /prefetch:2
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
2500
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" https://northeuroper-notifyp.svc.ms/api/v2/tracking/method/Click?mi=sUjRorkAaUOsXZTBBtSudA&tc=Link&cs=f16e319d61103eb76cc09d1639b21a31&ru=https%3a%2f%2fgrupoclh-my.sharepoint.com%2fpersonal%2frosapavon_grupoclh_com%2fDocuments%2fFactura%252041742.pdf%3fe%3d4%253A5728317c019242e09e6f23d7dbd80bf7
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
2052
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2500 CREDAT:267521 /prefetch:2
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
9 037
Read events
3 209
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
34
Text files
58
Unknown types
11

Dropped files

PID | Process | Filename | Type
2884 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR5EC2.tmp.cvr
MD5:
SHA256:
3508 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab9449.tmp
MD5:
SHA256:
3508 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar944A.tmp
MD5:
SHA256:
2884 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
MD5: 5BF3C03DF1FF920E51EC2A71D4AB99B5
SHA256: BE916807209DCF2293F4F987390EA7E7EF2AC83D9085AD47426D19496561D2EE
2884 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
MD5: 9051DDD7AD182B5BB0EF1B90BE6CAD4E
SHA256: 2D5C5B485D5B9E59D5DA923A9269BBBFE3A962D9183E2D1F9B81793ACFDAEDC8
3508 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\U3LCW29U.txt
MD5:
SHA256:
3508 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\S5BJGCLW.txt
MD5:
SHA256:
3508 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | binary
MD5: B28626950CB4F8F979BFC50AE38199A4
SHA256: 2CCA4F01BB3565AEDE022494CC9E7A1631BE75B78780C8864D8ADEC8E30DEC11
2884 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text
MD5: 48DD6CAE43CE26B992C35799FCD76898
SHA256: 7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
3508 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | der
MD5: 0C3DF21C6DC1595DAA766F74E5513106
SHA256: 08251595D9358F9A931185D05415C0816B8A98A30934862B98A35C29A149C3AF
HTTP(S) requests
11
TCP/UDP connections
42
DNS requests
20
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2884 | OUTLOOK.EXE | GET |  | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US |  |  | whitelisted
3508 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D | US | der | 1.47 Kb | whitelisted
3508 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted
3508 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted
3508 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D | US | der | 1.47 Kb | whitelisted
3508 | iexplore.exe | GET | 200 | 104.18.24.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAvTsRon4%2BRVzrdwAAAAC9Ow%3D | US | der | 1.79 Kb | whitelisted
3508 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D | US | der | 1.47 Kb | whitelisted
2520 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
2520 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
2520 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2884 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
3508 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3508 | iexplore.exe | 13.107.246.10:443 | aadcdn.msauth.net | Microsoft Corporation | US | whitelisted
3508 | iexplore.exe | 40.126.1.138:443 | login.windows.net | Microsoft Corporation | US | unknown
3508 | iexplore.exe | 20.190.129.162:443 | login.windows.net | Microsoft Corporation | US | unknown
3508 | iexplore.exe | 104.18.24.243:80 | ocsp.msocsp.com | Cloudflare Inc | US | shared
3508 | iexplore.exe | 13.107.136.9:443 | grupoclh-my.sharepoint.com | Microsoft Corporation | US | whitelisted
2520 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3148 | iexplore.exe | 40.126.1.136:443 | login.windows.net | Microsoft Corporation | US | unknown
3148 | iexplore.exe | 20.190.129.162:443 | login.windows.net | Microsoft Corporation | US | unknown

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
grupoclh-my.sharepoint.com | 13.107.136.9 | suspicious
ocsp.digicert.com | 93.184.220.29 | whitelisted
login.windows.net | 20.190.129.162, 40.126.1.138, 40.126.1.137, 40.126.1.136, 40.126.1.141 | whitelisted
login.microsoftonline.com | 40.126.1.138, 40.126.1.141, 20.190.129.162, 40.126.1.137, 40.126.1.136 | whitelisted
ocsp.msocsp.com | 104.18.24.243, 104.18.25.243 | whitelisted
aadcdn.msauth.net | 13.107.246.10 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
northeuroper-notifyp.svc.ms | 13.107.136.13 | suspicious

Threats

No threats detected
No debug info