analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Cotizacion Febrero.msg

Full analysis: https://app.any.run/tasks/d1dd2763-ec87-4d32-9f98-ea21634e2272
Verdict: Malicious activity
Analysis date: March 14, 2019, 15:49:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

17D16A8A752E1A3B888E3FCEE60F41CD

SHA1:

7CD33009603AF12942C3023A7CADCA6F398C36F4

SHA256:

2C47B86516C1C705250CDEE98BF368D9966C3589F0984F8E6FDE3283CCEE50BE

SSDEEP:

768:9aJWb5sKC/zpIuUGwpIRnmuivCPsKSsKsh60:6KgAGwyRnm+6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2988)

  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2988)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2988)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2988)

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3424)
      • iexplore.exe (PID: 2804)
      • iexplore.exe (PID: 2656)

    • Changes internet zones settings

      • iexplore.exe (PID: 3936)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2804)
      • iexplore.exe (PID: 3936)
      • iexplore.exe (PID: 2656)
      • iexplore.exe (PID: 3424)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2804)
      • iexplore.exe (PID: 3936)

    • Application launched itself

      • iexplore.exe (PID: 3936)

    • Creates files in the user directory

      • iexplore.exe (PID: 2804)
      • iexplore.exe (PID: 2656)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2988"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Cotizacion Febrero.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3936"C:\Program Files\Internet Explorer\iexplore.exe" https://gentsilen.com.mx/AS/[email protected]C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2656"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3936 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3424"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3936 CREDAT:6404C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2804"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3936 CREDAT:6414C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
2 151
Read events
1 605
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
57
Unknown types
3

Dropped files

PID
Process
Filename
Type
2988OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRE246.tmp.cvr
MD5:
SHA256:
3936iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
3936iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2656iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\adjunto[1].htm
MD5:
SHA256:
2988OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:E84753367EF41DA5D35672E1EB235FE8
SHA256:A5B1B6837631B0CC84DC054178D2063D829291A54A4EEBDC0599EA8FFA040645
2656iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019031420190315\index.datdat
MD5:D923EC35E5C0F2CF06AB5ECF49BCF005
SHA256:D34795437BE9C62E8CA205CBF85ABA0295E14CC0B06826C55A64B6D145709886
2988OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_743E0C39BA06224EA57B0B09353685FA.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
2988OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A3F04996-1B90-41C1-B7F2-6BC3A3A23CB1}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:7D80C0A7E3849818695EAF4989186A3C
SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
3936iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.datdat
MD5:A8DE8F42F3954D1DFB6FD4396CB2EEDC
SHA256:32116FB1FEBA85B90AC520D963FC7AF64AAF5BF874B5FA0DA06375DA972A7D1B
2988OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_4F808FD46D25994DA743BF92609BC49E.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
14
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2988
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2804
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/rb/3R/ic/61505d92/25ddf288.png?bu=At4u4S4
US
image
190 b
whitelisted
2804
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/rs/2Z/1X/cj,nj/4c7364c5/40e1b425.js
US
text
816 b
whitelisted
2804
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/rs/5f/2s/cj,nj/bab57e12/ea8fe300.js
US
text
2.75 Kb
whitelisted
2804
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/rms/BingCore.Bundle/cj,nj/3e6a7d75/9a358300.js?bu=rms+answers+Shared+BingCore%24ClientInstV2%24DuplicateXlsDefaultConfig*BingCore%24ClientInstV2%24SharedLocalStorageConfigDefault*BingCore%24shared*BingCore%24env.override*Empty*BingCore%24event.custom.fix*BingCore%24event.native*BingCore%24onHTML*BingCore%24dom*BingCore%24cookies*BingCore%24rmsajax*BingCore%24ClientInstV2%24LogUploadCapFeatureDisabled*BingCore%24ClientInstV2%24ClientInstConfigSeparateOfflineQueue*BingCore%24clientinst*BingCore%24replay*BingCore%24Animation*BingCore%24fadeAnimation*BingCore%24framework
US
text
4.95 Kb
whitelisted
2804
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/rs/6q/4T/cj,nj/347afee2/33036ea1.js
US
text
1.77 Kb
whitelisted
2804
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/rb/15/cj,nj/1b7dfb88/cc8437ad.js?bu=DikuXGxwdGhgZKwBsAEuoAEu
US
text
7.54 Kb
whitelisted
2804
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/fd/ls/l?IG=DFE0FF1AC9F54D87AFB157B976574D45&CID=2C19B8FB2D6C6E9F3469B5E42C9D6FDA&Type=Event.CPT&DATA={"pp":{"S":"L","FC":125,"BC":140,"SE":-1,"TC":-1,"H":172,"BP":297,"CT":312,"IL":9},"ad":[-1,-1,772,444,1089,498,0]}&P=SERP&DA=DUB02
US
compressed
49.3 Kb
whitelisted
2804
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/search?q=google&src=IE-SearchBox&FORM=IE8SRC
US
html
49.3 Kb
whitelisted
2804
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/sa/simg/SharedSpriteDesktopRewards_022118.png
US
image
5.73 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2804
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2804
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3936
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3936
iexplore.exe
185.35.137.85:443
gentsilen.com.mx
Zyztm Research Division 10 B.V.
NL
suspicious
2656
iexplore.exe
185.35.137.85:443
gentsilen.com.mx
Zyztm Research Division 10 B.V.
NL
suspicious
3424
iexplore.exe
185.35.137.85:443
gentsilen.com.mx
Zyztm Research Division 10 B.V.
NL
suspicious
2804
iexplore.exe
157.55.135.132:443
login.live.com
Microsoft Corporation
US
whitelisted
2988
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
gentsilen.com.mx
  • 185.35.137.85
  • 185.35.137.86
  • 185.35.137.87
  • 185.35.137.88
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
login.live.com
  • 157.55.135.132
  • 157.55.134.138
  • 157.55.135.134
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Cotizacion Febrero.msg