File name: Alan Neethling sent you a message.msg
Full analysis: https://app.any.run/tasks/5a13a6c8-13a1-4039-bf81-b45c263311c8
Verdict: Malicious activity
Analysis date: April 25, 2019, 12:39:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: phishing
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 73B9E15C089E4675100413E456207BFA
SHA1: CD174962571D45BCD564D788A24361F608C30394
SHA256: 2CD6514147D29E2451A049A4841E69B45016D766B2D13008879AC4C38F5F2FB9
SSDEEP: 1536:j/8G95EUdwLQcKGPd9h4mml20/InufcWUW6mFYII9UB6ZTri/Kdb8WrTU7RfW3Jv:j795IBz9ufCmFlI9w6ZTri/Kd5U7pW3J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3204)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2816)
  • INFO

    • Application launched itself

      • chrome.exe (PID: 3204)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 17
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Graph nodes (flattened from the interactive view): start, outlook.exe, explorer.exe (no specs), chrome.exe, followed by a series of further chrome.exe child processes (no specs). Per-process details are listed under Process information.

Process information

PID 2816 (parent process: explorer.exe)
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Alan Neethling sent you a message.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID 3336 (parent process: explorer.exe)
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3204 (parent process: explorer.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "C:\Users\admin\Documents\sales.html"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 73.0.3683.75

PID 2352 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x65b70f18,0x65b70f28,0x65b70f34
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 73.0.3683.75

PID 3800 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3212 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 73.0.3683.75

PID 3116 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=952,3010804116933612527,2363855186072398930,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7261725669967708805 --mojo-platform-channel-handle=900 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Version: 73.0.3683.75

PID 3244 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=952,3010804116933612527,2363855186072398930,131072 --enable-features=PasswordImport --service-pipe-token=1111829972315021846 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1111829972315021846 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Version: 73.0.3683.75

PID 328 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=952,3010804116933612527,2363855186072398930,131072 --enable-features=PasswordImport --service-pipe-token=18300856812455308551 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18300856812455308551 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75

PID 3428 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=952,3010804116933612527,2363855186072398930,131072 --enable-features=PasswordImport --service-pipe-token=12202723371785777706 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12202723371785777706 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2136 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75

PID 2596 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=952,3010804116933612527,2363855186072398930,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=413476000324640130 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=413476000324640130 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Version: 73.0.3683.75
Total events: 1 871
Read events: 1 341
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 10
Text files: 142
Unknown types: 3

Dropped files

PID | Process | Filename | Type
2816 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRF97B.tmp.cvr | -
2816 | OUTLOOK.EXE | C:\Users\admin\Documents\sales.html\:Zone.Identifier:$DATA | -
3204 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index | -
3204 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0 | -
3204 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 | -
3204 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2 | -
3204 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3 | -
2816 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: 352B8C449187E3E59A5AA9F7967783E7
  SHA256: 0538D5C2B1184F57A34E3DB1A6513831EA5CD73CD35CEE7E970F0357FE853130
2816 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_F45365F7A8EFDE47A30CDF742519E912.dat | xml
  MD5: EEAA832C12F20DE6AAAA9C7B77626E72
  SHA256: C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
2816 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text
  MD5: 48DD6CAE43CE26B992C35799FCD76898
  SHA256: 7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A

(No MD5/SHA256 were recorded in the report for the first seven files.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 23
TCP/UDP connections: 17
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3204 | chrome.exe | GET | 302 | 157.7.107.140:80 | http://www.ange21.com/DHL/[email protected] | JP | - | - | suspicious
3204 | chrome.exe | GET | 301 | 104.109.54.128:80 | http://www.dhl.com/img/favicon.gif | NL | - | - | whitelisted
3204 | chrome.exe | GET | 200 | 157.7.107.140:80 | http://www.ange21.com/DHL/images/horde.png | JP | image | 4.93 Kb | suspicious
3204 | chrome.exe | GET | 200 | 87.245.198.16:80 | http://r5---sn-gxuog0-axqe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.117.118.92&mm=28&mn=sn-gxuog0-axqe&ms=nvh&mt=1556195975&mv=m&pl=25&shardbypass=yes | RU | crx | 842 Kb | whitelisted
3204 | chrome.exe | GET | 200 | 157.7.107.140:80 | http://www.ange21.com/DHL/images/roundcube.png | JP | image | 28.3 Kb | suspicious
3204 | chrome.exe | GET | 302 | 216.58.207.78:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 511 b | whitelisted
3204 | chrome.exe | GET | 200 | 157.7.107.140:80 | http://www.ange21.com/DHL/dltmy6pjbabelghdbtyrsiti27524e5d5582cfb0ee5b91de81c038c5.php?email=sales@pacificozone.com | JP | html | 1.31 Kb | suspicious
3204 | chrome.exe | GET | 200 | 157.7.107.140:80 | http://www.ange21.com/DHL/images/netease_png.png | JP | image | 1015 b | suspicious
3204 | chrome.exe | GET | 200 | 157.7.107.140:80 | http://www.ange21.com/DHL/images/alert-icon-red-md.png | JP | image | 38.1 Kb | suspicious
3204 | chrome.exe | GET | 200 | 157.7.107.140:80 | http://www.ange21.com/DHL/images/yahoo.jpg | JP | image | 15.4 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3204 | chrome.exe | 172.217.21.195:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2816 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
3204 | chrome.exe | 172.217.18.110:443 | clients2.google.com | Google Inc. | US | whitelisted
3204 | chrome.exe | 157.7.107.140:80 | www.ange21.com | GMO Internet,Inc | JP | suspicious
- | - | 216.58.207.78:80 | redirector.gvt1.com | Google Inc. | US | whitelisted
3204 | chrome.exe | 216.58.210.13:443 | accounts.google.com | Google Inc. | US | whitelisted
3204 | chrome.exe | 172.217.16.132:443 | www.google.com | Google Inc. | US | whitelisted
3204 | chrome.exe | 87.245.198.16:80 | r5---sn-gxuog0-axqe.gvt1.com | RETN Limited | RU | whitelisted
3204 | chrome.exe | 104.109.54.128:80 | www.dhl.com | Akamai International B.V. | NL | whitelisted
3204 | chrome.exe | 172.217.22.35:443 | ssl.gstatic.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
clientservices.googleapis.com | 172.217.21.195 | whitelisted
accounts.google.com | 216.58.210.13 | shared
clients2.google.com | 172.217.18.110 | whitelisted
www.ange21.com | 157.7.107.140 | suspicious
redirector.gvt1.com | 216.58.207.78 | whitelisted
r5---sn-gxuog0-axqe.gvt1.com | 87.245.198.16 | whitelisted
www.google.com | 172.217.16.132 | whitelisted
clients1.google.com | 172.217.18.110 | whitelisted
www.dhl.com | 104.109.54.128 | whitelisted

Threats

PID | Process | Class | Message
3204 | chrome.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Possible DHL Phishing Landing - Title over non SSL
3204 | chrome.exe | A Network Trojan was detected | ET CURRENT_EVENTS Successful Fedex/DHL Phish (set) 2018-10-22
3204 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY Http Client Body contains pass= in cleartext
3204 | chrome.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Possible DHL Phishing Landing - Title over non SSL
3204 | chrome.exe | A Network Trojan was detected | ET CURRENT_EVENTS Successful Fedex/DHL Phish (set) 2018-10-22
3204 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY Http Client Body contains pass= in cleartext
3204 | chrome.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Possible DHL Phishing Landing - Title over non SSL
9 ETPRO signatures available at the full report
No debug info