File name: Fwd_CuentaRUT-Bloqueada_.msg
Full analysis: https://app.any.run/tasks/3eee25f2-6b8b-4791-bbbc-9cac3ae4e665
Verdict: Malicious activity
Analysis date: October 20, 2020, 13:33:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 1A81723BCD30CBAD21B7814D6D57B29E
SHA1: 2D47D60C0099C04FCFCCD5C2B97B594DFDA3095B
SHA256: 2CE3AE38F507E3A0E71211546537D477B763082EA891525226CDA6FD093A75C9
SSDEEP: 384:69KPKtKj8AVAU2bKFKYJNG8O2GO74z56c9QYcW7t8Zu80K:69KPKtKj8O2bWlJk2GO74VXDzH80K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2428)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 2428)
  • INFO
    • Reads settings of System Certificates
      • OUTLOOK.EXE (PID: 2428)
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 2428)
      • iexplore.exe (PID: 2696)
      • iexplore.exe (PID: 3864)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2428)
      • iexplore.exe (PID: 3864)
    • Application launched itself
      • iexplore.exe (PID: 2696)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2428)
    • Changes internet zones settings
      • iexplore.exe (PID: 2696)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3864)
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → outlook.exe → iexplore.exe → iexplore.exe

Process information

PID: 2428
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Fwd_CuentaRUT-Bloqueada_.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 2696
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/2S6mvVk?l=www.bancoestado.cl
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3864
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2696 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 1 827
Read events: 1 204
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 10
Text files: 32
Unknown types: 6

Dropped files

PID 2428 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR4079.tmp.cvr

PID 2428 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\Cab7C3A.tmp

PID 2428 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\Tar7C3B.tmp

PID 2696 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

PID 2428 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | Type: pgc
MD5: 3ADE936B42221B6A52D6917FCCB68C1C
SHA256: 7C876F4EC1982F91C75BC377AA735BABB6A340E9C8E5BF5EC5A6EFDAB0E83E23

PID 2428 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | Type: text
MD5: 136FEA93D6D9369D201BE11AED3E60E6
SHA256: 72F527B532A61A3E216CBBFCC2B0DF96BA846065A1F9A0AFD06C43ED6867ED5E

PID 2428 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C | Type: binary
MD5: 531306CF34E6E08821F034AEFF3B62C9
SHA256: 2B8B1A5D06263125765EB35D84CF4036D11B8EC6C8C41F4623F3684CAF173473

PID 2428 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_5FDD03068CBBD8A96F3AB9595BA10093 | Type: der
MD5: E90CD336C920CB9CAEC8C3F139063C8B
SHA256: A1874942639CD9150FA4093D2B080C31243BEB13F147BFC866233ED279A2E27B

PID 2428 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_5FDD03068CBBD8A96F3AB9595BA10093 | Type: binary
MD5: DD35C0EB39873CCA0179ED51112F58AF
SHA256: 6BA3367001117286CCA61BFBB20F9B014A9665A9298C4EE687216FFF983C2F93

PID 2428 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\sp_banner_app_login_web_generica[1].jpg | Type: image
MD5: 79F3CC050E8062498BFF7D497A3C1310
SHA256: B8982C0CE0A0181F9C42C69E97BC147A40093659CA4A03D7D0DE2D6EC8225CF0
HTTP(S) requests: 16
TCP/UDP connections: 32
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2428 | OUTLOOK.EXE | GET | 301 | 104.111.237.76:80 | http://www.bancoestado.cl/imagenes/cartola/img_cartola_mut/img_mut_02.jpg | NL | | | suspicious
2428 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
| | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEB3oRgfjsJWUCAAAAABbLrQ%3D | US | der | 471 b | whitelisted
2428 | OUTLOOK.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D | US | der | 471 b | whitelisted
3864 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY | US | der | 728 b | whitelisted
3864 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAqN7HPiQ2%2F4c3rdXE3uHG8%3D | US | der | 471 b | whitelisted
3864 | iexplore.exe | GET | 301 | 203.143.89.30:80 | http://www.makeupcollege.com.au/js/enviar03.php?l=759472737 | AU | | | unknown
2428 | OUTLOOK.EXE | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 631 b | whitelisted
3864 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D | US | der | 471 b | whitelisted
| | GET | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2428 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
| | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3864 | iexplore.exe | 67.199.248.10:443 | bit.ly | Bitly Inc | US | shared
2428 | OUTLOOK.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2428 | OUTLOOK.EXE | 104.111.237.76:80 | www.bancoestado.cl | Akamai International B.V. | NL | unknown
2428 | OUTLOOK.EXE | 104.111.237.76:443 | www.bancoestado.cl | Akamai International B.V. | NL | unknown
| | 67.199.248.10:443 | bit.ly | Bitly Inc | US | shared
| | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3864 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3864 | iexplore.exe | 172.217.21.238:443 | www.google-analytics.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
www.bancoestado.cl | 104.111.237.76 | suspicious
ocsp.digicert.com | 93.184.220.29 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted
bit.ly | 67.199.248.10, 67.199.248.11 | shared
api.bing.com | 13.107.47.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
crl4.digicert.com | 93.184.220.29 | whitelisted
www.makeupcollege.com.au | 203.143.89.30 | unknown
ocsp.comodoca.com | 151.139.128.14 | whitelisted

Threats

No threats detected
No debug info