analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ReCompletion_statement.eml

Full analysis: https://app.any.run/tasks/7b087bed-202e-487e-b818-c2464ab816fd
Verdict: Malicious activity
Analysis date: January 18, 2019, 10:57:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
phishing
phish-outlook
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

60566AE0908AE5CB10B1D1966B8EC0AC

SHA1:

A3AAB48E6E3B764B59DFA9DB64A5A3A50AD13031

SHA256:

2D45EEBB786D70EFDD888917AF992D9516E25F3515AB810724C6DCC790A51DD2

SSDEEP:

192:cd8Cwg8SedZV4ws/Eb8AAegLxn3KVMYpL46aSo1IWcGiR/9PEuHApm5tiUYn:OXhgq/3JLx361totIRlkCtiPn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3004)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3004)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3004)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2304)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3004)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2304)
      • iexplore.exe (PID: 3056)
      • iexplore.exe (PID: 1972)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2304)

    • Application launched itself

      • iexplore.exe (PID: 2304)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3056)
      • iexplore.exe (PID: 1972)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3056)
      • iexplore.exe (PID: 1972)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2304)

    • Creates files in the user directory

      • iexplore.exe (PID: 3056)
      • iexplore.exe (PID: 2304)
      • iexplore.exe (PID: 1972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3004"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\ReCompletion_statement.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2304"C:\Program Files\Internet Explorer\iexplore.exe" https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cubelec.com.tw%2Fdownload%2Freports%2Fjs%2F909989%2FOWAnewform.html&data=01%7C01%7Ckeith.dicker%40generationim.com%7C4a5e433145f64783484708d67a5247cc%7Cbf4450a2bfcb472d8c401425eafb1a3b%7C1&sdata=S0qIxp7O%2FK%2B%2F1XkE4a1KMObkGuhCTa6%2Fe4x2giU1XPE%3D&reserved=0C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3056"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2304 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1972"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2304 CREDAT:71938C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
1 853
Read events
1 355
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
14
Text files
47
Unknown types
3

Dropped files

PID
Process
Filename
Type
3004OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR8B00.tmp.cvr
MD5:
SHA256:
2304iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2304iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3056iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\eur01_safelinks_protection_outlook_com[1].txt
MD5:
SHA256:
1972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\eur01_safelinks_protection_outlook_com[1].txt
MD5:
SHA256:
3056iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab102E.tmp
MD5:
SHA256:
3056iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab103F.tmp
MD5:
SHA256:
3056iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar102F.tmp
MD5:
SHA256:
3056iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab1041.tmp
MD5:
SHA256:
3056iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar1040.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
36
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3004
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3056
iexplore.exe
GET
200
67.26.115.254:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.2 Kb
whitelisted
3056
iexplore.exe
GET
200
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.2 Kb
whitelisted
3056
iexplore.exe
GET
404
203.69.42.195:80
http://www.cubelec.com.tw/CookieAuth.dll?GetPic?formdir=1&image=lgnexlogo.gif
TW
xml
1.18 Kb
suspicious
3056
iexplore.exe
GET
200
203.69.42.195:80
http://www.cubelec.com.tw/download/reports/js/909989/OWAnewform.html
TW
html
9.32 Kb
suspicious
1972
iexplore.exe
GET
404
203.69.42.195:80
http://www.cubelec.com.tw/CookieAuth.dll?GetPic?formdir=1&image=lgnexlogo.gif
TW
xml
1.18 Kb
suspicious
2304
iexplore.exe
GET
203.69.42.195:80
http://www.cubelec.com.tw/CookieAuth.dll?GetPic?formdir=1&image=favicon.ico
TW
suspicious
1972
iexplore.exe
GET
200
203.69.42.195:80
http://www.cubelec.com.tw/download/reports/js/909989/OWAnewform.html
TW
html
9.32 Kb
suspicious
2304
iexplore.exe
GET
404
203.69.42.195:80
http://www.cubelec.com.tw/CookieAuth.dll?GetPic?formdir=1&image=favicon.ico
TW
xml
992 b
suspicious
3056
iexplore.exe
GET
200
2.16.186.56:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
compressed
55.2 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3056
iexplore.exe
157.56.112.46:443
emea01.safelinks.protection.outlook.com
Microsoft Corporation
US
whitelisted
2304
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1972
iexplore.exe
104.47.1.28:443
eur01.safelinks.protection.outlook.com
Microsoft Corporation
AT
whitelisted
2304
iexplore.exe
104.47.1.28:443
eur01.safelinks.protection.outlook.com
Microsoft Corporation
AT
whitelisted
3056
iexplore.exe
104.47.2.28:443
eur01.safelinks.protection.outlook.com
Microsoft Corporation
IE
whitelisted
3004
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3056
iexplore.exe
203.69.42.195:80
www.cubelec.com.tw
Data Communication Business Group
TW
suspicious
1972
iexplore.exe
203.69.42.195:80
www.cubelec.com.tw
Data Communication Business Group
TW
suspicious
3056
iexplore.exe
2.16.186.56:80
www.download.windowsupdate.com
Akamai International B.V.
whitelisted
3056
iexplore.exe
162.130.196.190:443
owa.marriott.com
Marriot Corporation
US
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
emea01.safelinks.protection.outlook.com
  • 157.56.112.46
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
eur01.safelinks.protection.outlook.com
  • 104.47.2.28
  • 104.47.0.28
  • 104.47.1.28
whitelisted
www.cubelec.com.tw
  • 203.69.42.195
suspicious
owa.marriott.com
  • 162.130.196.190
unknown
www.download.windowsupdate.com
  • 2.16.186.56
  • 2.16.186.81
  • 67.26.115.254
  • 67.27.157.254
  • 67.26.139.254
  • 67.27.159.254
  • 67.26.81.254
  • 93.184.221.240
whitelisted

Threats

PID
Process
Class
Message
3056
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL
1972
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ReCompletion_statement.eml