analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

phish_alert_GA1.0.52-0 (3).eml

Full analysis: https://app.any.run/tasks/b2360b40-ad73-4091-b781-9e6e5c2f896e
Verdict: Malicious activity
Analysis date: August 12, 2022, 18:38:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: SMTP mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

8F1998BE70B19D9CDA7FE1B523C2DA6D

SHA1:

0C810609F9F4E37EA2CCB452A495A4CC9E8A5049

SHA256:

2E967B60C2F51827EC30F64C1565E51A3F1B95210377EEEA221355208F3E22CD

SSDEEP:

384:ezHVK7qwyJ7EOsbljVoTy51+HLkqD/DRKTEDxhu96P1OXrQ5OlnGdqXFz2lqjb:fK7ENlZx2LZD/Dr66PI7vlGdqXFA+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the computer name

      • OUTLOOK.EXE (PID: 3176)
    • Checks supported languages

      • OUTLOOK.EXE (PID: 3176)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 3176)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 4020)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 4020)
      • iexplore.exe (PID: 1880)
    • Reads the computer name

      • iexplore.exe (PID: 1880)
      • iexplore.exe (PID: 4020)
    • Application launched itself

      • iexplore.exe (PID: 1880)
    • Changes internet zones settings

      • iexplore.exe (PID: 1880)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 4020)
      • iexplore.exe (PID: 1880)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 4020)
      • iexplore.exe (PID: 1880)
    • Reads internet explorer settings

      • iexplore.exe (PID: 4020)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1880)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1880)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 7) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3176"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_GA1.0.52-0 (3).eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
1880"C:\Program Files\Internet Explorer\iexplore.exe" https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=http%3a%2f%2fclt936171.bmetrack.com%2fc%2fl%3fu%3dE343ADC%26e%3d14D08F1%26c%3dE48EB%26t%3d0%26l%3d8840DF18%26email%3dSk3TMbRft7YX%252BYkZeVEsOC6j1L7FShlXvkoMUP1VmwT7DsljURckizciHg%252FVbFy1%26seq%3d3&umid=8f7c097b-86db-4766-a81f-846cc7026023&auth=d7d55759d2069bb9ccd911e20db3b5b74572a8c0-9a84c1c1cc275c376514ee60d30a62c585c5edddC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
4020"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1880 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
24 582
Read events
23 867
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
19
Text files
33
Unknown types
14

Dropped files

PID
Process
Filename
Type
3176OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR4464.tmp.cvr
MD5:
SHA256:
3176OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
1880iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:EE87BB11E233C12009CC11725035DBDC
SHA256:D82930A5B051B3C3F1639C24E83BDDF41D5AA66E467A0944D1AC3D59AE6330C5
1880iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:AA45ADB7877A4E295343EA92AEC9AF93
SHA256:3F7A71E05CD4D4C8E6CA8ECB1365062F7DD0B233E2F96AD3B6162465882A2DAC
3176OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:35B3DD41A1C0386638161DB3389E8B31
SHA256:64CB4BEB893CFDA12DB4EAB86D5FEBCBF819697244F63E3B688D93FFCED182FC
1880iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:02AEE305DE693F7EEF1AC3910665A7C7
SHA256:6E5B06084E468BB5FCA86A04DE823C3B923999E8DF8E700B3F389D23E5D92A49
3176OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:CB6D9D10F8C9A8900A04A380652F1625
SHA256:696A827812508E646BE506752BB08C42F4C81420039C069A4A72CBD89BE6CC34
4020iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3der
MD5:96DE27FBD89F2EF99EB34AD9AA9EC29D
SHA256:EBBBF18B40EF85315728C6962D99411BF4E836D8393695A4D6751243EEAA9B95
3176OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_6D782606D19C83438258CE2AE44D80B4.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
1880iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
43
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3176
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
4020
iexplore.exe
GET
200
151.101.2.133:80
http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D
US
der
1.40 Kb
whitelisted
4020
iexplore.exe
GET
200
151.101.194.133:80
http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDEW%2BmJUAT2jAp1nrDA%3D%3D
US
der
1.40 Kb
whitelisted
1880
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
4020
iexplore.exe
GET
302
44.241.57.198:80
http://clt936171.bmetrack.com/c/l?u=E343ADC&e=14D08F1&c=E48EB&t=0&l=8840DF18&email=Sk3TMbRft7YX%2BYkZeVEsOC6j1L7FShlXvkoMUP1VmwT7DsljURckizciHg%2FVbFy1&seq=3
US
html
381 b
suspicious
4020
iexplore.exe
GET
200
2.16.186.10:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgQsUm8iUJy5NkAH%2BuRDE%2BoTPA%3D%3D
unknown
der
503 b
shared
4020
iexplore.exe
GET
200
142.250.185.99:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
4020
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAlrgulzmZS6%2FVWwIdvHyL8%3D
US
der
278 b
whitelisted
1880
iexplore.exe
GET
200
67.27.159.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9d55989115d3dc93
US
compressed
4.70 Kb
whitelisted
4020
iexplore.exe
GET
200
67.27.159.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b6ac8d8f1e5e4ce2
US
compressed
60.2 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1880
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3176
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
4020
iexplore.exe
151.101.2.133:80
ocsp2.globalsign.com
Fastly
US
malicious
4020
iexplore.exe
151.101.194.133:80
ocsp2.globalsign.com
Fastly
US
suspicious
4020
iexplore.exe
44.239.135.112:443
ddec1-0-en-ctp.trendmicro.com
University of California, San Diego
US
unknown
1880
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1880
iexplore.exe
67.27.159.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
malicious
4020
iexplore.exe
96.16.145.230:80
x1.c.lencr.org
Akamai Technologies, Inc.
US
suspicious
4020
iexplore.exe
104.18.11.207:443
maxcdn.bootstrapcdn.com
Cloudflare Inc
US
suspicious
4020
iexplore.exe
2.16.186.10:80
r3.o.lencr.org
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
ddec1-0-en-ctp.trendmicro.com
  • 44.239.135.112
  • 52.11.88.249
  • 35.165.38.131
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ctldl.windowsupdate.com
  • 67.27.159.254
  • 67.27.157.254
  • 67.26.139.254
  • 8.248.145.254
  • 67.27.233.254
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp2.globalsign.com
  • 151.101.2.133
  • 151.101.66.133
  • 151.101.130.133
  • 151.101.194.133
whitelisted
ocsp.globalsign.com
  • 151.101.194.133
  • 151.101.130.133
  • 151.101.66.133
  • 151.101.2.133
whitelisted
clt936171.bmetrack.com
  • 44.241.57.198
  • 54.190.45.81
  • 52.26.61.15
  • 52.26.188.109
suspicious
technews.techreports.info
  • 64.44.139.14
unknown

Threats

No threats detected
No debug info