File name: _Phish Alert_ Brandon Foster.msg

Full analysis: https://app.any.run/tasks/26e2c5f1-9f18-4769-a654-9f7fafab4fa0
Verdict: Malicious activity
Analysis date: January 18, 2020, 08:59:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 84BF36C9B5A7C72A6639CF7CE9B51D71
SHA1: 2703500EAAEA04AD7D2CF8E23CE2A5FE91D40451
SHA256: 30B60A504377DA3978289C03FF498190212E84983AB76862C9DBEF5E7DB36908
SSDEEP: 1536:kQzWtWrWHtHWbWwWSoSl+m325l+ZS3PGS4djmc4OcpSa2ccfrN:kQqt4oQ3dPDIGN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2480)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 2480)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2480)
    • Starts itself from another location
      • OUTLOOK.EXE (PID: 2480)
    • Executed via COM
      • prevhost.exe (PID: 324)
  • INFO
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2480)
      • OUTLOOK.EXE (PID: 3940)
      • OUTLOOK.EXE (PID: 2660)

Note on the verdict: the only MALICIOUS signature is the process-spawn heuristic, and the children it refers to are notepad.exe opening the attached "Malware Alert Text" files and a second OUTLOOK.EXE instance opening the embedded source.eml (see Process information). "Starts itself from another location" fires because the child Outlook is launched from C:\PROGRA~1\MICROS~1\Office14\, the 8.3 short-name spelling of the same C:\Program Files\Microsoft Office\Office14\ directory the parent runs from. The report records no write, modification or delete events, no executable or suspicious dropped files, no HTTP requests and no network threats; the single connection is to config.messenger.msn.com, which is whitelisted. In an interactive session these child processes can equally be the analyst opening the attachments, which the disclaimer above allows for, so the verdict should be weighed against the full report rather than taken at face value.
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
Total processes: 42
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start
  outlook.exe (PID 2480)
    notepad.exe (PID 1732, no specs)
    outlook.exe (PID 3940, no specs)
    notepad.exe (PID 3276, no specs)
    outlook.exe (PID 2660, no specs)
    notepad.exe (PID 3972, no specs)
  prevhost.exe (PID 324, no specs; parent svchost.exe)

Process information

PID 2480  OUTLOOK.EXE  (parent process: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\_Phish Alert_ Brandon Foster.msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Outlook
  Version: 14.0.6025.1000

PID 1732  NOTEPAD.EXE  (parent process: OUTLOOK.EXE)
  CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text.txt
  Path: C:\Windows\system32\NOTEPAD.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Notepad
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3940  OUTLOOK.EXE  (parent process: OUTLOOK.EXE)
  CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\source.eml"
  Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Outlook
  Exit code: 0
  Version: 14.0.6025.1000

PID 3276  NOTEPAD.EXE  (parent process: OUTLOOK.EXE)
  CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text (3).txt
  Path: C:\Windows\system32\NOTEPAD.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Notepad
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 324  prevhost.exe  (parent process: svchost.exe)
  CMD: C:\Windows\system32\prevhost.exe {1531D583-8375-4D3F-B5FB-D23BBD169F22} -Embedding
  Path: C:\Windows\system32\prevhost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Preview Handler Surrogate Host
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2660  OUTLOOK.EXE  (parent process: OUTLOOK.EXE)
  CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\source.eml"
  Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Outlook
  Exit code: 0
  Version: 14.0.6025.1000

PID 3972  NOTEPAD.EXE  (parent process: OUTLOOK.EXE)
  CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text.txt
  Path: C:\Windows\system32\NOTEPAD.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Notepad
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
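The two process-tree signatures in this report ("Unusual execution from Microsoft Office" and "Starts itself from another location") can be re-derived from the Process information table alone. The script below is an added example, not ANY.RUN's signature engine; the process records are transcribed from the table above, while the rules, the OFFICE_IMAGES set and the parent resolution are this example's own. The page lists each parent only by image name, so parent PIDs are an assumption here: a child is attached to the first monitored process with that image name, which for OUTLOOK.EXE is PID 2480, the instance explorer.exe started.

```python
"""Rebuild the process tree from the report's records and re-apply the two
heuristics that produced its process-based indicators (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

CONTENT = r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6"
OUTLOOK_LONG = r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE"
OUTLOOK_SHORT = r"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE"   # 8.3 short-name form of the same binary
NOTEPAD = r"C:\Windows\system32\NOTEPAD.EXE"
PREVHOST = r"C:\Windows\system32\prevhost.exe"


@dataclass
class Process:
    pid: int
    parent_image: str   # as printed in the report's "Parent process" column
    path: str           # image path as printed
    cmd: str            # command line as printed


# Transcribed from the "Process information" section, in the page's order.
PROCESSES = [
    Process(2480, "explorer.exe", OUTLOOK_LONG,
            f'"{OUTLOOK_LONG}" /f "C:\\Users\\admin\\AppData\\Local\\Temp\\_Phish Alert_ Brandon Foster.msg"'),
    Process(1732, "OUTLOOK.EXE", NOTEPAD, f'"{NOTEPAD}" {CONTENT}\\Malware Alert Text.txt'),
    Process(3940, "OUTLOOK.EXE", OUTLOOK_SHORT, f'"{OUTLOOK_SHORT}" /eml "{CONTENT}\\source.eml"'),
    Process(3276, "OUTLOOK.EXE", NOTEPAD, f'"{NOTEPAD}" {CONTENT}\\Malware Alert Text (3).txt'),
    Process(324, "svchost.exe", PREVHOST,
            f"{PREVHOST} {{1531D583-8375-4D3F-B5FB-D23BBD169F22}} -Embedding"),
    Process(2660, "OUTLOOK.EXE", OUTLOOK_SHORT, f'"{OUTLOOK_SHORT}" /eml "{CONTENT}\\source.eml"'),
    Process(3972, "OUTLOOK.EXE", NOTEPAD, f'"{NOTEPAD}" {CONTENT}\\Malware Alert Text.txt'),
]

# Parent images whose non-Office children the spawn heuristic flags (this set
# is the example's own choice, not the sandbox's list).
OFFICE_IMAGES = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def resolve_parents(procs: List[Process]) -> Dict[int, Optional[int]]:
    """Map each PID to a parent PID, or None when the parent is not monitored
    (svchost.exe, which started prevhost.exe, has no record on the page).
    Assumption: the parent is the first monitored process with that image."""
    first_by_image: Dict[str, int] = {}
    for p in procs:
        first_by_image.setdefault(image_name(p.path), p.pid)
    return {p.pid: first_by_image.get(p.parent_image.lower()) for p in procs}


def build_tree(procs: List[Process]) -> Dict[Optional[int], List[int]]:
    """Parent PID -> child PIDs in the report's order; roots sit under None."""
    parents = resolve_parents(procs)
    tree: Dict[Optional[int], List[int]] = {}
    for p in procs:
        tree.setdefault(parents[p.pid], []).append(p.pid)
    return tree


def office_spawn_alerts(procs: List[Process]) -> List[int]:
    """PIDs of non-Office children started by an Office process: the rule that
    fired as "Unusual execution from Microsoft Office" on PID 2480."""
    return [p.pid for p in procs
            if p.parent_image.lower() in OFFICE_IMAGES
            and image_name(p.path) not in OFFICE_IMAGES]


def relaunch_alerts(procs: List[Process]) -> List[int]:
    """PIDs where a process starts its own image from a differently spelled
    path ("Starts itself from another location"). Here the difference is only
    the 8.3 short name PROGRA~1\\MICROS~1 versus the long form, so a string
    comparison fires even though it is the same binary; expanding short names
    on the host (GetLongPathName) before comparing would suppress it."""
    by_pid = {p.pid: p for p in procs}
    parents = resolve_parents(procs)
    out = []
    for p in procs:
        ppid = parents[p.pid]
        if ppid is None:
            continue
        parent = by_pid[ppid]
        if image_name(p.path) == image_name(parent.path) and p.path.lower() != parent.path.lower():
            out.append(p.pid)
    return out


def render(procs: List[Process]) -> str:
    """Indented tree, one line per process, tagged with the rule that fired."""
    tree = build_tree(procs)
    by_pid = {p.pid: p for p in procs}
    spawn, relaunch = set(office_spawn_alerts(procs)), set(relaunch_alerts(procs))
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        tag = " [office-spawn]" if pid in spawn else " [relaunch]" if pid in relaunch else ""
        lines.append(f"{'  ' * depth}{pid} {image_name(by_pid[pid].path)}{tag}")
        for child in tree.get(pid, []):
            walk(child, depth + 1)

    for root in tree.get(None, []):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(PROCESSES))
```

Run stand-alone it prints the tree with the three notepad.exe children tagged office-spawn and the two short-path Outlook children tagged relaunch, which is exactly the evidence the two signatures rest on; nothing in the tree shows a payload, so the output is the place to start when deciding whether the verdict reflects the sample or the analyst's clicks.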
Total events: 1 979
Read events: 1 356
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 33
Unknown types: 3

Dropped files

PID   Process      Filename (type); MD5 / SHA256 where the report lists them
2480  OUTLOOK.EXE  C:\Users\admin\AppData\Local\Temp\CVRA821.tmp.cvr
2480  OUTLOOK.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text (2).txt\:Zone.Identifier:$DATA
2480  OUTLOOK.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\source (2).eml\:Zone.Identifier:$DATA
3940  OUTLOOK.EXE  C:\Users\admin\AppData\Local\Temp\CVRE4FB.tmp.cvr
2480  OUTLOOK.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text (4).txt\:Zone.Identifier:$DATA
2480  OUTLOOK.EXE  C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm (pgc)
      MD5: 40046F299133446B3EEBB969A5EC0D25
      SHA256: BBF1CC721F1AA30D634A41E60359387CD7C9F7CE6F22C213AAA8B680E221F430
2660  OUTLOOK.EXE  C:\Users\admin\AppData\Local\Temp\CVR5029.tmp.cvr
2480  OUTLOOK.EXE  C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log (text)
      MD5: 0AA05B8AECD4103427EF825C82F48F78
      SHA256: 0EEDE15D984A8B061EC595F7636927C696CD26E29DBFE5329DE86F884DBF92E0
2480  OUTLOOK.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\source.eml (eml)
      MD5: 7348D819A3BE3955D85C2B9A3AF17418
      SHA256: 149477EBF8B3C8BC92923C96E2E9C10CA4764A62C2B8C66F9763E61B5F90AF7B
2480  OUTLOOK.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\M9G52BA6\Malware Alert Text (3).txt (text)
      MD5: 26EBC96284BA0A02A68C9529A3A27B2E
      SHA256: 2E5853C1124B9E70C3F75505BA33EE804AF0C4C383E72B53BB9F07D9FE5821BE
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP              Domain                    ASN                    CN  Reputation
2480  OUTLOOK.EXE  64.4.26.155:80  config.messenger.msn.com  Microsoft Corporation  US  whitelisted

DNS requests

Domain                    IP           Reputation
config.messenger.msn.com  64.4.26.155  whitelisted

Threats

No threats detected
No debug info