File name: FW Diana participate in this survey for an Amazon Gift Card.msg

Full analysis: https://app.any.run/tasks/6afe8adf-0bd4-455e-91df-bcbb0a1b4e5a
Verdict: Malicious activity
Analysis date: August 12, 2022, 16:42:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: CD5C1E9E221F9A37733565EC2EB64E49
SHA1: F6D69DDBE78CAC4830C0D44C80287DE24D57A56C
SHA256: 3B521E6CC82CD4F8D8AB12B0F8CD3CD9DD5AA6AC152BAFA666DA3EA561E9E337
SSDEEP: 384:XYnpmP7/UwNM14JqkX8dnu2i7mi20teJZ4ZfcJvk0gdWxOJH+4ehZ8ABpBlLB:XY3JFU8Ud7N20t24BcRgdWxoEZ8AHPL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • OUTLOOK.EXE (PID: 1476)
      • firefox.exe (PID: 1984)
      • firefox.exe (PID: 2328)
      • firefox.exe (PID: 2904)
      • firefox.exe (PID: 2716)
      • firefox.exe (PID: 2068)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 1476)
      • firefox.exe (PID: 1984)
      • firefox.exe (PID: 2328)
      • firefox.exe (PID: 2716)
      • firefox.exe (PID: 2904)
      • firefox.exe (PID: 2068)
    • Manual execution by user

      • firefox.exe (PID: 1984)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 1476)
    • Reads CPU info

      • firefox.exe (PID: 1984)
    • Application launched itself

      • firefox.exe (PID: 1984)
    • Reads the date of Windows installation

      • firefox.exe (PID: 1984)
    • Creates files in the program directory

      • firefox.exe (PID: 1984)
    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 1984)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 0

Behavior graph (interactive in the full report): start -> outlook.exe, firefox.exe, and four firefox.exe child processes (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
1476 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\FW Diana participate in this survey for an Amazon Gift Card.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | | Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.4760.1000
Modules
Images
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1984 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | | Explorer.EXE
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
67.0.4
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2328 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.0.1099404033\1082636663" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 1176 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
67.0.4
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2904 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.3.1284808646\1661042620" -childID 1 -isForBrowser -prefsHandle 1668 -prefMapHandle 1664 -prefsLen 1 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 1336 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2716 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.13.591713497\893438393" -childID 2 -isForBrowser -prefsHandle 2728 -prefMapHandle 2824 -prefsLen 5823 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 2848 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2068 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.20.1296313839\102317956" -childID 3 -isForBrowser -prefsHandle 3384 -prefMapHandle 3436 -prefsLen 6545 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 3460 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
Total events: 7 606
Read events: 7 037
Write events: 550
Delete events: 19

Modification events

(PID) Process: (1476) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation | Name | Value
write | 1033 | Off
write | 1041 | Off
write | 1042 | Off
write | 1046 | Off
write | 1036 | Off
write | 1031 | Off
write | 1040 | Off
write | 1049 | Off
write | 3082 | Off
write | 1055 | Off
Executable files: 0
Suspicious files: 80
Text files: 22
Unknown types: 51

Dropped files

PID | Process | Filename | Type
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR98AD.tmp.cvr |
MD5:
SHA256:
1476 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst |
MD5:
SHA256:
1984 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\startupCache\scriptCache-current.bin |
MD5:
SHA256:
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
MD5: C56BDDD75480D2F6828F720234B95CE3
SHA256: FA048DE57FCBAF52F3A60891FE46D7BF7E7E50FFD696C169C99047C1DFB16CD0
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
MD5: 38CDB59D835CB79187E3833E7FCB65B5
SHA256: 4AE5842397753D6A5D04C83117D3E375D755BBFA50FD9368D1FEBEF3551D3859
1984 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\sessionCheckpoints.json.tmp | binary
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_D161B0A728E1AA47B734315768DDF8AB.dat | xml
MD5: EC8CA8C4D9E4B21BF1DBC33B4FD27816
SHA256: B1230E47FEE2A9F664C82C590C242F764D50C542F8F773254B6CEAC9145F50EF
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_2B77906F7C272043BBB5C8B40AE4B57B.dat | xml
MD5: D8B37ED0410FB241C283F72B76987F18
SHA256: 31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_D4BD8BBD2C39E344825392F29C7E5E40.dat | xml
MD5: 0B5B8DC93D5CDF7CA798E0F70F9088E5
SHA256: BEC0EBA2EF9D67291F450ADA494386148A210A279927D160B50C238ADDC1DF8B
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\FORMS\FRMDATA64.DAT | binary
MD5: C4643157E488AC6D771054CAD7D50D84
SHA256: D4FF48EB72AA94E3BA215C87B198733048E75105D024CCA42960EF96A8E04EA6
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 6
TCP/UDP connections: 16
DNS requests: 54
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1476 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
1984 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
1984 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
1984 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
1984 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted
1984 | firefox.exe | POST | 200 | 2.16.186.19:80 | http://r3.o.lencr.org/ | unknown | der | 503 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1476 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
| | 13.224.189.113:443 | snippets.cdn.mozilla.net | | US | suspicious
1984 | firefox.exe | 44.240.237.74:443 | shavar.services.mozilla.com | University of California, San Diego | US | unknown
1984 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
| | 34.107.221.82:80 | detectportal.firefox.com | | US | whitelisted
1984 | firefox.exe | 35.165.143.157:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown
1984 | firefox.exe | 44.225.72.11:443 | search.services.mozilla.com | University of California, San Diego | US | unknown
1984 | firefox.exe | 104.111.241.253:443 | surveys.zoomintel.com | Akamai International B.V. | NL | unknown
1984 | firefox.exe | 2.16.186.19:80 | r3.o.lencr.org | Akamai International B.V. | | whitelisted
1984 | firefox.exe | 2.18.232.194:443 | eu.qualtrics.com | Akamai International B.V. | | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
detectportal.firefox.com | 34.107.221.82 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82, 2600:1901:0:38d7:: | whitelisted
search.services.mozilla.com | 44.225.72.11, 54.213.198.91, 52.35.93.250 | whitelisted
search.r53-2.services.mozilla.com | 52.35.93.250, 54.213.198.91, 44.225.72.11 | whitelisted
push.services.mozilla.com | 35.165.143.157 | whitelisted
autopush.prod.mozaws.net | 35.165.143.157 | whitelisted
tiles.services.mozilla.com | | whitelisted
snippets.cdn.mozilla.net | 13.224.189.113, 13.224.189.19, 13.224.189.85, 13.224.189.45 | whitelisted
d228z91au11ukj.cloudfront.net | 13.224.189.45, 13.224.189.85, 13.224.189.19, 13.224.189.113 | whitelisted

Threats

PID | Process | Class | Message
1984 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile
No debug info