File name: External Email Account Suspended.msg
Full analysis: https://app.any.run/tasks/9a4050c8-0dec-41ec-af51-2b083bab172e
Verdict: Malicious activity
Analysis date: October 19, 2020, 21:38:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 3D749FEB17B9B0B0DD9CA3D301F04A78
SHA1: F3425696B496E467F50290DA8571EA171DA8EA23
SHA256: 41EDBF9C5C211C30E95FAE68C6BD0F321CCEE1F755F35757FC0BAE103FBCCFB7
SSDEEP: 1536:evz/MF/MswMYgNkEGWDWQ/YL9WCOQqcq3wOWbHY1:ebY9wb7ExYL21LQHY1
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 3068)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 3068)
  • INFO
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3180)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 3068)
      • iexplore.exe (PID: 3180)
    • Changes internet zones settings
      • iexplore.exe (PID: 3488)
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 3068)
      • iexplore.exe (PID: 3488)
      • iexplore.exe (PID: 3180)
    • Application launched itself
      • iexplore.exe (PID: 3488)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3180)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 3068)
No Malware configuration.

TRiD:
  .msg | Outlook Message (58.9)
  .oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph: start -> outlook.exe -> iexplore.exe -> iexplore.exe

Process information

PID 3068: OUTLOOK.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\External Email Account Suspended.msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Outlook
  Version: 14.0.6025.1000

PID 3488: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://urldefense.com/v3/__http:/login.mailcenter-alert.com/test_ffd563d352?l=64__;!!CjcC7IQ!emB6UfMrfeUvceQ4qQfp-RIwdu7MhJQLjhh-EdZEPUB5MaMrATg9WC3UIoy2_hyUlcs$
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3180: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3488 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 1 945
Read events: 1 331
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 34
Text files: 32
Unknown types: 20

Dropped files

PID 3068, OUTLOOK.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\CVR5028.tmp.cvr
  MD5:
  SHA256:
PID 3180, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9915FBCE5ECE56452A09FB65EDE2FAD2_18932885610B5B91D0B9280DC39653E2
  MD5:
  SHA256:
PID 3068, OUTLOOK.EXE
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
  Type: pgc
  MD5: 8F7ABCFA032ED2C257E579924E605353
  SHA256: 7D78DD7947C7A5C473F30106693F4F13559371AFA5FA934A06527B97E4A26662
PID 3068, OUTLOOK.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
  Type: text
  MD5: 9732BF9111D5B3CD17C340EAC7C9D540
  SHA256: 71FF4073BE7BA1377551EF7752A5713691456039A776FCE1AA61509810F39F64
PID 3180, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\TarEC79.tmp
  MD5:
  SHA256:
PID 3180, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9915FBCE5ECE56452A09FB65EDE2FAD2_18932885610B5B91D0B9280DC39653E2
  Type: der
  MD5: 7703A942BD2368F6386EE00658BDD6E1
  SHA256: A465B24E9D94B2CCC53B87273D8BAD863D5DA5B3DCA2B96F1B34BDFFB8EF32DE
PID 3068, OUTLOOK.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
  Type: text
  MD5: 48DD6CAE43CE26B992C35799FCD76898
  SHA256: 7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
PID 3180, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D93C575AD9E9AF9B95268A3CB953B5A1
  Type: der
  MD5: C2E141686C173076D591CFA9628B3E2B
  SHA256: E5A0B0826CDE2AAF551F24647C0BC6638C51277FEB9B72805E56788CFE513B4E
PID 3180, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D93C575AD9E9AF9B95268A3CB953B5A1
  Type: binary
  MD5: A7A4B48FAEF4CF35C05B2C0E41C11451
  SHA256: 1575385FE9366429AEAB20E312B72DB9BFA4024F667AB1D6433DBA415798231F
PID 3180, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
  Type: der
  MD5: E356DB3F801304807A3F406E52E876EF
  SHA256: FAD64279E584B00211F710053DB32E40FE67548335F9A5FE4AAADA18EB7173ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 27
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3180 | iexplore.exe | GET | 304 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAyO4MkNaokViAQGHuJB%2Ba8%3D | US | der | 471 b | whitelisted
3180 | iexplore.exe | GET | 200 | 23.37.43.27:80 | http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGMYDTj7gJd4qdA1oxYY%2BEA%3D | NL | der | 1.71 Kb | shared
3180 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://status.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFvn094QJ%2BcWGTwWWEy%2BBXPZkW8AQUo8heZVTlMHjBBeoHCmpZzLn%2B3loCEA53cAOejRmtccb8jN4MVZM%3D | US | der | 471 b | whitelisted
3180 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJaiu8Zb34NbCEEshrmcCs%3D | US | der | 471 b | whitelisted
3180 | iexplore.exe | GET | 200 | 23.37.43.27:80 | http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGMYDTj7gJd4qdA1oxYY%2BEA%3D | NL | der | 1.71 Kb | shared
3180 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA9bw6F2y3ieICDHiTyBZ7Q%3D | US | der | 1.47 Kb | whitelisted
3180 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJaiu8Zb34NbCEEshrmcCs%3D | US | der | 471 b | whitelisted
3180 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAyO4MkNaokViAQGHuJB%2Ba8%3D | US | der | 471 b | whitelisted
3180 | iexplore.exe | GET | 410 | 34.238.141.30:80 | http://login.mailcenter-alert.com/test_ffd563d352?l=64 | US | html | 1.61 Kb | whitelisted
3180 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://status.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFvn094QJ%2BcWGTwWWEy%2BBXPZkW8AQUo8heZVTlMHjBBeoHCmpZzLn%2B3loCEA53cAOejRmtccb8jN4MVZM%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 23.37.43.27:80 | s.symcd.com | Akamai Technologies, Inc. | NL | whitelisted
3180 | iexplore.exe | 173.194.76.157:443 | stats.g.doubleclick.net | Google Inc. | US | whitelisted
3180 | iexplore.exe | 13.35.253.17:443 | d25q7gseii1o1q.cloudfront.net | | US | suspicious
 | | 34.238.141.30:80 | login.mailcenter-alert.com | Amazon.com, Inc. | US | unknown
3068 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
3180 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3180 | iexplore.exe | 172.217.21.206:80 | www.google-analytics.com | Google Inc. | US | whitelisted
 | | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3180 | iexplore.exe | 216.58.210.4:443 | www.google.com | Google Inc. | US | whitelisted
3180 | iexplore.exe | 216.58.206.3:443 | www.google.fi | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
urldefense.com | 52.6.56.188 | shared
ocsp.digicert.com | 93.184.220.29 | whitelisted
status.thawte.com | 93.184.220.29 | whitelisted
login.mailcenter-alert.com | 34.238.141.30, 54.158.107.180 | unknown
d25q7gseii1o1q.cloudfront.net | 13.35.253.17, 13.35.253.53, 13.35.253.223, 13.35.253.189 | shared
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
s.symcd.com | 23.37.43.27 | shared
www.google-analytics.com | 172.217.21.206 | whitelisted

Threats: No threats detected
Debug info: No debug info