File name: FW The Prestige Group Confidential.msg

Full analysis: https://app.any.run/tasks/f76eb2a2-4c05-4e89-bb8a-e9531332b10e
Verdict: Malicious activity
Analysis date: September 18, 2019, 20:13:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 9170AD14B4F7E6F37D9D2DAEE519E25D
SHA1: B5E8329298824290031AE4505F57FFA63D4403B1
SHA256: 43E1A304B2177247F8FE682182E02FD88CD9B56F8BB45A96BB83E346CDE53236
SSDEEP: 768:2HXUIdIKknv8f7VkFwqmIBPsKQPsKjryXgRRQJ7BKEUlG/s5HiR7Mt1pL/IGlriO:Wd5Ks8+rFE5sk0nj8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 3424)
  • SUSPICIOUS
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 3424)
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 3424)
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 3424)
    • Uses IPCONFIG.EXE to discover IP address
      • sdiagnhost.exe (PID: 3736)
    • Executed via COM
      • sdiagnhost.exe (PID: 3736)
      • sdiagnhost.exe (PID: 2932)
    • Executable content was dropped or overwritten
      • msdt.exe (PID: 3024)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 408)
    • Application launched itself
      • iexplore.exe (PID: 408)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 3424)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3360)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph:
  • outlook.exe
  • iexplore.exe
  • iexplore.exe
  • msdt.exe
  • sdiagnhost.exe (no specs)
  • ipconfig.exe (no specs)
  • route.exe (no specs)
  • makecab.exe (no specs)
  • sdiagnhost.exe (no specs)

Process information

PID: 3424
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW The Prestige Group Confidential.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 408
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://summercrestnet-my.sharepoint.com/:o:/g/personal/sgunnerson_summercrest_net/EndLaok3Y-VFumPw7Ym4FxMB-guZ0gwy4SGsejY7GmiOqg?e=3mUITi
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3360
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:408 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3024
CMD: -modal 66108 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF1CA0.tmp -ep NetworkDiagnosticsWeb
Path: C:\Windows\system32\msdt.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3736
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3816
CMD: "C:\Windows\system32\ipconfig.exe" /all
Path: C:\Windows\system32\ipconfig.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IP Configuration Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2700
CMD: "C:\Windows\system32\ROUTE.EXE" print
Path: C:\Windows\system32\ROUTE.EXE
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Route Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3376
CMD: "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
Path: C:\Windows\system32\makecab.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Cabinet Maker
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2932
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 660
Read events: 1 182
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 4
Suspicious files: 4
Text files: 73
Unknown types: 6

Dropped files

PID: 3424 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR99E3.tmp.cvr
Type:
MD5:
SHA256:

PID: 3424 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CABEF182.dat
Type: image
MD5: 2C37A3419D9623972FBD0E7778974784
SHA256: 678F7F5BA99DA13066499233A268073558055E669276F9C3B70D5C833A2AB436

PID: 3424 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Type: pgc
MD5: EF2C8433C5C43612721B3C17473E0E5C
SHA256: 8C538415BDCEBE470BBDA50EE7B8DF41F6B942A87CEC44B745992B7501F06308

PID: 3424 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{97B32129-7266-43D1-A71F-6994C4890AC9}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png
Type: image
MD5: 7D80C0A7E3849818695EAF4989186A3C
SHA256: 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597

PID: 3424 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\StructuredQuery.log
Type: text
MD5: 4CB1F48D32DE1930742DCC43A1AA14E0
SHA256: 86DB15FAA7799D92295B9B387820B9B12D59DD7C6CE732AA5E79467911E7EE85

PID: 3424 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F59E0F9B.dat
Type: image
MD5: D94F78B4F3DDC09E4CC7BD77459C414C
SHA256: FC4542BDD1063E2027272976D7ADEE27DB1A1121BF568B36DA87D5B7F4D3CAF9

PID: 3360 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type: dat
MD5: 55BC3ABC6BDDA3289C15E9CAF22654BA
SHA256: C8AF1122355E4C4BFD1F6701FA12B216A40F03703C74700124FBEAD7130086AC

PID: 3424 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_8099E0CD16D4B64191B558BC0DD9A3E1.dat
Type: xml
MD5: EEAA832C12F20DE6AAAA9C7B77626E72
SHA256: C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16

PID: 3424 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_8906F323CE71674DA070AAA58F54D943.dat
Type: xml
MD5: D8B37ED0410FB241C283F72B76987F18
SHA256: 31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114

PID: 3424 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_7BCFFF113541EE49A2A179CA5BC8A617.dat
Type: xml
MD5: BBCF400BD7AE536EB03054021D6A6398
SHA256: 383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3424 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3424 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
408 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3360 | iexplore.exe | 13.107.136.9:443 | summercrestnet-my.sharepoint.com | Microsoft Corporation | US | whitelisted
408 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
984 | svchost.exe | 13.107.136.9:443 | summercrestnet-my.sharepoint.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
summercrestnet-my.sharepoint.com | 13.107.136.9 | suspicious
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared

Threats

No threats detected
No debug info