analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

MEJIA RODRIGUEZ ABRIL ILEANA.msg

Full analysis: https://app.any.run/tasks/0ef7f20c-7371-4979-a732-5c1dcc540e04
Verdict: Malicious activity
Analysis date: October 19, 2020, 23:21:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

8CAB8659CB10236E0B8FB417534B3D94

SHA1:

316778036534AB496ECF2B6DE8831E9E930278B5

SHA256:

44A93EFE25B300434A39F2BE94A8C1879A10B8D3DAB19496E59DAC7F400BB2B1

SSDEEP:

6144:sfGnYndrJlFOEk8e91AMxVbipEKuNP3VbipJKuNn:Cd1vOZ791AMVb2ETFVb2JT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 1888)

  • SUSPICIOUS

    • Starts itself from another location

      • OUTLOOK.EXE (PID: 1888)

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 1888)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 2516)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3124)
      • iexplore.exe (PID: 2516)
      • iexplore.exe (PID: 3204)
      • AcroRd32.exe (PID: 1592)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 3124)
      • OUTLOOK.EXE (PID: 1888)
      • iexplore.exe (PID: 636)
      • iexplore.exe (PID: 2516)
      • AcroRd32.exe (PID: 1592)
      • AcroRd32.exe (PID: 1304)
      • iexplore.exe (PID: 2468)

    • Application launched itself

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 2516)
      • AcroRd32.exe (PID: 1592)
      • RdrCEF.exe (PID: 2696)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1888)
      • iexplore.exe (PID: 636)
      • iexplore.exe (PID: 3124)

    • Reads internet explorer settings

      • iexplore.exe (PID: 636)
      • iexplore.exe (PID: 3124)
      • iexplore.exe (PID: 2468)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1888)
      • OUTLOOK.EXE (PID: 944)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 636)
      • iexplore.exe (PID: 3124)

    • Changes IE settings (feature browser emulation)

      • AcroRd32.exe (PID: 1592)

    • Reads the hosts file

      • RdrCEF.exe (PID: 2696)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 2516)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 2516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
13
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe iexplore.exe iexplore.exe outlook.exe no specs acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs msoxmled.exe no specs iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1888"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\MEJIA RODRIGUEZ ABRIL ILEANA.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2516"C:\Program Files\Internet Explorer\iexplore.exe" https://u940138.ct.sendgrid.net/ls/click?upn=Cg2p-2FRTq2KqTebNJNRukqaum6ju7MEhDPrKSoNU32Ek-3DY8QV_NhGQB-2BOJq-2FdB4ecq4ungPiu6zF8IIcAmBDCYdzM0IJA2sNFmaPfuFz0FyGzQspXRrJrC54fUcIr94qFU5v2783pWTMKsvmfE0vAqaM6EEoJ6uf-2BuKQc31F9tnqKnYXnpFQ8ENfaDwrYaFLtDIoW1LkyAClxsCgtyeN5v5Snux69rb44muGk-2B3tpQmzArUc2uUAF687YuXM5psJcfmyXLiA-3D-3DC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3204"C:\Program Files\Internet Explorer\iexplore.exe" https://u940138.ct.sendgrid.net/ls/click?upn=Cg2p-2FRTq2KqTebNJNRukqaum6ju7MEhDPrKSoNU32Ek-3DY8QV_NhGQB-2BOJq-2FdB4ecq4ungPiu6zF8IIcAmBDCYdzM0IJA2sNFmaPfuFz0FyGzQspXRrJrC54fUcIr94qFU5v2783pWTMKsvmfE0vAqaM6EEoJ6uf-2BuKQc31F9tnqKnYXnpFQ8ENfaDwrYaFLtDIoW1LkyAClxsCgtyeN5v5Snux69rb44muGk-2B3tpQmzArUc2uUAF687YuXM5psJcfmyXLiA-3D-3DC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3124"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2516 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
636"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3204 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
944"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXEOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
1592"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\O6145OJL\FBP021016D43_Recibo de Donativo_A_48420_48A5C5AD-DC12-41DC-8B86-84692CACB73B.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
OUTLOOK.EXE
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
1304"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\O6145OJL\FBP021016D43_Recibo de Donativo_A_48420_48A5C5AD-DC12-41DC-8B86-84692CACB73B.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
2696"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
2684"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2696.0.1256258825\1153884357" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
Total events
3 702
Read events
2 661
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
146
Text files
209
Unknown types
108

Dropped files

PID
Process
Filename
Type
1888OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR4C53.tmp.cvr
MD5:
SHA256:
1888OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:6790E1D6CBA8C69BFE78361E98B1D4A1
SHA256:52E669C9136EC9D49197FC0CAC58A4A902C049DA035C8274EC47D661A2D18F4E
1888OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:268959F822AABC304EB35BA717858885
SHA256:8C4D5D7A86B19474C89122F3CFAE6AF901EEEA8F68796E58871299F4E35A3ED3
3124iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab8768.tmp
MD5:
SHA256:
3124iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2Dder
MD5:447BA811A11D5C235B85B00C89D15E3C
SHA256:A578B18B1C59B6A088C9242721D9069B53A3BB830DE7D2CB7EB47C3B2CD55457
3124iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771binary
MD5:CB3E8C5FEBA9DE1BF25E4B9C73D00055
SHA256:FC350DA9255C7E0EBA341A9675652192ADEB8A82E885B55C7A96D6E1D2155DDB
3124iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771der
MD5:36CCD4F4EB5D5CABA32FF876CCC6DD40
SHA256:430D95E78346922E2DB34A4CED430E9538F870EE54EDF6B7C97FA7BCE4B0FC5B
1888OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\StructuredQuery.logtext
MD5:F337BF38F2D2CB46C988CD837F546B4F
SHA256:E3856C1E9FEA16B977954260C5732B510FB7425FB2AD0712A641F861167CCCB9
3124iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2Dbinary
MD5:87F0B9CEDEE56AF83FC99D387ABB69D8
SHA256:77C1C0C3B6AE6D17AF45C5C343EF01B3F301E5FB52217B590ECE6E024640DDE8
3124iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar8769.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
88
TCP/UDP connections
128
DNS requests
38
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3124
iexplore.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCAFQWPc8P68%2F
US
der
1.74 Kb
whitelisted
1888
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3124
iexplore.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
636
iexplore.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCAFQWPc8P68%2F
US
der
1.74 Kb
whitelisted
3124
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
3124
iexplore.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
3124
iexplore.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
3124
iexplore.exe
GET
200
192.124.249.41:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
3124
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
636
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3124
iexplore.exe
192.124.249.41:80
ocsp.godaddy.com
Sucuri
US
suspicious
3124
iexplore.exe
167.89.115.54:443
u940138.ct.sendgrid.net
SendGrid, Inc.
US
suspicious
636
iexplore.exe
192.124.249.41:80
ocsp.godaddy.com
Sucuri
US
suspicious
1888
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
636
iexplore.exe
167.89.115.54:443
u940138.ct.sendgrid.net
SendGrid, Inc.
US
suspicious
3124
iexplore.exe
151.139.128.14:80
ocsp.usertrust.com
Highwinds Network Group, Inc.
US
suspicious
636
iexplore.exe
201.175.24.180:443
fel.blikon.com
Sixsigma Networks Mexico, S.A. de C.V.
MX
unknown
3124
iexplore.exe
201.175.24.180:443
fel.blikon.com
Sixsigma Networks Mexico, S.A. de C.V.
MX
unknown
2516
iexplore.exe
201.175.24.180:443
fel.blikon.com
Sixsigma Networks Mexico, S.A. de C.V.
MX
unknown
3204
iexplore.exe
201.175.24.180:443
fel.blikon.com
Sixsigma Networks Mexico, S.A. de C.V.
MX
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
u940138.ct.sendgrid.net
  • 167.89.115.54
  • 167.89.123.16
suspicious
ocsp.godaddy.com
  • 192.124.249.41
  • 192.124.249.22
  • 192.124.249.23
  • 192.124.249.24
  • 192.124.249.36
whitelisted
fel.blikon.com
  • 201.175.24.180
unknown
ocsp.usertrust.com
  • 151.139.128.14
whitelisted
ocsp.sectigo.com
  • 151.139.128.14
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
unpkg.com
  • 104.16.124.175
  • 104.16.126.175
  • 104.16.125.175
  • 104.16.123.175
  • 104.16.122.175
whitelisted
www.facturarenlinea.com.mx
  • 13.84.149.34
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
MEJIA RODRIGUEZ ABRIL ILEANA.msg