File name:

Action Required 4 Notification from Adtalem Admin on 13 August 2019.msg

Full analysis: https://app.any.run/tasks/5235364b-73ca-43e4-b084-1b1813843813
Verdict: Malicious activity
Analysis date: August 13, 2019, 16:59:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

51B8AB0FEB0CEC39941A480C74430F65

SHA1:

7CB81743A20784D870661A9E4B6C54E34876C522

SHA256:

5D50D4A47597ABF7B2FA5B3D11023452FDC8F79C6C3CEB8A3ECCE900F778FC08

SSDEEP:

1536:v7i7rlexK3vLnXHou7zWcW8Wn9l/IHAWqAjgNBOGWWkhiD+nq5qM4:v2PlRLn3o8MgoAjgNBeX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 1912)

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1912)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 1912)

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 1912)

  • INFO

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1912)

    • Changes internet zones settings

      • iexplore.exe (PID: 3564)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 388)
      • iexplore.exe (PID: 3564)

    • Manual execution by user

      • firefox.exe (PID: 2368)

    • Reads internet explorer settings

      • iexplore.exe (PID: 388)

    • Application launched itself

      • firefox.exe (PID: 2284)
      • iexplore.exe (PID: 3564)

    • Creates files in the user directory

      • firefox.exe (PID: 2284)

    • Reads CPU info

      • firefox.exe (PID: 2284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
9
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe

Process information

PID
CMD
Path
Indicators
Parent process
388"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3564 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
764"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2284.20.182099442\1340803983" -childID 3 -isForBrowser -prefsHandle 3656 -prefMapHandle 3660 -prefsLen 7129 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2284 "\\.\pipe\gecko-crash-server-pipe.2284" 3672 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
1364"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2284.13.653512591\896045599" -childID 2 -isForBrowser -prefsHandle 2472 -prefMapHandle 2480 -prefsLen 5996 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2284 "\\.\pipe\gecko-crash-server-pipe.2284" 2500 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
1912"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Action Required 4 Notification from Adtalem Admin on 13 August 2019.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
Modules
Images
c:\progra~1\micros~1\office14\outlook.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2284"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2368"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2472"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2284.3.887365970\1277523874" -childID 1 -isForBrowser -prefsHandle 1328 -prefMapHandle 1432 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2284 "\\.\pipe\gecko-crash-server-pipe.2284" 1744 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
3564"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\4RNW275O\13-August-2019.htmlC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3968"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2284.0.28457751\1307424433" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2284 "\\.\pipe\gecko-crash-server-pipe.2284" 1156 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
Total events
2 512
Read events
2 031
Write events
460
Delete events
21

Modification events

(PID) Process:(1912) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(1912) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(1912) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
Operation:writeName:$d?
Value:
24643F0078070000010000000000000000000000
(PID) Process:(1912) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook
Operation:writeName:MTTT
Value:
78070000F0C48783F851D50100000000
(PID) Process:(1912) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\SQM
Operation:writeName:SQMSessionNumber
Value:
0
(PID) Process:(1912) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\SQM
Operation:writeName:SQMSessionDate
Value:
220168800
(PID) Process:(1912) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\0a0d020000000000c000000000000046
Operation:writeName:00030429
Value:
03000000
(PID) Process:(1912) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
Operation:writeName:{ED475418-B0D6-11D2-8C3B-00104B2A6676}
Value:
(PID) Process:(1912) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
Operation:writeName:LastChangeVer
Value:
1200000000000000
(PID) Process:(1912) OUTLOOK.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109A10090400000000000F01FEC\Usage
Operation:writeName:OutlookMAPI2Intl_1033
Value:
1326252053
Executable files
0
Suspicious files
64
Text files
68
Unknown types
49

Dropped files

PID
Process
Filename
Type
1912OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR8CA4.tmp.cvr
MD5:
SHA256:
1912OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\mso902F.tmp
MD5:
SHA256:
1912OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\4RNW275O\13-August-2019 (2).html\:Zone.Identifier:$DATA
MD5:
SHA256:
1912OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:
SHA256:
1912OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_A73024C569BD90468F88B68CE19148D3.datxml
MD5:807EF0FC900FEB3DA82927990083D6E7
SHA256:4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913
1912OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\4RNW275O\13-August-2019 (2).htmlhtml
MD5:
SHA256:
3564iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
388iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:
SHA256:
3564iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1912OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{32BCC260-611C-499C-A6B8-C1A03FFFC206}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:7D80C0A7E3849818695EAF4989186A3C
SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
43
DNS requests
76
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2284
firefox.exe
GET
2.16.186.50:80
http://detectportal.firefox.com/success.txt
unknown
whitelisted
1912
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2284
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2284
firefox.exe
POST
200
216.58.207.35:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
3564
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2284
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2284
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3564
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
388
iexplore.exe
162.241.65.216:443
boaiea.com
CyrusOne LLC
US
malicious
2284
firefox.exe
52.43.169.220:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
2284
firefox.exe
2.16.186.50:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
2284
firefox.exe
54.186.239.73:443
push.services.mozilla.com
Amazon.com, Inc.
US
unknown
2284
firefox.exe
52.43.150.4:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
2284
firefox.exe
172.217.22.74:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2284
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2284
firefox.exe
99.86.1.62:443
snippets.cdn.mozilla.net
AT&T Services, Inc.
US
unknown
2284
firefox.exe
13.35.253.117:443
firefox.settings.services.mozilla.com
US
suspicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
boaiea.com
  • 162.241.65.216
malicious
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
whitelisted
search.services.mozilla.com
  • 52.43.169.220
  • 52.88.112.58
  • 34.211.94.5
whitelisted
search.r53-2.services.mozilla.com
  • 34.211.94.5
  • 52.88.112.58
  • 52.43.169.220
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
whitelisted
push.services.mozilla.com
  • 54.186.239.73
whitelisted
autopush.prod.mozaws.net
  • 54.186.239.73
whitelisted
snippets.cdn.mozilla.net
  • 99.86.1.62
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Action Required 4 Notification from Adtalem Admin on 13 August 2019.msg