analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Account Details for kbkbzRisySX at All about . Label Packaging.msg

Full analysis: https://app.any.run/tasks/5dfa202f-d3ff-454c-8ccf-085cb8f722ab
Verdict: Malicious activity
Analysis date: May 24, 2019, 06:56:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

63B4E2EF93815FF556A37D1CF8D25E1F

SHA1:

33D98A581F7743DF28CBFC57C8E8F1B39E40B036

SHA256:

5DCB21E40909BD794934420DA96B290F210EF834AEFA17FB40A6A32F73BFC736

SSDEEP:

768:jptTZR17aM6gaPALR1fg500Ud0yepR5xxgMSLunHVYgmfffX937zQx6a:3H1uqaoc+4V4Ox6a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2820)
  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2820)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2820)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2820)
    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3516)
  • INFO

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2820)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2156)
    • Creates files in the user directory

      • iexplore.exe (PID: 2156)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3516)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2156)
      • iexplore.exe (PID: 3768)
    • Changes internet zones settings

      • iexplore.exe (PID: 3476)
      • iexplore.exe (PID: 3332)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2156)
    • Application launched itself

      • iexplore.exe (PID: 3476)
      • iexplore.exe (PID: 3332)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2820"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Account Details for kbkbzRisySX at All about . Label Packaging.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3476"C:\Program Files\Internet Explorer\iexplore.exe" http://labelandpackaging.4your.biz/index.php/component/users/?task=registration.activate&token=ca671402fe7a8407f5f5184a974f6ba3C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2156"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3476 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3516C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code:
0
Version:
26,0,0,131
3332"C:\Program Files\Internet Explorer\iexplore.exe" http://labelandpackaging.4your.biz/index.php/component/users/?task=registration.activate&token=ca671402fe7a8407f5f5184a974f6ba3C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3768"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3332 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
1 988
Read events
1 463
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
126
Unknown types
13

Dropped files

PID
Process
Filename
Type
2820OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVREA20.tmp.cvr
MD5:
SHA256:
3476iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2156iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:EF2175B61D8C98FA5A265C0B404A9276
SHA256:053F89E3B3594441000D2B2B6C1067823BDE346056279F20DBCB290326D512B9
3476iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:48DD6CAE43CE26B992C35799FCD76898
SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
2156iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YH0SZYD9\index[1].php
MD5:
SHA256:
2820OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:6F3AF035A952784C5B4AA276AC8DBED5
SHA256:0B2DE649FF88E8105BE20732C327476532796DEABED517293875E03DA3738154
2820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_27D101BEA4926142882FB11EF7DC1DBF.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
2820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{88D271D6-639B-49B9-A3E5-38C5855DBBCF}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:7D80C0A7E3849818695EAF4989186A3C
SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
2156iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YRX74QQV\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
101
TCP/UDP connections
22
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2820
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2156
iexplore.exe
GET
303
217.160.0.100:80
http://labelandpackaging.4your.biz/index.php/component/users/?task=registration.activate&token=ca671402fe7a8407f5f5184a974f6ba3
DE
malicious
2156
iexplore.exe
GET
200
217.160.0.100:80
http://labelandpackaging.4your.biz/t3-assets/js/js-d593c.js?t=99
DE
text
460 Kb
malicious
2156
iexplore.exe
GET
200
217.160.0.100:80
http://labelandpackaging.4your.biz/t3-assets/css/css-e27b2.css?t=1
DE
text
222 Kb
malicious
2156
iexplore.exe
GET
200
217.160.0.100:80
http://labelandpackaging.4your.biz/index.php
DE
html
26.6 Kb
malicious
2156
iexplore.exe
GET
200
217.160.0.100:80
http://labelandpackaging.4your.biz/t3-assets/css/css-b0d2a.css?t=314
DE
text
139 Kb
malicious
2156
iexplore.exe
GET
200
217.160.0.100:80
http://labelandpackaging.4your.biz/media/com_acymailing/js/acymailing_module.js?v=
DE
text
14.4 Kb
malicious
2156
iexplore.exe
GET
200
217.160.0.100:80
http://labelandpackaging.4your.biz/t3-assets/css/css-89136.css?t=384
DE
text
2.42 Kb
malicious
2156
iexplore.exe
GET
200
217.160.0.100:80
http://labelandpackaging.4your.biz/t3-assets/js/js-4a5e7.js?t=415
DE
text
34.3 Kb
malicious
2156
iexplore.exe
GET
200
157.240.1.23:80
http://connect.facebook.net/en_US/sdk.js
US
text
1.74 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2156
iexplore.exe
74.125.140.82:80
html5shim.googlecode.com
Google Inc.
US
whitelisted
2156
iexplore.exe
157.240.1.23:443
connect.facebook.net
Facebook, Inc.
US
whitelisted
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3476
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2156
iexplore.exe
217.160.0.100:80
labelandpackaging.4your.biz
1&1 Internet SE
DE
malicious
2156
iexplore.exe
93.184.220.66:80
platform.twitter.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2156
iexplore.exe
157.240.1.23:80
connect.facebook.net
Facebook, Inc.
US
whitelisted
3476
iexplore.exe
217.160.0.100:80
labelandpackaging.4your.biz
1&1 Internet SE
DE
malicious
2156
iexplore.exe
192.229.133.150:80
platform.linkedin.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2156
iexplore.exe
151.101.0.84:443
log.pinterest.com
Fastly
US
suspicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
labelandpackaging.4your.biz
  • 217.160.0.100
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
connect.facebook.net
  • 157.240.1.23
whitelisted
platform.twitter.com
  • 93.184.220.66
whitelisted
html5shim.googlecode.com
  • 74.125.140.82
whitelisted
apis.google.com
  • 172.217.21.238
whitelisted
assets.pinterest.com
  • 151.101.120.84
whitelisted
platform.linkedin.com
  • 192.229.133.150
whitelisted
joomlart.s3.amazonaws.com
  • 52.216.178.219
shared

Threats

No threats detected
No debug info