File name: Administrator Notification_ Redirecting email with malware.msg

Full analysis: https://app.any.run/tasks/8ac499d5-f141-42ce-b598-38126ab05fcd
Verdict: Malicious activity
Analysis date: July 17, 2019, 13:49:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 948361E587E6369C8EAEF54836C503A3
SHA1: 4044ED23AE8FB2E5CA7493E115028EE81EBBD64D
SHA256: 5E2CEDE458BDE1F82B5F41BB90C9F452873D05DD162BDB799E4C7938DBA8D6B9
SSDEEP: 3072:za1CVjA6fjFXtRnHVuGA6gjc9aLXYpJYM0FB8YI5rG6CBQ7P7:zVjRHVzA6gj6aLXYpx0lQGLe7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 3756)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 3756)
  • INFO
    • Manual execution by user
      • firefox.exe (PID: 3492)
    • Application launched itself
      • firefox.exe (PID: 3492)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 3756)
    • Reads CPU info
      • firefox.exe (PID: 3492)
    • Creates files in the user directory
      • firefox.exe (PID: 3492)
No malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)

No data.
Total processes: 41
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 0

Behavior graph (interactive in the full report)

start → outlook.exe; firefox.exe; firefox.exe (no specs); firefox.exe; firefox.exe; firefox.exe

Process information

PID: 3756
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Indicators: none listed
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 3492
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Indicators: none listed
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 67.0.4

PID: 3972
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.0.1165578648\286890312" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 1140 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Indicators: none listed
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 67.0.4

PID: 3840
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.3.1870768625\1352336100" -childID 1 -isForBrowser -prefsHandle 1804 -prefMapHandle 1800 -prefsLen 1 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 1700 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Indicators: none listed
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 67.0.4

PID: 1324
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.13.657837930\1396239970" -childID 2 -isForBrowser -prefsHandle 2688 -prefMapHandle 2692 -prefsLen 5842 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 2716 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Indicators: none listed
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 67.0.4

PID: 2296
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.20.1981344364\316817024" -childID 3 -isForBrowser -prefsHandle 3536 -prefMapHandle 3540 -prefsLen 6662 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 3552 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Indicators: none listed
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 67.0.4
Total events: 1 513
Read events: 1 101
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 39
Text files: 33
Unknown types: 30

Dropped files

PID | Process | Filename | Type
3756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRF889.tmp.cvr | -
3492 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | -
3492 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | -
3492 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | -
3492 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.tmp | -
3492 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | -
3492 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | -
3492 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | -
3492 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | -
3756 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc | -
  MD5: 0F5A5447A9CDA9582F88A65C888DE4CF
  SHA256: 7536F3523309341D7887598E8B99F47B5D433A04D65282377EAEFFDC292913A1

(- = not given in the report; the report lists MD5/SHA256 only for the last file.)
HTTP(S) requests: 7
TCP/UDP connections: 16
DNS requests: 53
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3756 | OUTLOOK.EXE | GET | - | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | - | - | whitelisted
3492 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3492 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
- | - | GET | 200 | 2.16.186.50:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted
3492 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3492 | firefox.exe | POST | 200 | 216.58.206.3:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted
3492 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted

(- = not given in the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3492 | firefox.exe | 108.128.247.43:443 | location.services.mozilla.com | AT&T Services, Inc. | US | unknown
- | - | 2.16.186.50:80 | detectportal.firefox.com | Akamai International B.V. | - | whitelisted
3756 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
- | - | 172.217.16.206:80 | www.youtube.com | Google Inc. | US | whitelisted
3492 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3492 | firefox.exe | 34.209.56.240:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown
3492 | firefox.exe | 13.225.79.58:443 | snippets.cdn.mozilla.net | - | US | unknown
- | - | 216.58.206.3:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3492 | firefox.exe | 35.166.166.56:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown
3492 | firefox.exe | 172.217.18.170:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted

(- = not given in the report.)

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
detectportal.firefox.com | 2.16.186.50, 2.16.186.112 | whitelisted
a1089.dscd.akamai.net | 2.16.186.112, 2.16.186.50 | whitelisted
location.services.mozilla.com | 108.128.247.43, 52.210.139.31, 52.50.56.62 | whitelisted
locprod1-elb-eu-west-1.prod.mozaws.net | 52.50.56.62, 52.210.139.31, 108.128.247.43 | whitelisted
push.services.mozilla.com | 34.209.56.240 | whitelisted
autopush.prod.mozaws.net | 34.209.56.240 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
cs9.wac.phicdn.net | 93.184.220.29 | whitelisted
snippets.cdn.mozilla.net | 13.225.79.58 | whitelisted

Threats

No threats detected
No debug info