File name: FW E Document studio-insite.msg

Full analysis: https://app.any.run/tasks/2c5d6a27-46c1-4deb-b207-48f242d82851
Verdict: Malicious activity
Analysis date: May 20, 2019, 15:14:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 32A0AA0F1C5AF96A4D15CC4362D3BB48
SHA1: 81B027E6E875FE2E5F8E2BAB975BD8477695417C
SHA256: 5FA1A6E222E0A9A7461B6F75B370D7614FE91AC9653A7B59F06EC639A9EDA76A
SSDEEP: 3072:iK3ytIpAl15Se6oD9PsP3lVl3vSbsN/6a6HIiE:i/IxVlIswbBE

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 3384)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 3384)
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 3384)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 3384)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 1968)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 3384)
    • Creates files in the user directory
      • iexplore.exe (PID: 3480)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 1968)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3480)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1968)
    • Changes settings of System certificates
      • iexplore.exe (PID: 1968)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 1968)
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
Total processes: 36
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

explorer.exe -> OUTLOOK.EXE (PID: 3384) -> iexplore.exe (PID: 1968) -> iexplore.exe (PID: 3480)

Process information

PID 3384: OUTLOOK.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW E Document studio-insite.msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Outlook
  Version: 14.0.6025.1000

PID 1968: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://paloduro.sharepoint.com/:b:/s/studio-insite/ER5tsUR0HDVMoaR8X4AiD5IBVKHRF4-nV69yyUdE-Bb8Qw?e=9vryex
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3480: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1968 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 1 638
Read events: 1 143
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 0
Text files: 43
Unknown types: 6

Dropped files

PID   Process      Type   Filename
3384  OUTLOOK.EXE  (not recorded)  C:\Users\admin\AppData\Local\Temp\CVRDF2.tmp.cvr
  MD5: (not recorded)
  SHA256: (not recorded)
3384  OUTLOOK.EXE  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47F03189.dat
  MD5: 12DFFF1D4B3FC09564D733CF5B1FDC09
  SHA256: 4541C4D363AF1B7C46F731BBF4F8ABD63D2433BD3968247D50359C4F16C8C662
3384  OUTLOOK.EXE  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1F1EF174.dat
  MD5: A6EA09613EB06BE95D320BB0A52BE71B
  SHA256: C3AC3FC677F8C9CAF970F79463BF3D2C6EC9B214583FFBE7D55D55B34F1A98D5
3384  OUTLOOK.EXE  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\86D53C00.dat
  MD5: 66520B0BF0B2426768524C209EE0E3CF
  SHA256: E650C94ACF8FF197FE63674E4358E7AAC26EF71FBA038DC252BCB969610B461D
3384  OUTLOOK.EXE  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\315019F6.dat
  MD5: B942CB495873961DA6DBBF40BF8F3344
  SHA256: 391195A4397DB0BB190067CBE4D8739C793BB5CE0B91E72D06162A5FC0A9281E
3384  OUTLOOK.EXE  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7D1A7AE5.dat
  MD5: 84AF984A7589AA5312F26D02F4982918
  SHA256: 6169DC87F54888B26863A088D3C9FF3CEA47D4F2DDEE84329B67F407B0811DDE
3384  OUTLOOK.EXE  text   C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
  MD5: 48DD6CAE43CE26B992C35799FCD76898
  SHA256: 7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
3384  OUTLOOK.EXE  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F46F557F.dat
  MD5: 54EE72AABDA42241EE0662DAF4B33495
  SHA256: E9E017D87093F3A37FC8839626E014A28394962F927997E1111C83B2605B2DA2
3384  OUTLOOK.EXE  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8FD6D33B.dat
  MD5: 2744BAA8F1285BEA0DD6E0E183DF9945
  SHA256: 994E69276C618F53B604DC80A7B7C001E9D60865891DE40702B5FE542A895C12
3384  OUTLOOK.EXE  image  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E7AC7BA2.dat
  MD5: 3E9B2C2F3B0640DFE1BB82E6B3779E48
  SHA256: 445A72992078A4E729BC4A73A4775182E2A6F6A43B53C21D92009569D665206D
HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 3
Threats: 0

HTTP requests

PID   Process      Method  IP                 URL
3384  OUTLOOK.EXE  GET     64.4.26.155:80     http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
  HTTP Code: (not recorded)  CN: US  Type: (not recorded)  Size: (not recorded)  Reputation: whitelisted
1968  iexplore.exe GET     204.79.197.200:80  http://www.bing.com/favicon.ico
  HTTP Code: 200  CN: US  Type: image  Size: 237 b  Reputation: whitelisted

Connections

PID   Process       IP                 Domain                    ASN                    CN  Reputation
1968  iexplore.exe  204.79.197.200:80  www.bing.com              Microsoft Corporation  US  whitelisted
3384  OUTLOOK.EXE   64.4.26.155:80     config.messenger.msn.com  Microsoft Corporation  US  whitelisted
3480  iexplore.exe  13.107.136.9:443   paloduro.sharepoint.com   Microsoft Corporation  US  whitelisted
1968  iexplore.exe  13.107.136.9:443   paloduro.sharepoint.com   Microsoft Corporation  US  whitelisted

DNS requests

Domain                    IP                             Reputation
config.messenger.msn.com  64.4.26.155                    whitelisted
paloduro.sharepoint.com   13.107.136.9                   suspicious
www.bing.com              204.79.197.200, 13.107.21.200  whitelisted

Threats

No threats detected
No debug info