File name: FW E Document studio-insite.msg
Full analysis: https://app.any.run/tasks/86cd4b1a-87f9-4e85-8ccf-a40786b0c38c
Verdict: Malicious activity
Analysis date: May 20, 2019, 15:08:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 32A0AA0F1C5AF96A4D15CC4362D3BB48
SHA1: 81B027E6E875FE2E5F8E2BAB975BD8477695417C
SHA256: 5FA1A6E222E0A9A7461B6F75B370D7614FE91AC9653A7B59F06EC639A9EDA76A
SSDEEP: 3072:iK3ytIpAl15Se6oD9PsP3lVl3vSbsN/6a6HIiE:i/IxVlIswbBE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 1892)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 1892)
    • Starts itself from another location
      • OUTLOOK.EXE (PID: 1892)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 1892)
  • INFO
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 1892)
      • OUTLOOK.EXE (PID: 3816)
      • OUTLOOK.EXE (PID: 2480)
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → outlook.exe → outlook.exe (no specs), outlook.exe (no specs)

Process information

PID: 1892
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW E Document studio-insite.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 3816
CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"
Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Exit code: 0
Version: 14.0.6025.1000

PID: 2480
CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"
Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Exit code: 0
Version: 14.0.6025.1000
Total events: 1 366
Read events: 923
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 32
Unknown types: 1

Dropped files

PID | Process | Filename | Type
1892 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR3E93.tmp.cvr |
3816 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR6FA5.tmp.cvr |
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRBBB2.tmp.cvr |
1892 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
    MD5: DC66986D820E0297A8EF7BE561F0B5F7
    SHA256: 2F3613480555595D9ACF244BDD36AB4712F07AEFA61F6E28C25CA53E145EBF59
1892 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8C9556BF.dat | image
    MD5: B942CB495873961DA6DBBF40BF8F3344
    SHA256: 391195A4397DB0BB190067CBE4D8739C793BB5CE0B91E72D06162A5FC0A9281E
1892 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DFBE487B.dat | image
    MD5: 3E9B2C2F3B0640DFE1BB82E6B3779E48
    SHA256: 445A72992078A4E729BC4A73A4775182E2A6F6A43B53C21D92009569D665206D
1892 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EEFD1036.dat | image
    MD5: 12DFFF1D4B3FC09564D733CF5B1FDC09
    SHA256: 4541C4D363AF1B7C46F731BBF4F8ABD63D2433BD3968247D50359C4F16C8C662
1892 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1CCC81B4.dat | image
    MD5: 54EE72AABDA42241EE0662DAF4B33495
    SHA256: E9E017D87093F3A37FC8839626E014A28394962F927997E1111C83B2605B2DA2
1892 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CA44E25.dat | image
    MD5: A6EA09613EB06BE95D320BB0A52BE71B
    SHA256: C3AC3FC677F8C9CAF970F79463BF3D2C6EC9B214583FFBE7D55D55B34F1A98D5
1892 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\418DB040.dat | image
    MD5: 2744BAA8F1285BEA0DD6E0E183DF9945
    SHA256: 994E69276C618F53B604DC80A7B7C001E9D60865891DE40702B5FE542A895C12
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1892 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1892 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted

Threats

No threats detected
No debug info