analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Jessy from SJ Vet China (13.4 KB).msg

Full analysis: https://app.any.run/tasks/cb34418d-aae7-4201-a871-72614c204a8d
Verdict: Malicious activity
Analysis date: January 14, 2022, 19:33:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

AE5EA07D1DD3A4F4F09E29847F472400

SHA1:

CA61D9682313E2BBC1987E1E0EB12F1B6840B8FE

SHA256:

607D5C050C77B8F588627F72BE626D67AF5A9E2F9CBB10AB07A31E68D5305185

SSDEEP:

384:8OTbAcevtYLQoTd2tzGFFzYmAVlgFwfBNDNhYEUs9PbtEDToPkxlNwl7anKKuSWa:8OivmLPQBNDNhTUsFyZgl7ac3MYn70N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 3048)

  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3048)

    • Reads Microsoft Outlook installation path

      • IEXPLORE.EXE (PID: 1448)
      • IEXPLORE.EXE (PID: 1396)

    • Executed via COM

      • FlashUtil64_27_0_0_187_ActiveX.exe (PID: 1660)

    • Checks supported languages

      • FlashUtil64_27_0_0_187_ActiveX.exe (PID: 1660)

    • Creates files in the user directory

      • FlashUtil64_27_0_0_187_ActiveX.exe (PID: 1660)

    • Reads the computer name

      • FlashUtil64_27_0_0_187_ActiveX.exe (PID: 1660)

  • INFO

    • Reads the computer name

      • OUTLOOK.EXE (PID: 3048)
      • iexplore.exe (PID: 2264)
      • IEXPLORE.EXE (PID: 1448)
      • IEXPLORE.EXE (PID: 1396)

    • Checks supported languages

      • OUTLOOK.EXE (PID: 3048)
      • IEXPLORE.EXE (PID: 1448)
      • iexplore.exe (PID: 2264)
      • IEXPLORE.EXE (PID: 1396)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3048)
      • iexplore.exe (PID: 2264)
      • IEXPLORE.EXE (PID: 1396)

    • Searches for installed software

      • OUTLOOK.EXE (PID: 3048)

    • Changes internet zones settings

      • iexplore.exe (PID: 2264)

    • Reads settings of System Certificates

      • IEXPLORE.EXE (PID: 1396)
      • iexplore.exe (PID: 2264)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 1448)
      • IEXPLORE.EXE (PID: 1396)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2264)
      • IEXPLORE.EXE (PID: 1396)

    • Reads CPU info

      • IEXPLORE.EXE (PID: 1396)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe no specs iexplore.exe flashutil64_27_0_0_187_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3048"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\Jessy from SJ Vet China (13.4 KB).msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.4760.1000
2264"C:\Program Files\Internet Explorer\iexplore.exe" https://sxsuje.com/C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1448"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1396"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:267533 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1660C:\Windows\system32\Macromed\Flash\FlashUtil64_27_0_0_187_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil64_27_0_0_187_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe� Flash� Player Installer/Uninstaller 27.0 r0
Version:
27,0,0,187
Total events
11 502
Read events
10 383
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
11
Text files
139
Unknown types
18

Dropped files

PID
Process
Filename
Type
3048OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR63EA.tmp.cvr
MD5:
SHA256:
3048OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
3048OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:F3796F03BD19E11727EFA6ADDF327902
SHA256:6F3344260824FA2ED3A7788D74CB2F82F6B746CDE7259DE5AC7514519FBFB2E7
3048OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:7B0D9E6D748C73D8FD78B00235D4A9F5
SHA256:DBA7F7990973FD0F0FBF488FB3EA2F16C9543FA81D2F5B6968CC1E24D90B7689
1396IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\default_9d77dce2[1].csstext
MD5:07FE852C4B8C75A090BA9020AD7B1A72
SHA256:05F80F1B693CDBCB40DDBBAAFED1D09C4A0BDF854EB27C658B028EBD1B54C374
1396IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\IF5NHPDD.txttext
MD5:7D829177DDDB3B6F7280EA57A1690736
SHA256:1384E7EDDE1E36220C50D3105FA4F9A85A94EDD9C153F79B80813AE3A59C135E
3048OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_D161B0A728E1AA47B734315768DDF8AB.datxml
MD5:EC8CA8C4D9E4B21BF1DBC33B4FD27816
SHA256:B1230E47FEE2A9F664C82C590C242F764D50C542F8F773254B6CEAC9145F50EF
1396IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\BANVPNYT.htmhtml
MD5:50F6147ECCB7A1F28B2C7E853999667E
SHA256:BD340840C1B7762542D72DC9BA01A61E74B27C4EEF1EE99D2A167E469C790F2A
1396IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\5YKOMFGF.txttext
MD5:EBBA2ED8876644D636AB2EFC6FE54A47
SHA256:7C8E5745D5A51564385BF018E39D8CD96F94CD2C71D76C4292BC591913879E28
1396IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\HMWGQD5Z.txttext
MD5:B062DB0E78FD889C6E7527A8E8D18F49
SHA256:6A94C2DE53C3FF2F21A47AAD93E8242167A930CBB1BA8A80C2BC83BDCA64E526
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
81
DNS requests
41
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3048
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
1396
IEXPLORE.EXE
GET
200
2.16.106.186:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?428ce02c5e9a1523
unknown
compressed
59.9 Kb
whitelisted
1396
IEXPLORE.EXE
GET
200
104.18.11.39:80
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
US
der
914 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2264
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1396
IEXPLORE.EXE
2.16.187.56:443
stat.made-in-china.com
Akamai International B.V.
whitelisted
3048
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
1396
IEXPLORE.EXE
2.16.186.131:443
sxsuje.en.made-in-china.com
Akamai International B.V.
whitelisted
2264
iexplore.exe
2.16.186.131:443
sxsuje.en.made-in-china.com
Akamai International B.V.
whitelisted
1396
IEXPLORE.EXE
2.16.186.195:443
www.made-in-china.com
Akamai International B.V.
whitelisted
1396
IEXPLORE.EXE
2.16.186.154:443
www.micstatic.com
Akamai International B.V.
whitelisted
1396
IEXPLORE.EXE
172.217.16.142:443
www.google-analytics.com
Google Inc.
US
whitelisted
1396
IEXPLORE.EXE
172.217.16.136:443
www.googletagmanager.com
Google Inc.
US
suspicious
1396
IEXPLORE.EXE
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
sxsuje.com
unknown
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
sxsuje.en.made-in-china.com
  • 2.16.186.131
  • 2.16.186.129
suspicious
www.micstatic.com
  • 2.16.186.154
  • 2.16.186.225
whitelisted
stat.made-in-china.com
  • 2.16.187.56
  • 2.16.187.98
suspicious
www.made-in-china.com
  • 2.16.186.195
  • 2.16.186.147
whitelisted
pylon.micstatic.com
  • 2.16.186.154
  • 2.16.186.225
suspicious
image.made-in-china.com
  • 2.16.186.195
  • 2.16.186.147
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Jessy from SJ Vet China (13.4 KB).msg