analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Administrator Notification_ Redirecting email with malware.msg

Full analysis: https://app.any.run/tasks/f82d4761-7d10-4c13-be2b-60c1723b8715
Verdict: Malicious activity
Analysis date: July 17, 2019, 14:49:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

6DD76A0C23864B9EC86ED1021F437172

SHA1:

84DF0C5783C14709FE0316D840664D4EFDA88455

SHA256:

61A9B2B73C1C69861966F6A7984FB2C8B8E122C7E5C71F9B73B3C9B2F5F47CCE

SSDEEP:

1536:d1hWHWjnrU9O2DEDctbFi+OwoI241eruPIntOoyWCWrWKUB0ZqhkQiLGi:d1EDEIbFi+U41erOItO3hviLGi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 3728)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3728)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3728)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3728)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3756)
    • Application launched itself

      • iexplore.exe (PID: 3756)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1636)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3728)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1636)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3728"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Administrator Notification_ Redirecting email with malware.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3756"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\P2RXTUGR\📞VD-60190771715230.htmC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1636"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3756 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
1 938
Read events
1 459
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
36
Unknown types
6

Dropped files

PID
Process
Filename
Type
3728OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRF80C.tmp.cvr
MD5:
SHA256:
3728OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\~DFD974A4A72F2A72ED.TMP
MD5:
SHA256:
3728OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\P2RXTUGR\📞VD-60190771715230 (2).htm\:Zone.Identifier:$DATA
MD5:
SHA256:
3756iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3756iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3728OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:536A25C3D6D1B32633B5CC17F30EF3A0
SHA256:BA28E3204C17F56B0BAE8B4EAFFE903F33B790C11F384F65AD654710D2FF2BDC
3728OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\P2RXTUGR\Dial Active Recording.msgmsg
MD5:41AE655B2AE1ED758D921DFA01919EE5
SHA256:19FF0A2420757E3E37ECE9E6FE7BF01806BD19D06680B51C7751D095979E91A2
3728OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\P2RXTUGR\📞VD-60190771715230 (2).htmhtml
MD5:08058DADFEFCFA907E173D48DAD610E4
SHA256:26170DD930F7B1EF344DAC914AA52F155C007AC011E2859D6C0445A982EB6800
3728OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\P2RXTUGR\📞VD-60190771715230.htmhtml
MD5:08058DADFEFCFA907E173D48DAD610E4
SHA256:26170DD930F7B1EF344DAC914AA52F155C007AC011E2859D6C0445A982EB6800
1636iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071720190718\index.datdat
MD5:6D2C9E1D49F334A5C4E980E435BF3F33
SHA256:6EE276E535BE41CEEB5A1E555423DC5DBA33DACF15586246B2FFA0B8481FA409
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3728
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3756
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3728
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3756
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1636
iexplore.exe
165.227.83.35:443
noodles.ddns.net
Digital Ocean, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
noodles.ddns.net
  • 165.227.83.35
malicious

Threats

No threats detected
No debug info