File name: FW Sandra participate in this survey for an Amazon Gift Card.msg
Full analysis: https://app.any.run/tasks/c4a41be7-b5f9-4949-a305-89fd227ba557
Verdict: Malicious activity
Analysis date: August 12, 2022, 16:25:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 4B4EEF260C1620918DB7A4A95CB7C460
SHA1: 014E6578E911124242124553E3898C6BEA9D6433
SHA256: 61C23D0E32D1C40F3DE9F9672CDB0FEFCC04DAB7E35A397F6960C6DC91ACEEAD
SSDEEP: 768:qeYWDtBrpb7tFiWy2qVZk5w6ZW35YTJ+Yl2INNlHSU:YODZiWy2qVZk5wT2d+o2o
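The identifiers above (MD5, SHA-1, SHA-256, and the CDFV2 container type that every Outlook .msg file is) are what an analyst uses to confirm that a locally obtained copy is the same object ANY.RUN ran before spending time on it. The Python below is an added example and is not part of the ANY.RUN report: it recomputes the three digests and compares them with the values listed above, and decodes the fixed 512-byte OLE Compound File header ([MS-CFB]) so that a file merely renamed to .msg, which is not actually a CDFV2 container, is caught up front. The header returned by build_demo_header() is constructed for illustration and will not match the report's hashes; pass the path of the real sample on the command line for that. The SSDEEP value is left out because comparing CTPH digests needs the ssdeep library.

```python
"""Verify a sample against the report's identifiers and parse the OLE
Compound File (CFB) header that every Outlook .msg starts with.
Added example; the report hashes are copied from above, the demo header
built in build_demo_header() is constructed, not real sample data."""
import hashlib
import struct
import sys

# Identifiers copied from the report above.
REPORTED = {
    "md5": "4B4EEF260C1620918DB7A4A95CB7C460",
    "sha1": "014E6578E911124242124553E3898C6BEA9D6433",
    "sha256": "61C23D0E32D1C40F3DE9F9672CDB0FEFCC04DAB7E35A397F6960C6DC91ACEEAD",
}

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # [MS-CFB] header signature
ENDOFCHAIN = 0xFFFFFFFE                           # sector chain terminator
FREESECT = 0xFFFFFFFF                             # unused DIFAT slot
# Header fields at offset 24: minor, major, byte order, sector shift,
# mini sector shift, 6 reserved bytes, then nine 32-bit counters/locators.
HEADER_FMT = "<HHHHH6xIIIIIIIII"


def digests(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the bytes, upper-case hex like the report."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, reported: dict = REPORTED) -> dict:
    """Per-algorithm True/False: is this file the one that was analysed?"""
    got = digests(data)
    return {k: got[k] == v.upper() for k, v in reported.items()}


def parse_cfb_header(data: bytes) -> dict:
    """Decode the 512-byte CFB header. Raises ValueError when the signature,
    byte-order mark or version/sector-size pair is wrong, i.e. the file is
    not a CDFV2 container whatever its extension claims."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE Compound File (bad signature)")
    (_minor, major, byte_order, sector_shift, mini_shift,
     _n_dir, n_fat, first_dir, _txn, mini_cutoff,
     _first_minifat, n_minifat, _first_difat, n_difat) = \
        struct.unpack_from(HEADER_FMT, data, 24)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark 0x%04X" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError("version/sector-size mismatch")
    return {
        "version": major,
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
        "fat_sectors": n_fat,
        "directory_start_sector": first_dir,
        "mini_stream_cutoff": mini_cutoff,
        "minifat_sectors": n_minifat,
        "difat_sectors": n_difat,
    }


def is_cfb(data: bytes) -> bool:
    """Cheap yes/no wrapper around the header parser."""
    try:
        parse_cfb_header(data)
        return True
    except ValueError:
        return False


def build_demo_header() -> bytes:
    """CONSTRUCTED demo: a minimal version-3 CFB header (512-byte sectors,
    one FAT sector at 0, directory at sector 1, no mini FAT, no DIFAT)."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into(HEADER_FMT, hdr, 24,
                     0x3E, 3, 0xFFFE, 9, 6,
                     0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<I", hdr, 76, 0)              # DIFAT[0] -> FAT sector 0
    for i in range(1, 109):                          # remaining DIFAT slots
        struct.pack_into("<I", hdr, 76 + 4 * i, FREESECT)
    return bytes(hdr)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_header()
    print("matches report:", matches_report(blob))
    print("CFB header:", parse_cfb_header(blob))
```

Run it with the sample path as the first argument; with no argument it parses the constructed header and reports three hash mismatches, which is the expected result for anything other than the analysed file. Reading the message itself (the __substg1.0_* property streams defined in [MS-OXMSG]) needs the FAT and directory chains as well and is deliberately not attempted here.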

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • OUTLOOK.EXE (PID: 2756)
      • firefox.exe (PID: 2216)
      • firefox.exe (PID: 2112)
      • firefox.exe (PID: 2700)
      • firefox.exe (PID: 2308)
      • firefox.exe (PID: 840)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 2756)
      • firefox.exe (PID: 2216)
      • firefox.exe (PID: 2112)
      • firefox.exe (PID: 2308)
      • firefox.exe (PID: 2700)
      • firefox.exe (PID: 840)
    • Manual execution by user

      • firefox.exe (PID: 2216)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 2756)
    • Application launched itself

      • firefox.exe (PID: 2216)
    • Reads CPU info

      • firefox.exe (PID: 2216)
    • Creates files in the program directory

      • firefox.exe (PID: 2216)
    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 2216)
    • Reads the date of Windows installation

      • firefox.exe (PID: 2216)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2756)
No Malware configuration.

TRiD
.msg | Outlook Message (58.9%)
.oft | Outlook Form Template (34.4%)
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 0


Process information

PID 2756
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\FW Sandra participate in this survey for an Amazon Gift Card.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.4760.1000
Modules (images):
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID 2216
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: Explorer.EXE
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 67.0.4
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll

PID 2112
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.0.924040899\1522925823" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 1184 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 67.0.4
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll

PID 2308
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.3.1164269291\577668024" -childID 1 -isForBrowser -prefsHandle 1892 -prefMapHandle 1888 -prefsLen 1 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 1732 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 67.0.4
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll

PID 2700
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.13.1320006625\890862511" -childID 2 -isForBrowser -prefsHandle 2764 -prefMapHandle 2772 -prefsLen 5823 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 2784 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 67.0.4
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll

PID 840
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.20.632299238\2104670201" -childID 3 -isForBrowser -prefsHandle 3364 -prefMapHandle 3368 -prefsLen 6545 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 3424 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 67.0.4
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
Total events: 7 757
Read events: 7 188
Write events: 550
Delete events: 19

Modification events

All ten events are registry writes by PID 2756 (OUTLOOK.EXE) to
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
(Office first-run language setup; each value name is a Windows LCID):

Name | Value
1033 | Off
1041 | Off
1042 | Off
1046 | Off
1036 | Off
1031 | Off
1040 | Off
1049 | Off
3082 | Off
1055 | Off
Executable files: 0
Suspicious files: 94
Text files: 30
Unknown types: 54

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA3AE.tmp.cvr | - | - | -
2756 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | - | - | -
2216 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\startupCache\scriptCache-current.bin | - | - | -
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | 3A0CC4BD82B854ECE1D3E88AC6B41ED2 | 89C9A03FCF1C27D53CC43A92FA1DFEEE24D25688287D59CE6F1825C73C0D7D32
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | F52434DF98418373F44AC78FE8A5F6B6 | 0CF1BFE6FAD111E15B1ABDE0AB6A2A0D311D2AAB953012D1FE8D4C99126C1936
2216 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\permissions.sqlite-journal | binary | 514A30A538E16AAE2D7268B5CC58FFF0 | 89F200283000135ABCD6BF63CE632EAB9E0DA0850390D697AF3D3D5AC45DF2DD
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_576765698E10194685B55BF29BA5C6FF.dat | xml | EEAA832C12F20DE6AAAA9C7B77626E72 | C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{ADB16E78-733A-4553-A7DB-34F2FAC190E5}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | 4C61C12EDBC453D7AE184976E95258E1 | 296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_8B2D4C018F86244DB6A1916ABC6BE3F6.dat | xml | 57F30B1BCA811C2FCB81F4C13F6A927B | 612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_15220B3A32B2874BBD509A9870C0F482.dat | xml | D58C02D47497EFF7B621405F528C201A | F3322AFB6FE61BCB9A12C1C134340C87CF3A97F1BB0F7731067973D8563AC95A
HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 58
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2756 | OUTLOOK.EXE | GET | - | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | - | - | whitelisted
2216 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2216 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted
2216 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2216 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2216 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted
2216 | firefox.exe | POST | 200 | 2.16.186.11:80 | http://r3.o.lencr.org/ | unknown | der | 503 b | shared
2216 | firefox.exe | POST | 200 | 2.16.186.11:80 | http://r3.o.lencr.org/ | unknown | der | 503 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2216 | firefox.exe | 52.35.93.250:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown
2756 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
2216 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | - | US | whitelisted
2216 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2216 | firefox.exe | 13.32.121.85:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | suspicious
2216 | firefox.exe | 52.42.74.230:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown
2216 | firefox.exe | 2.16.186.11:80 | r3.o.lencr.org | Akamai International B.V. | - | whitelisted
2216 | firefox.exe | 52.43.189.249:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown
2216 | firefox.exe | 172.217.18.106:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
2216 | firefox.exe | 207.189.124.9:443 | info.zoomintel.com | ViaWest | US | suspicious

DNS requests

Domain | IP(s) | Reputation
teredo.ipv6.microsoft.com | - | whitelisted
config.messenger.msn.com | 64.4.26.155 | whitelisted
detectportal.firefox.com | 34.107.221.82 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82, 2600:1901:0:38d7:: | whitelisted
search.services.mozilla.com | 52.35.93.250, 54.213.198.91, 44.225.72.11 | whitelisted
search.r53-2.services.mozilla.com | 44.225.72.11, 54.213.198.91, 52.35.93.250 | whitelisted
push.services.mozilla.com | 52.42.74.230 | whitelisted
autopush.prod.mozaws.net | 52.42.74.230 | whitelisted
snippets.cdn.mozilla.net | 13.32.121.85, 13.32.121.112, 13.32.121.15, 13.32.121.49 | whitelisted
tiles.services.mozilla.com | - | whitelisted

Threats

PID | Process | Class | Message
2216 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile
No debug info
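The single IDS alert above (ET INFO Terse Request for .txt - Likely Hostile) is attributed to firefox.exe PID 2216, and the only plaintext .txt fetch by that process in the HTTP table is http://detectportal.firefox.com/success.txt, Firefox's captive-portal probe. The process table also shows every firefox.exe was started under Explorer.EXE by the sandbox user (the Indicators section lists "Manual execution by user" for PID 2216), so the process tree does not tie any browser traffic, including the connection to info.zoomintel.com that the report marks suspicious, to the .msg; whether the analyst clicked a link out of the message is something only the full report's screenshots would show. OUTLOOK.EXE's own network activity is the single config.messenger.msn.com request. The Python below is an added example, not part of the ANY.RUN report: it transcribes the HTTP, connection and threat rows from the tables above, splits contacted hosts by originating process tree, ties the alert to the request that could have triggered it, and lists which hosts a baseline allowlist does not explain. That baseline (Mozilla, Microsoft, Google API and CA OCSP hosts a clean Windows 7 / Office 2010 / Firefox 67 image contacts on its own) is an analyst assumption and not taken from the report; it leaves info.zoomintel.com as the one host still to be accounted for, without asserting what it is.

```python
"""Triage of the sandbox network tables: separate traffic made by the
analysed process (OUTLOOK.EXE) from traffic made by the browser the sandbox
user started, and check the single IDS alert against what triggered it.
Rows are transcribed from the report above; the baseline of 'expected'
infrastructure is an analyst assumption, not part of the report."""
from urllib.parse import urlparse

# Transcribed from the HTTP requests table: (pid, process, method, url)
HTTP_REQUESTS = [
    (2756, "OUTLOOK.EXE", "GET", "http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig"),
    (2216, "firefox.exe", "POST", "http://ocsp.digicert.com/"),
    (2216, "firefox.exe", "GET", "http://detectportal.firefox.com/success.txt"),
    (2216, "firefox.exe", "POST", "http://ocsp.digicert.com/"),
    (2216, "firefox.exe", "POST", "http://ocsp.digicert.com/"),
    (2216, "firefox.exe", "POST", "http://ocsp.pki.goog/gts1c3"),
    (2216, "firefox.exe", "POST", "http://r3.o.lencr.org/"),
    (2216, "firefox.exe", "POST", "http://r3.o.lencr.org/"),
]

# Transcribed from the Connections table: (pid, process, domain, reputation)
CONNECTIONS = [
    (2216, "firefox.exe", "search.services.mozilla.com", "unknown"),
    (2756, "OUTLOOK.EXE", "config.messenger.msn.com", "whitelisted"),
    (2216, "firefox.exe", "detectportal.firefox.com", "whitelisted"),
    (2216, "firefox.exe", "ocsp.digicert.com", "whitelisted"),
    (2216, "firefox.exe", "snippets.cdn.mozilla.net", "suspicious"),
    (2216, "firefox.exe", "push.services.mozilla.com", "unknown"),
    (2216, "firefox.exe", "r3.o.lencr.org", "whitelisted"),
    (2216, "firefox.exe", "shavar.services.mozilla.com", "unknown"),
    (2216, "firefox.exe", "safebrowsing.googleapis.com", "whitelisted"),
    (2216, "firefox.exe", "info.zoomintel.com", "suspicious"),
]

# Transcribed IDS alert: (pid, class, message)
THREAT = (2216, "Potentially Bad Traffic",
          "ET INFO Terse Request for .txt - Likely Hostile")

# From the process table: firefox.exe (2216) was started under Explorer.EXE
# by the user and spawned the content processes; OUTLOOK.EXE opened the .msg.
USER_LAUNCHED = {2216, 2112, 2308, 2700, 840}
SAMPLE_PROCESSES = {2756}

# ASSUMPTION (analyst baseline, not from the report): hosts a clean Windows 7
# image with Office 2010 and Firefox 67 contacts on its own.
BASELINE_SUFFIXES = (
    ".mozilla.com", ".mozilla.net", ".mozaws.net", ".mozgcp.net",
    ".firefox.com", ".googleapis.com", ".msn.com", ".microsoft.com",
)
BASELINE_OCSP = {"ocsp.digicert.com", "ocsp.pki.goog", "r3.o.lencr.org"}


def in_baseline(host: str) -> bool:
    """True if the host is CA OCSP infrastructure or matches a baseline suffix."""
    host = host.lower()
    return host in BASELINE_OCSP or host.endswith(BASELINE_SUFFIXES)


def split_by_origin(connections):
    """Partition contacted domains into those made by the sample's own
    process tree and those made by processes the user started."""
    from_sample, from_user = set(), set()
    for pid, _proc, domain, _rep in connections:
        (from_sample if pid in SAMPLE_PROCESSES else from_user).add(domain)
    return from_sample, from_user


def unexplained_hosts(connections):
    """Domains the baseline does not cover, whichever process contacted them:
    what the analyst still has to account for."""
    return sorted({d for _p, _proc, d, _r in connections if not in_baseline(d)})


def explain_alert(threat, requests):
    """Match a generic '.txt request' IDS alert to the plaintext HTTP request
    that could have triggered it (same PID, URL path ending in .txt)."""
    pid, _cls, msg = threat
    if ".txt" not in msg:
        return None
    for rpid, proc, _method, url in requests:
        if rpid == pid and urlparse(url).path.endswith(".txt"):
            return {"process": proc, "url": url,
                    "user_launched": pid in USER_LAUNCHED}
    return None


if __name__ == "__main__":
    sample_hosts, user_hosts = split_by_origin(CONNECTIONS)
    print("contacted by the sample's process:", sorted(sample_hosts))
    print("contacted by the user-launched browser:", sorted(user_hosts))
    print("not explained by baseline:", unexplained_hosts(CONNECTIONS))
    print("alert trigger:", explain_alert(THREAT, HTTP_REQUESTS))
```

The baseline is deliberately a suffix list rather than the report's own reputation column: the report labels snippets.cdn.mozilla.net "suspicious" and search.services.mozilla.com "unknown" although both are Mozilla infrastructure, and it labels the OCSP responders "whitelisted" or "shared" inconsistently, so reputation alone is a poor filter. Widen or narrow BASELINE_SUFFIXES to match the image actually used for the run.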