analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

TNT Collection Request BH7 178845.msg

Full analysis: https://app.any.run/tasks/18ff994b-5459-4ebc-acee-e23cd8dc47c0
Verdict: Malicious activity
Analysis date: September 19, 2019, 04:33:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

5FAFCB318D263A823129BE15D898C357

SHA1:

282F22AC84B54EA0766528D6919167BCCE7D4CFA

SHA256:

62EA481E339CE3265FFC22ECC3774D08F8AA04F3FC89B76B755808E98537C6D8

SSDEEP:

384:AyyAgpkRsTqIzOVuEUx4sZJPnSO9Ap0D0izaownR1bJHFzPmyWs1u1jduG:AyyVOR9gx4sZdn39I+aLrxtPmyHQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 680)
    • Changes the autorun value in the registry

      • WScript.exe (PID: 324)
      • wscript.exe (PID: 1216)
      • wscript.exe (PID: 2876)
    • Writes to a start menu file

      • WScript.exe (PID: 324)
      • wscript.exe (PID: 1216)
      • wscript.exe (PID: 2876)
  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 680)
      • WScript.exe (PID: 324)
      • wscript.exe (PID: 1216)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 680)
      • wscript.exe (PID: 1216)
      • wscript.exe (PID: 2876)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 680)
    • Reads the machine GUID from the registry

      • WScript.exe (PID: 324)
      • WinRAR.exe (PID: 2840)
      • wscript.exe (PID: 1216)
      • wscript.exe (PID: 2876)
    • Executes scripts

      • WScript.exe (PID: 324)
      • wscript.exe (PID: 2876)
    • Application launched itself

      • WScript.exe (PID: 324)
      • wscript.exe (PID: 2876)
    • Checks for external IP

      • wscript.exe (PID: 2876)
  • INFO

    • Reads the machine GUID from the registry

      • OUTLOOK.EXE (PID: 680)
      • iexplore.exe (PID: 2608)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2608)
    • Changes internet zones settings

      • iexplore.exe (PID: 2608)
    • Creates files in the user directory

      • IEXPLORE.EXE (PID: 1876)
    • Manual execution by user

      • WScript.exe (PID: 324)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe no specs iexplore.exe winrar.exe no specs wscript.exe wscript.exe wscript.exe wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
680"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\TNT Collection Request BH7 178845.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.4760.1000
2608"C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/617964571378057228/624018298127908892/TNT_Collection_Request_BH7_178845.zipC:\Program Files\Internet Explorer\iexplore.exeOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1876"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2840"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\TNT_Collection_Request_BH7_178845.zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
324"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\TNT Collection Request BH7 178845.js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1216"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\YLFuizCVuT.js"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2876"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\TNT Collection Request BH7 178845.js"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2536"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\YLFuizCVuT.js"C:\Windows\System32\wscript.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
Total events
5 457
Read events
4 819
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
20
Unknown types
2

Dropped files

PID
Process
Filename
Type
680OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR7EFD.tmp.cvr
MD5:
SHA256:
1876IEXPLORE.EXEC:\Users\admin\Desktop\TNT_Collection_Request_BH7_178845.zip.69w3rf0.partial
MD5:
SHA256:
2608iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF292651A94E06C097.TMP
MD5:
SHA256:
2608iexplore.exeC:\Users\admin\Desktop\TNT_Collection_Request_BH7_178845.zip.69w3rf0.partial:Zone.Identifier
MD5:
SHA256:
2608iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFB3AB3F3FCD9816DB.TMP
MD5:
SHA256:
2608iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BE177F13-DA96-11E9-9008-5254004AAD21}.dat
MD5:
SHA256:
2840WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2840.19378\TNT Collection Request BH7 178845.js
MD5:
SHA256:
680OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6B1529C4-4A0E-488C-94F3-591A9E5463EB}.tmp
MD5:
SHA256:
680OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\~DFE20172CE8BC1C5B3.TMP
MD5:
SHA256:
680OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{77981584-FEAC-4ED2-88B2-A71B20533E0F}.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
28
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
680
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2876
wscript.exe
GET
200
185.194.141.58:80
http://ip-api.com/json/
DE
text
301 b
shared
1876
IEXPLORE.EXE
GET
200
162.159.135.233:443
https://cdn.discordapp.com/attachments/617964571378057228/624018298127908892/TNT_Collection_Request_BH7_178845.zip
unknown
compressed
93.0 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
680
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2876
wscript.exe
185.194.141.58:80
ip-api.com
netcup GmbH
DE
unknown
1876
IEXPLORE.EXE
162.159.135.233:443
cdn.discordapp.com
Cloudflare Inc
shared
2876
wscript.exe
154.124.195.86:2813
2813.noip.me
Autonomous System
SN
malicious
1216
wscript.exe
45.79.48.200:7757
pluginsrv1.duckdns.org
Linode, LLC
US
malicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
cdn.discordapp.com
  • 162.159.135.233
  • 162.159.134.233
  • 162.159.133.233
  • 162.159.130.233
  • 162.159.129.233
shared
pluginsrv1.duckdns.org
  • 45.79.48.200
malicious
ip-api.com
  • 185.194.141.58
shared
2813.noip.me
  • 154.124.195.86
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2876
wscript.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
2876
wscript.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
No debug info