File name: COVID19 Work Survey!.msg
Full analysis: https://app.any.run/tasks/b833c95c-26b4-4d0c-b729-ae45b48657d4
Verdict: Malicious activity
Analysis date: June 27, 2022, 09:27:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: covid19
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: EE6DD0F2D6E898F9FFFA946CF423FA10
SHA1: 645553C0B249FE8026FD2BF5A0AA7C3142536984
SHA256: 631CD9F9C43A2DE9FD7A3DF81F8E005B028127F81A7A3A41A8E52DE9CF56232D
SSDEEP: 768:dlI3TeBss3fXeCgSKDM0FZuWgJUUWsKtW2K3fXqRYLRqxM:DDCOyZuDPWVWlI2q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 1000)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 1000)
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 3996)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 836)
      • OUTLOOK.EXE (PID: 1000)
      • iexplore.exe (PID: 3996)
    • Reads the computer name
      • iexplore.exe (PID: 836)
      • OUTLOOK.EXE (PID: 1000)
      • iexplore.exe (PID: 3996)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 1000)
    • Searches for installed software
      • OUTLOOK.EXE (PID: 1000)
    • Changes internet zones settings
      • iexplore.exe (PID: 836)
    • Application launched itself
      • iexplore.exe (PID: 836)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 836)
      • iexplore.exe (PID: 3996)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 836)
      • iexplore.exe (PID: 3996)
    • Reads Internet Explorer settings
      • iexplore.exe (PID: 3996)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 1000)
No malware configuration.

TRiD
  • .msg | Outlook Message (58.9)
  • .oft | Outlook Form Template (34.4)
No data.
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> outlook.exe -> iexplore.exe -> iexplore.exe

Process information

PID 1000 (parent process: Explorer.EXE)
  CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\COVID19 Work Survey!.msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Outlook
  Version: 14.0.6025.1000

PID 836 (parent process: OUTLOOK.EXE)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.templatent.com/ind/4d8b04bf-7a7c-48a0-b6e3-38da5008297e/61c9e0e8-a9e5-484a-acdb-b2003bdbe3d7/50e4c52b-d32b-495c-9986-4f32616c57eb/landing?id=bXp1ZjUyUnliaGtGMDVDNXZnRzlwSVpsRmxVdkt5TXJoamJoYkxrWldLU1Zra1lvZVo2WVBVYkRYeDdOVkVRL0NSWms1WG5FWnZKVUp6UlVvazBPeThIZFpQaWNTM2lUMURVOGdYTU9ja0o0UUVKZDRuT0lGN01lOGhNTGhBSlB6RVBVNENDNUNVZ201UVlLa0ppOXk4MVJZdEwzNlVHOXR1WXdPbHN4bzRkY3g2RENYYUMxWVE4dS9xbFJUV091L3ZNWXJDOXpaNTRMUnpRTE50UW9tbks5eU5TVmc4dnVPdGs5bG1HTDdjMmtRUS9PUWNCenljL1pid09SdTVWVkpJYVVOejFOL0oxd1NvWTF5cGpPUDRjcHVNaDBjZjI3b0RPR204UGdRRyttMWs5d0VJNHp6cHAzZ3RNNlVZSkZkU21SL2p1QW1uYitrV0lQNDJTVXpnPT0
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3996 (parent process: iexplore.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:836 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 14 636
Read events: 13 938
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 5
Text files: 13
Unknown types: 4

Dropped files

  • PID 1000, OUTLOOK.EXE, C:\Users\admin\AppData\Local\Temp\CVR94F3.tmp.cvr (type not recorded; no hashes recorded)
  • PID 1000, OUTLOOK.EXE, C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst (type not recorded; no hashes recorded)
  • PID 1000, OUTLOOK.EXE, C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log (text)
    MD5: FD05055FB7C90CE5CB65C2C6AB92E7F7
    SHA256: D80A81F4078DD5C3088CFCA00A3D0E890A837003E8EEB764E7261696D1C13600
  • PID 3996, iexplore.exe, C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE (binary)
    MD5: 8221AA63CCDDE87545FAE4723EBA2F44
    SHA256: A081761A823559590DC3495255ADFBEEDBCD8AA3C4FBB78B3AB5670EEFB652DF
  • PID 836, iexplore.exe, C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 (der)
    MD5: 28CC3D4B0DA8A29A9DCD6D4755C84342
    SHA256: A4CA2DD1D4545838F7A9102623442BC76BDEB2185E9991A294BCB0B6456DDA0E
  • PID 3996, iexplore.exe, C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE (der)
    MD5: 6070D165F317137BFA0039387B244CDB
    SHA256: 534AD56166D4D29D7744322BD18EBE9E8EFE5DEFF1C0E367C70F774478D7C738
  • PID 1000, OUTLOOK.EXE, C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm (pgc)
    MD5: 306027CA63A8AFEA7E26856A7C58BAB2
    SHA256: D5BDFD66F6D2B7006D5E30A013F5EC30408CD344CC2DE1AF3C3A80D2A481E174
  • PID 836, iexplore.exe, C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 (binary)
    MD5: 2F7C07C448F98CD3A9F15D72FA52F248
    SHA256: 3A70F82136DDF56746BBE728F43D496171A9F061EF62C3F5513BB06070062B3D
  • PID 836, iexplore.exe, C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (binary)
    MD5: 31590CEC34C20640A4C5A0C0C2445E7A
    SHA256: 37ED4DAA6987AD4FD671D927604EFAD92D4341B4843A2B6C9CC97A638C74F262
  • PID 836, iexplore.exe, C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\favicon[2].ico (image)
    MD5: DA597791BE3B6E732F0BC8B20E38EE62
    SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
HTTP(S) requests: 6
TCP/UDP connections: 19
DNS requests: 11
Threats: 0

HTTP requests

Fields: PID, process, method, HTTP code, IP, URL, CN, type, size, reputation.

  • PID 1000, OUTLOOK.EXE, GET, HTTP code not recorded, 64.4.26.155:80, http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig, US, type and size not recorded, whitelisted
  • PID 3996, iexplore.exe, GET, 200, 13.107.40.203:80, http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQN1VoiX40jVOMldh7uDThi9DqeewQU1cFnOsKjnfR3UltZEjgp5lVou6UCEzMANPAzk2JZiyvmkdgAAAA08DM%3D, US, der, 1.74 Kb, whitelisted
  • PID 836, iexplore.exe, GET, 200, 93.184.220.29:80, http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D, US, der, 1.47 Kb, whitelisted
  • PID 3996, iexplore.exe, GET, 200, 93.184.220.29:80, http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D, US, der, 471 b, whitelisted
  • PID 836, iexplore.exe, GET, 200, 41.63.96.128:80, http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0313db5469b36e55, ZA, compressed, 4.70 Kb, whitelisted
  • PID 3996, iexplore.exe, GET, 200, 41.63.96.128:80, http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9dfc310853302a4f, ZA, compressed, 4.70 Kb, whitelisted

Connections

Fields: PID, process, IP, domain, ASN, CN, reputation.

  • PID 1000, OUTLOOK.EXE, 64.4.26.155:80, config.messenger.msn.com, Microsoft Corporation, US, whitelisted
  • PID 836, iexplore.exe, 93.184.220.29:80, ocsp.digicert.com, MCI Communications Services, Inc. d/b/a Verizon Business, US, whitelisted
  • PID 3996, iexplore.exe, 93.184.220.29:80, ocsp.digicert.com, MCI Communications Services, Inc. d/b/a Verizon Business, US, whitelisted
  • PID 3996, iexplore.exe, 41.63.96.128:80, ctldl.windowsupdate.com, Limelight Networks, Inc., ZA, suspicious
  • PID 836, iexplore.exe, 131.253.33.200:443, www.bing.com, Microsoft Corporation, US, whitelisted
  • PID 836, iexplore.exe, 41.63.96.128:80, ctldl.windowsupdate.com, Limelight Networks, Inc., ZA, suspicious
  • PID 3996, iexplore.exe, 13.107.40.203:80, oneocsp.microsoft.com, Microsoft Corporation, US, whitelisted
  • PID 3996, iexplore.exe, 13.107.227.45:443, www.templatent.com, Microsoft Corporation, US, suspicious
  • PID 836, iexplore.exe, 13.107.22.200:443, www.bing.com, Microsoft Corporation, US, whitelisted
  • PID 836, iexplore.exe, 152.199.19.161:443, r20swj13mr.microsoft.com, MCI Communications Services, Inc. d/b/a Verizon Business, US, whitelisted

DNS requests

Fields: domain, resolved IP(s), reputation.

  • config.messenger.msn.com: 64.4.26.155 (whitelisted)
  • www.templatent.com: 13.107.219.45, 13.107.227.45 (malicious)
  • ctldl.windowsupdate.com: 41.63.96.128, 41.63.96.0 (whitelisted)
  • api.bing.com: 13.107.5.80 (whitelisted)
  • www.bing.com: 131.253.33.200, 13.107.22.200 (whitelisted)
  • ocsp.digicert.com: 93.184.220.29 (whitelisted)
  • oneocsp.microsoft.com: 13.107.40.203 (whitelisted)
  • r20swj13mr.microsoft.com: 152.199.19.161 (whitelisted)
  • iecvlist.microsoft.com: 152.199.19.161 (whitelisted)

Threats

No threats detected
No debug info