analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Multiple ISOnet User IDs Clean up ref_00D301Oe1._5004S3vDMmref .msg

Full analysis: https://app.any.run/tasks/d865ba25-07b4-48bb-8a5b-7d68e82c600c
Verdict: Malicious activity
Analysis date: October 05, 2022, 07:12:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

8FD44658FF56D8DDE60AB6BE2B1FDCC5

SHA1:

DFD087C564E50875C76CADB1115BD8DB12EB4F92

SHA256:

6708A97D637C211D54A6069141B278B7580824610A228381C3519FD976C56EBC

SSDEEP:

1536:hhKBYeeeeKB3eeeeK8IeSedB+eeeedBLeeeedBDeeeeKLVTcQJgWaWKT7dZhErjy:rE7STRfE9i1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Saves itself using an automatic execution at the hidden registry location

      • OUTLOOK.EXE (PID: 676)

  • SUSPICIOUS

    • Executes as Windows Service

      • SearchIndexer.exe (PID: 3220)

  • INFO

    • Process checks LSA protection

      • OUTLOOK.EXE (PID: 676)

    • Process checks computer location settings

      • OUTLOOK.EXE (PID: 676)

    • Searches for installed software

      • OUTLOOK.EXE (PID: 676)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 676)

    • Reads the machine GUID from the registry

      • OUTLOOK.EXE (PID: 676)
      • SearchFilterHost.exe (PID: 2104)
      • SearchIndexer.exe (PID: 3220)
      • SearchProtocolHost.exe (PID: 2832)
      • SearchProtocolHost.exe (PID: 3740)

    • Reads Microsoft Office registry keys

      • SearchProtocolHost.exe (PID: 3740)
      • OUTLOOK.EXE (PID: 676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
5
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start outlook.exe searchindexer.exe no specs searchprotocolhost.exe no specs searchfilterhost.exe no specs searchprotocolhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
676"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Multiple ISOnet User IDs Clean up ref_00D301Oe1._5004S3vDMmref .msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3220C:\Windows\system32\SearchIndexer.exe /EmbeddingC:\Windows\system32\SearchIndexer.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Indexer
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
3740"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
2104"C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528 C:\Windows\system32\SearchFilterHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Filter Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
2832"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Total events
9 178
Read events
8 499
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
10
Unknown types
1

Dropped files

PID
Process
Filename
Type
676OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR974F.tmp.cvr
MD5:
SHA256:
676OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
676OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:AFD7D56819BE1A2FD8DD5344B3832613
SHA256:EC417556E648DCBB44AFF2E6BCA6681C0CA49AA6656260601ACEDB77DE67928F
676OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:AA826E462FC2C851B07D48B5A5236DAE
SHA256:612037FB1B6686D0136E2ACAE2B01F0F9072E5B27BEA8767B12503F6FA94E25D
3220SearchIndexer.exeC:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010011.dirbinary
MD5:0512B0DD84145F0B91F2711A3B4ABB40
SHA256:CD63C0C766D91BC404A4CA2B839D0863441C3C4C245B4EB29BC013D63B5141EE
3220SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.logbinary
MD5:C2D0F3E51867260A082FE4A27F16F870
SHA256:D3B401C613D4E4905442FF25C98B32C26867CB81E94B325243538B175FBC3C88
3220SearchIndexer.exeC:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010011.cibinary
MD5:C4544EB582EA3314A9883C1509B77D79
SHA256:9AD34C97BE9A2C37005092B08352E8507C72DFAD3F6E02C241C779C4BC5B4789
676OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_631E8C29C28D1C408A24B5BD78B761F0.datxml
MD5:F194B1FA12F9B6F46A47391FAE8BEEC2
SHA256:FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74
676OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_332054CC0CB3524C97A3BC4957AA8143.datxml
MD5:BBCF400BD7AE536EB03054021D6A6398
SHA256:383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD
676OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_A5CE06CBB17D2A4D8D9D92D1C0606C06.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
676
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
676
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
192.168.100.2:53
whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
whitelisted
config.messenger.msn.com
  • 64.4.26.155
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Multiple ISOnet User IDs Clean up ref_00D301Oe1._5004S3vDMmref .msg