analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Лотерейный билет.eml

Full analysis: https://app.any.run/tasks/04cd0846-285e-4736-9025-56fc54e6cbce
Verdict: Malicious activity
Analysis date: March 30, 2020, 15:51:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
covid19
Indicators:
MIME: message/rfc822
File info: SMTP mail, UTF-8 Unicode text
MD5:

4A208B33104FFD964DD03C62647FA8A9

SHA1:

4C071E42970934F944D1D17A14D73E3B99004CCA

SHA256:

67E9D9BABA822D133D94A930ADBCA2055C821FB93D1151177F1209B361871430

SSDEEP:

48:STqeqw+KqtM+1LnsU5u1McJO3W9fvVT55RlbjZp9TWUiQLqyLRb+bVy40C/TsiB/:2qeqwQxjX9hEfdd5HbjHgUiQLDwYLE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3000)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3000)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3000)

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2612)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1760)
      • iexplore.exe (PID: 3464)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3000)

    • Drops Coronavirus (possible) decoy

      • iexplore.exe (PID: 3464)

    • Application launched itself

      • iexplore.exe (PID: 1760)

    • Changes internet zones settings

      • iexplore.exe (PID: 1760)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3464)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3464)

    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2612)
      • iexplore.exe (PID: 3464)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1760)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1760)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 1) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3000"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Лотерейный билет.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
1760"C:\Program Files\Internet Explorer\iexplore.exe" http://pgvquantum.com/wp-content/themes/twentysixteen-child/template-parts/footer/3/C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3464"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1760 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2612C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Total events
3 383
Read events
2 250
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
280
Text files
349
Unknown types
149

Dropped files

PID
Process
Filename
Type
3000OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR8862.tmp.cvr
MD5:
SHA256:
1760iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3464iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabC57B.tmp
MD5:
SHA256:
3464iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarC57C.tmp
MD5:
SHA256:
3000OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:FF2FE9B1A62EECB7C213463B671F8BA3
SHA256:48E2567141C05C4DD29C43214626218DCD7B39020FB934CD32B68B6608B97B1F
3000OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:FEC2711B945FC3C2B1A3CC8F6C7B1C0E
SHA256:B88F6EA20781729DC868BAAA738A49F13CCED058EC468E9F2029B7DE6C69B916
3464iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27Cder
MD5:63311A320518E4CA5045931F3E6ADE16
SHA256:23B7BECCB98DAF194EF0EE6709E93CAC4632C1214F6478FCFA2A547515237D83
3000OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:48DD6CAE43CE26B992C35799FCD76898
SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
3464iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4344B8AF97AF3A423D9EE52899963CDE_8CB36310D7DE2704E6294B3E104E72F7der
MD5:503F6318AEBCDDE71943FDE206942183
SHA256:3F1EA1F2C7FAE4006130B74DF173F5906EA867226C43C71B41E39146FD7FA5EE
3464iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\41065586[1].htmhtml
MD5:EBDD9AC765892D8D91E1AEBD09497451
SHA256:1E4448DDE176A769FD2BA81018CECE4C8C9248088D4B114B655E6F5B0D0AE767
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
153
TCP/UDP connections
319
DNS requests
129
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3464
iexplore.exe
GET
200
104.18.21.226:80
http://ocsp2.globalsign.com/rootr3/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCCwQAAAAAATGJxkTJ
US
der
1.48 Kb
whitelisted
3000
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3464
iexplore.exe
GET
200
93.184.220.29:80
http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEA8Byg3xePJ2xAXD21b7Wg8%3D
US
der
471 b
whitelisted
3464
iexplore.exe
GET
302
112.213.89.7:80
http://pgvquantum.com/wp-content/themes/twentysixteen-child/template-parts/footer/3/
VN
suspicious
3464
iexplore.exe
GET
304
104.18.21.226:80
http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8DYx
US
der
1.49 Kb
whitelisted
3464
iexplore.exe
GET
200
93.184.220.29:80
http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEAfPgrgEmbcjJexpgYUf%2BBU%3D
US
der
471 b
whitelisted
3464
iexplore.exe
GET
200
93.184.220.29:80
http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEAlcEGMQ6%2BaXcVfbcNX89rE%3D
US
der
471 b
whitelisted
3464
iexplore.exe
GET
200
93.184.220.29:80
http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEA9Fw%2BeisXO35WtYpu%2BqoDw%3D
US
der
471 b
whitelisted
3464
iexplore.exe
GET
304
104.18.21.226:80
http://ocsp2.globalsign.com/rootr3/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCCwQAAAAAATGJxkTJ
US
der
1.48 Kb
whitelisted
3464
iexplore.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8DYx
US
der
1.49 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1760
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3464
iexplore.exe
112.213.89.7:80
pgvquantum.com
SUPERDATA
VN
malicious
3000
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3464
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3464
iexplore.exe
217.69.139.14:443
likemore-go.imgsmail.ru
Limited liability company Mail.Ru
RU
unknown
3464
iexplore.exe
217.69.130.233:443
mcdn.imgsmail.ru
Limited liability company Mail.Ru
RU
unknown
3464
iexplore.exe
217.69.139.33:443
news.mail.ru
Limited liability company Mail.Ru
RU
unknown
3464
iexplore.exe
94.100.180.36:443
cp-filin.mail.ru
Limited liability company Mail.Ru
RU
unknown
3464
iexplore.exe
94.100.180.197:443
rs.mail.ru
Limited liability company Mail.Ru
RU
unknown
3464
iexplore.exe
217.69.139.36:443
news.mail.ru
Limited liability company Mail.Ru
RU
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
pgvquantum.com
  • 112.213.89.7
suspicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
news.mail.ru
  • 217.69.139.33
  • 217.69.139.36
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
status.geotrust.com
  • 93.184.220.29
whitelisted
likemore-go.imgsmail.ru
  • 217.69.139.14
whitelisted
mcdn.imgsmail.ru
  • 217.69.130.233
unknown
rs.mail.ru
  • 94.100.180.197
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Лотерейный билет.eml