analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

-8504145373391576500.eml

Full analysis: https://app.any.run/tasks/beaf2616-3bc5-4252-8777-347aa1551ef1
Verdict: Malicious activity
Analysis date: August 12, 2022, 13:56:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

D1C46F41BC67473D9BDA6050D0756B1D

SHA1:

31EE07BBBDC6D1C736F836AAC600FF30B870B0CF

SHA256:

6EE10328DB28E92F37B9CB782BC21531107FB4A46D49BAD60F10E29FA750402F

SSDEEP:

6144:oGg+LrRmChPqEToBfll0FfhQkUH9NDoPY6VAPiqRh3lqYkPDRW1Epn2hMN3p43fu:oGXLU4PVTaNGlOLdNMzVOhVan2KZ4+rz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Checks supported languages

      • OUTLOOK.EXE (PID: 2964)

    • Reads the computer name

      • OUTLOOK.EXE (PID: 2964)

    • Searches for installed software

      • OUTLOOK.EXE (PID: 2964)

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3352)

  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2924)
      • iexplore.exe (PID: 3352)
      • AcroRd32.exe (PID: 632)
      • AcroRd32.exe (PID: 2824)
      • RdrCEF.exe (PID: 3700)
      • RdrCEF.exe (PID: 2192)
      • RdrCEF.exe (PID: 1604)
      • RdrCEF.exe (PID: 1528)
      • RdrCEF.exe (PID: 376)
      • RdrCEF.exe (PID: 1260)
      • RdrCEF.exe (PID: 3448)
      • RdrCEF.exe (PID: 616)

    • Reads the computer name

      • iexplore.exe (PID: 2924)
      • iexplore.exe (PID: 3352)
      • AcroRd32.exe (PID: 632)
      • AcroRd32.exe (PID: 2824)
      • RdrCEF.exe (PID: 3700)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3352)
      • iexplore.exe (PID: 2924)
      • AcroRd32.exe (PID: 632)

    • Changes internet zones settings

      • iexplore.exe (PID: 2924)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3352)

    • Application launched itself

      • iexplore.exe (PID: 2924)
      • AcroRd32.exe (PID: 632)
      • RdrCEF.exe (PID: 3700)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3352)
      • iexplore.exe (PID: 2924)
      • RdrCEF.exe (PID: 3700)
      • AcroRd32.exe (PID: 632)

    • Reads the date of Windows installation

      • iexplore.exe (PID: 2924)

    • Searches for installed software

      • AcroRd32.exe (PID: 632)
      • AcroRd32.exe (PID: 2824)

    • Reads Microsoft Office registry keys

      • AcroRd32.exe (PID: 2824)
      • OUTLOOK.EXE (PID: 2964)

    • Reads CPU info

      • AcroRd32.exe (PID: 2824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
13
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe acrord32.exe acrord32.exe no specs rdrcef.exe rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2964"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\-8504145373391576500.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2924"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\OWDC22TI\brown Claim History.htmlC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3352"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2924 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
632"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\OWDC22TI\Xerox Scan_08092022093854.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
OUTLOOK.EXE
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
2824"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\OWDC22TI\Xerox Scan_08092022093854.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
3700"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
20.13.20064.405839
2192"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1188,14987946445822871560,15135845311575489538,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6992556868800801086 --renderer-client-id=2 --mojo-platform-channel-handle=1184 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
20.13.20064.405839
616"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1188,14987946445822871560,15135845311575489538,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=11491233215450685509 --mojo-platform-channel-handle=1212 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
1528"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1188,14987946445822871560,15135845311575489538,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=16549691105893070531 --mojo-platform-channel-handle=1220 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
1604"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1188,14987946445822871560,15135845311575489538,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=17253602481398153458 --mojo-platform-channel-handle=1384 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
Total events
29 687
Read events
28 932
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
151
Text files
26
Unknown types
14

Dropped files

PID
Process
Filename
Type
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR9E54.tmp.cvr
MD5:
SHA256:
2964OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmp9FCD.tmptext
MD5:C5FF7FDA36EA664259D3D67E3557C2A3
SHA256:6323C66D85B024BB2A096B18AEDF2FF26455AE1BE12CA675FA52D880C2A13BDD
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\OWDC22TI\brown Claim History.htmlhtml
MD5:9F2F230F5058E6DE933A3767E31D803F
SHA256:F30012826D4BA6CC776D89849B38BBF658D464A9EE2EB1FBCAE356341A79F457
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:69516BCD324E43A59BF8CC04715E08C9
SHA256:B8AD8CCB72956B9C91624F6FB6983299EB6A9F947B0DD081AA8EDB58BE3C7C33
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmp9FBC.tmpbinary
MD5:4D82C5A117D4A7164CE3253091EC1C73
SHA256:C067D411BC17520B6CEFD0E109916E3C5B25734462962670782AC324CB454DAC
2964OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:D079E9B9C2B24DF436189FA71C879C30
SHA256:22750AC0C418AC29DC0299FA7BB9C381D5A9513D7889913695C8D2CDD0E14008
3352iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:4D6EB2A6D4315B1EED8E571CA9DB7A46
SHA256:ED54C42549F5358621E17D5D9599F4BEBCECFCB4A820FBEFA4C1AD2D17ACDE1A
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
2964OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F222E89F-FD93-460B-9DF7-62161AAC0CE0}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
27
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3352
iexplore.exe
GET
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9c3c66b9a5aba2fc
US
whitelisted
2964
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2924
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3352
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D
US
der
471 b
whitelisted
632
AcroRd32.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
2924
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3352
iexplore.exe
GET
200
13.224.189.104:80
http://cdn.appdynamics.com/adrum-ext.59191791453ae6311081a09b4cf33c2d.js
US
text
19.4 Kb
whitelisted
3352
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cee5b25793630fa5
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3352
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2964
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2924
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3352
iexplore.exe
69.192.160.133:443
s.go-mpulse.net
Akamai International B.V.
US
suspicious
3352
iexplore.exe
13.224.189.104:80
cdn.appdynamics.com
US
suspicious
2924
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3352
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
632
AcroRd32.exe
23.48.23.54:443
acroipm2.adobe.com
TRUE INTERNET Co.,Ltd.
US
suspicious
3700
RdrCEF.exe
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
3352
iexplore.exe
50.112.172.18:80
pdx-col.eum-appdynamics.com
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
s.go-mpulse.net
  • 69.192.160.133
whitelisted
cdn.appdynamics.com
  • 13.224.189.104
  • 13.224.189.64
  • 13.224.189.35
  • 13.224.189.4
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
pdx-col.eum-appdynamics.com
  • 50.112.172.18
  • 44.237.198.20
  • 54.186.151.6
  • 52.34.173.191
  • 34.209.46.146
  • 54.148.156.115
  • 52.34.0.251
  • 44.224.247.177
shared
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
-8504145373391576500.eml