analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

New Fax.msg

Full analysis: https://app.any.run/tasks/69d518f5-d190-457f-92bf-a0e2adf8fc57
Verdict: Malicious activity
Analysis date: October 19, 2020, 22:55:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

D48BF1FE2CF5AD1EB3FAB040933D2229

SHA1:

87FA9F485687CB36107A521E51816CC4D3E3CB1B

SHA256:

716A903F485A34F69F884A0A3CA57852796AED3344DDD7D87AE872828DE693F1

SSDEEP:

1536:L1XUMWDWfe5HeWKuLmbnWOWmC1Xz2bkZ0hxUZpLGGC:L1Xw5HiuLrXWkZtIGC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 1772)

  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 1772)

    • Starts itself from another location

      • OUTLOOK.EXE (PID: 1772)

  • INFO

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1772)
      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 3876)

    • Changes internet zones settings

      • iexplore.exe (PID: 3876)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3876)
      • OUTLOOK.EXE (PID: 1772)
      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 3860)
      • iexplore.exe (PID: 1788)

    • Application launched itself

      • iexplore.exe (PID: 3876)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1724)
      • OUTLOOK.EXE (PID: 1772)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 3876)
      • iexplore.exe (PID: 3860)
      • iexplore.exe (PID: 1788)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3876)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3876)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe outlook.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1772"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\New Fax.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3876"C:\Program Files\Internet Explorer\iexplore.exe" http://t.mail.sony-europe.com/r/?id=h42f5194e,42e87e9c,44610685&p1=buitengewoonzwartewaterland.nl/3535#[email protected]C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3716"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3876 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1724"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXEOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
1788"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3876 CREDAT:1185040 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3860"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3876 CREDAT:2954513 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
3 145
Read events
2 376
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
10
Text files
67
Unknown types
5

Dropped files

PID
Process
Filename
Type
1772OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR40D6.tmp.cvr
MD5:
SHA256:
3716iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\5Y1R3S26.txttext
MD5:2AEEE680EB4447797F256AAFFA1D5E67
SHA256:0D0032D5E870B4407813D3C40168353BBA64EC6CC7F849DCFFDC2FAD70B29F3B
1772OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:8A3AF7732DF16EAFC688820559209E18
SHA256:666B56882725410172661CA5DED026076BDF4F5A4C82804E0C8DBEF7C3247823
1772OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_9AD109386252234BAD0E99DB9942E083.datxml
MD5:D8B37ED0410FB241C283F72B76987F18
SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
1772OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:48DD6CAE43CE26B992C35799FCD76898
SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
3876iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1724OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRE12D.tmp.cvr
MD5:
SHA256:
3716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DATsmt
MD5:9C79052CD4702AB47E3269B42E873AC7
SHA256:27174FF21A72F50A2731A7454133B29C2397AA53ABD8848C6FED36A36F0E25EE
1772OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:505D23C5B5C9F9DB28AB218C18B55484
SHA256:F37A3A814D64353C246B6623F54A8184E071BC3CF3B37AE20F9B6F8A91C1149D
3876iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab6B7.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
25
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3716
iexplore.exe
GET
301
185.104.29.4:80
http://buitengewoonzwartewaterland.nl/3535
NL
suspicious
3876
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3860
iexplore.exe
GET
301
185.104.29.4:80
http://buitengewoonzwartewaterland.nl/3535
NL
suspicious
1772
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
1788
iexplore.exe
GET
301
185.104.29.4:80
http://buitengewoonzwartewaterland.nl/3535
NL
suspicious
3716
iexplore.exe
GET
404
185.104.29.4:80
http://www.buitengewoonzwartewaterland.nl/3535
NL
compressed
363 b
malicious
3860
iexplore.exe
GET
404
185.104.29.4:80
http://www.buitengewoonzwartewaterland.nl/3535
NL
compressed
363 b
malicious
3716
iexplore.exe
GET
200
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=%2Fr%2F%3Fid%3Dh42f5194e,42e87e9c,44610685%26p1%3Dbuitengewoonzwartewaterland.nl%2F3535%23javelasquezc%40compensar.com&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
xml
246 b
whitelisted
3876
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3876
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3876
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1772
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3876
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3716
iexplore.exe
99.86.7.90:80
t.mail.sony-europe.com
AT&T Services, Inc.
US
unknown
3876
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3716
iexplore.exe
185.104.29.4:80
buitengewoonzwartewaterland.nl
Stichting DIGI NL
NL
malicious
3876
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3860
iexplore.exe
185.104.29.4:80
buitengewoonzwartewaterland.nl
Stichting DIGI NL
NL
malicious
3716
iexplore.exe
13.107.5.80:80
api.bing.com
Microsoft Corporation
US
whitelisted
1788
iexplore.exe
99.86.7.125:80
t.mail.sony-europe.com
AT&T Services, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
t.mail.sony-europe.com
  • 99.86.7.90
  • 99.86.7.4
  • 99.86.7.26
  • 99.86.7.125
suspicious
buitengewoonzwartewaterland.nl
  • 185.104.29.4
suspicious
www.buitengewoonzwartewaterland.nl
  • 185.104.29.4
malicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
New Fax.msg