File name: 5 Incontro giuriaNotaio Mariconda per definizione ultima short list (rosa di 3 nomi) - prima del.msg

Full analysis: https://app.any.run/tasks/7175a52a-1c31-4b28-8354-22e271edaaae
Verdict: Malicious activity
Analysis date: June 27, 2022, 08:16:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: FB78F2278FE793B947B31E5B5B25BCA2
SHA1: 09F0C2E09756A890D4FDAEABCF4ED9245440CAAD
SHA256: 7795AE7F14DECB1F62D12D4BAFA8A67FB42895B12023BFE1961F469FA8912420
SSDEEP: 3072:vFxjPmHRaTjkSU7khyGhy8ccH+mDARoPTlEq1yAgfNvYZ1an:phyGhy47

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2956)
  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2956)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 2308)
    • Executed via COM

      • OUTLOOK.EXE (PID: 3504)
  • INFO

    • Reads the computer name

      • OUTLOOK.EXE (PID: 2956)
      • iexplore.exe (PID: 1780)
      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 1836)
      • iexplore.exe (PID: 2308)
    • Checks supported languages

      • OUTLOOK.EXE (PID: 2956)
      • iexplore.exe (PID: 1780)
      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 2308)
      • iexplore.exe (PID: 1836)
      • OUTLOOK.EXE (PID: 3504)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 2956)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2956)
      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 2308)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 1780)
      • iexplore.exe (PID: 2308)
      • iexplore.exe (PID: 1836)
    • Application launched itself

      • iexplore.exe (PID: 1780)
      • iexplore.exe (PID: 1836)
    • Changes internet zones settings

      • iexplore.exe (PID: 1780)
      • iexplore.exe (PID: 1836)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 1780)
      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 1836)
      • iexplore.exe (PID: 2308)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 1780)
      • iexplore.exe (PID: 1836)
    • Reads internet explorer settings

      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 2308)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2956)
      • OUTLOOK.EXE (PID: 3504)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2308)
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: outlook.exe, iexplore.exe, iexplore.exe, iexplore.exe, iexplore.exe, outlook.exe (no specs)

Process information

PID: 2956
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\5 Incontro giuriaNotaio Mariconda per definizione ultima short list (rosa di 3 nomi) - prima del.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Exit code: 0
Version: 14.0.6025.1000

PID: 1780
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://teams.microsoft.com/l/meetup-join/19%3ameeting_MjYwYWQ1OGItYTNmNy00NzFlLTgxNDUtZjkyZDYwYjZhMzI5%40thread.v2/0?context=%7b%22Tid%22%3a%22d2a717e0-5630-4111-9863-be69529bd704%22%2c%22Oid%22%3a%229ca432ec-5aeb-42db-8094-924c6a0a2d6e%22%7d
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 328
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1780 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1836
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/JoinTeamsMeeting
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2308
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1836 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3504
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Exit code: 0
Version: 14.0.6025.1000
Total events: 35 207
Read events: 34 354
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 25
Text files: 93
Unknown types: 27

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2956 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRD0E3.tmp.cvr | | |
2956 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | | |
2956 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | DC1299CC8FC2421D13E9DC0E53B07373 | DB043BCAC88D83D5A2713FEFD6EA8995029D481FB764E11C0FAE7743D91F069F
328 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | 1E59DA967E5251FB6363E91677C70153 | CA59967EDB1115006D498632F34F0B7082C5A17DC5BBE98293CD4708E21BFE88
328 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\GBP1FLK9.txt | text | F095770F8D34A55BAF1708CC5806F735 | 1C5245E3DF71C910248B2659BC7A5E30A787D1359CA3C5A1B6EF442C3DE96415
328 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\launcher[1].htm | html | 07A0055AF2D02B2DC9E13C15BE841745 | 645B54944302604486806705360DCA659C93E9701E0F4D1E40AD95E85B4578E2
328 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\JMPLCWCC.txt | text | 7FEFD6508F0252D80096EA62C3FEC70C | 55683AD8549544C8AAB095A4E3C797F0A30B09752F05D862D4ED516B28CD02AA
2956 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_D0E501DCAC934943B006ED33BD648FD2.dat | xml | EEAA832C12F20DE6AAAA9C7B77626E72 | C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
328 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | 3335C25B08EC75374EC203CF6BBA12DE | 7FEC2FC70B801F2725313B1DE2C772AD934D2D1C6FB47BF4EE4E619C732086E5
2956 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_FC72BBC758D349499BD296AD73C2A45C.dat | xml | F194B1FA12F9B6F46A47391FAE8BEEC2 | FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74
HTTP(S) requests: 18
TCP/UDP connections: 72
DNS requests: 31
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2956 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
2308 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted
1780 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted
2308 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
2308 | iexplore.exe | GET | 200 | 104.18.25.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSjA8CoiHvUecQnjrXXWH08EsBNpAQU%2Fy9%2F4Qb0OPMt7SWNmML%2BDvZs%2FPoCEy0ALY0AlzE8ptxT6YwAAAAtjQA%3D | US | der | 1.70 Kb | whitelisted
328 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b75d0ed168bcb374 | US | compressed | 4.70 Kb | whitelisted
328 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
2308 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted
2308 | iexplore.exe | GET | 200 | 104.18.25.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRSHuNsR4EZqcsD%2BrdOV%2BEZevGBiwQUtXYMMBHOx5JCTUzHXCzIqQzoC2QCExIAGiYjg1TzdHbEebAAAAAaJiM%3D | US | der | 1.70 Kb | whitelisted
2308 | iexplore.exe | GET | 200 | 104.18.25.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSjA8CoiHvUecQnjrXXWH08EsBNpAQU%2Fy9%2F4Qb0OPMt7SWNmML%2BDvZs%2FPoCE38AFQsnzSkNiNTIkrwAAAAVCyc%3D | US | der | 1.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2956 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
1780 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
1780 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
328 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
328 | iexplore.exe | 40.79.150.121:443 | browser.pipe.aria.microsoft.com | Microsoft Corporation | FR | suspicious
328 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious
328 | iexplore.exe | 52.113.194.132:443 | teams.microsoft.com | Microsoft Corporation | US | suspicious
2308 | iexplore.exe | 23.72.109.242:443 | aka.ms | Akamai International B.V. | US | malicious
2308 | iexplore.exe | 23.205.226.107:443 | support.office.com | GTT Communications Inc. | NL | unknown
2308 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
teams.microsoft.com | 52.113.194.132 | whitelisted
ctldl.windowsupdate.com | 23.216.77.80, 23.216.77.69 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200, 131.253.33.200, 13.107.22.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
statics.teams.cdn.office.net | 52.113.194.132 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted
browser.pipe.aria.microsoft.com | 40.79.150.121 | whitelisted
aka.ms | 23.72.109.242 | whitelisted

Threats

No threats detected
No debug info