analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

EXTERNAL Exchange MX [email protected]

Full analysis: https://app.any.run/tasks/7f2cce8f-4523-452d-95c2-211228f93ac6
Verdict: Malicious activity
Analysis date: December 02, 2019, 20:15:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

A524A7BF7CFA94D2BF42460E985F3826

SHA1:

5CD69818DA1ADBA96AA2D536B59108E89A27B9CC

SHA256:

7BE78F881980C498E89BF90389AB90DEB067A659F670908824AD55B6F22394AF

SSDEEP:

768:DbUWsKeWsKwLmeWsK18mk/DNhQ9qHzK+13TTWsKuMWU5:DIWGWoLmeWd8m+K+tW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2844)

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2844)

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2844)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2844)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2528)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 748)
      • chrome.exe (PID: 2528)

    • Changes internet zones settings

      • iexplore.exe (PID: 748)

    • Creates files in the user directory

      • iexplore.exe (PID: 1292)
      • iexplore.exe (PID: 748)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1292)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 1292)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1292)

    • Manual execution by user

      • chrome.exe (PID: 2528)

    • Reads the hosts file

      • chrome.exe (PID: 2528)
      • chrome.exe (PID: 1428)

    • Changes settings of System certificates

      • iexplore.exe (PID: 748)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 748)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 748)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
75
Monitored processes
37
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2844"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\EXTERNAL Exchange MX [email protected]"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
748"C:\Program Files\Internet Explorer\iexplore.exe" https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Furl9325.mastersacts.com%2Fwf%2Fclick%3Fupn%3DAPMi-2BwjYaaJh3lPIhLMcS3b4ZUwiPvxps7Ils0fpGU7ZH75lbWzDWVT2jNyZF-2BskwXGN8GwbI27i9wh70HAf9IblF0na5HvEBSha764NN8cZQHbHlrpTwmvGVxNmADLN6C134GTepa6JuBwcOQuSZzmMUKYskcx6v-2B066T4r4bpVG5eCgr3-2F-2BKjKr6kme8SUdJXwrfP-2BzGbq-2FfQkf8N8dC0Rapzp9xhfNS-2FOwzqnoJ8s2PCL03K8oXY1hbOgWUsOZh8nUel1IBmh-2BgZz6eSd7g-3D-3D_palDskKho4VuKoYryZqMTOh5muiZe3oMr74LfoOCYfdlhMTY3HTi4Tlc311pv84DsiuBjMRozW1-2BSKtqHsZ2GYuwEHj9cx6L2z5leXtljOmHJQUjuV5pY0ak1ZpIaskUuPYEruQ-2F4EmN2-2BZbOBQWnyamFugvyO7utM707YHVqnaTupCjLPmlsWZhNXQu-2Bwi8jtChotoBVusKwM9C2IeURA-3D-3D&data=02%7C01%7Cpsherrill%40nses.com%7Ce359a94701b14e0b1d9708d77752651c%7C78d5360854ca4a748beb8a1399c1189c%7C0%7C1%7C637109068087055632&sdata=GZ6ytMn5VD4e9MHqQbGVfenISxp8K26BHPEivf0BReQ%3D&reserved=0C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1292"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:748 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2528"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2500"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6a61a9d0,0x6a61a9e0,0x6a61a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1780"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2800 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3932"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=976,16845269008916518779,13615395296269151566,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11273443785022729811 --mojo-platform-channel-handle=988 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
1428"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=976,16845269008916518779,13615395296269151566,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=15695361287669630257 --mojo-platform-channel-handle=1608 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2096"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=976,16845269008916518779,13615395296269151566,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11729344122599236426 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2900"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=976,16845269008916518779,13615395296269151566,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15763623269606557028 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2424 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
2 658
Read events
1 910
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
47
Text files
263
Unknown types
11

Dropped files

PID
Process
Filename
Type
2844OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRE00F.tmp.cvr
MD5:
SHA256:
2844OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:9505DCCEEB1E2F89D39131BFB543DC93
SHA256:2BB2FE7AD9F01DB15A291FAEA5F9FBE3EB26D9A1482A24179B1F769F7181FAFC
2844OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:9087BC5A39BDC5779789AD636A7D681E
SHA256:CBF900815FC254984B828E624B0205B8571A32E88F3EB874625C7CE7A68079AC
1292iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\166B5S8Z\forms_office_com[1].txt
MD5:
SHA256:
1292iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:8B89E40A7632A7397231401862F376B5
SHA256:5055D0E0D103C9D252679737154402E22B99D040455ADB7407D9B8D5B743E577
2844OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\StructuredQuery.logtext
MD5:F5ED8061BAC533AE3FCCBF0A0111B762
SHA256:65DA46FAD51DBF36103CCCDA1EDD25B4E1BE4DABC9A577F160E3379014AE7FD6
1292iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:562E1DB7A82B2609C754137FA878F9DD
SHA256:A7C25DA8A0BE2502223C23C120F1B564E6B14760744373DEEEA69D64F03FF2AD
748iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
748iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].htm
MD5:
SHA256:
748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
63
DNS requests
42
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1428
chrome.exe
GET
200
159.148.69.143:80
http://r4---sn-a5uoxu-gpme.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=159.148.186.246&mm=28&mn=sn-a5uoxu-gpme&ms=nvh&mt=1575317722&mv=m&mvi=3&pcm2cms=yes&pl=24&shardbypass=yes
LV
crx
293 Kb
whitelisted
1428
chrome.exe
GET
302
172.217.22.14:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
533 b
whitelisted
1428
chrome.exe
GET
302
172.217.22.14:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
538 b
whitelisted
1428
chrome.exe
GET
200
159.148.69.142:80
http://r3---sn-a5uoxu-gpme.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=159.148.186.246&mm=28&mn=sn-a5uoxu-gpme&ms=nvh&mt=1575317209&mv=u&mvi=2&pcm2cms=yes&pl=24&shardbypass=yes
LV
crx
862 Kb
whitelisted
748
iexplore.exe
GET
200
13.107.21.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
748
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1292
iexplore.exe
152.199.19.160:443
az725175.vo.msecnd.net
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1292
iexplore.exe
52.109.76.79:443
forms.office.com
Microsoft Corporation
IE
whitelisted
748
iexplore.exe
52.109.76.79:443
forms.office.com
Microsoft Corporation
IE
whitelisted
1292
iexplore.exe
2.16.186.106:443
cdn.forms.office.net
Akamai International B.V.
whitelisted
2.16.186.106:443
cdn.forms.office.net
Akamai International B.V.
whitelisted
1292
iexplore.exe
104.47.41.28:443
nam03.safelinks.protection.outlook.com
Microsoft Corporation
US
whitelisted
1292
iexplore.exe
167.89.118.52:80
url9325.mastersacts.com
SendGrid, Inc.
US
suspicious
2844
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
1428
chrome.exe
216.58.206.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
nam03.safelinks.protection.outlook.com
  • 104.47.41.28
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
url9325.mastersacts.com
  • 167.89.118.52
  • 167.89.115.56
suspicious
forms.office.com
  • 52.109.76.79
whitelisted
cdn.forms.office.net
  • 2.16.186.106
  • 2.16.186.83
whitelisted
az725175.vo.msecnd.net
  • 152.199.19.160
whitelisted
clientservices.googleapis.com
  • 216.58.206.3
whitelisted
accounts.google.com
  • 216.58.210.13
shared
www.google.com.ua
  • 172.217.18.3
whitelisted

Threats

No threats detected
No debug info