File name: RV Raul Gonzalez Martin share a file with you.msg

Full analysis: https://app.any.run/tasks/0e36e375-4e4d-4ce5-b3b1-d2680b3e626e
Verdict: Malicious activity
Analysis date: October 20, 2020, 08:59:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: phishing
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 16B6B1C49895C15DE61635FD753826BB
SHA1: 8D9B1B60F344109836BE18D5AD996F7167FA1756
SHA256: 7DADF14646FD93BBCE05F2530A05F553C7B3AA54C388E092C0D7BB5CC0DCBCC8
SSDEEP: 1536:gjNmK5lxxzIeUXR+dlRbT/W9OkTYKmxSbQD:gjNX5RUAmLvmxF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2944)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 2944)
  • INFO
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2944)
      • iexplore.exe (PID: 3988)
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 2944)
      • iexplore.exe (PID: 3988)
      • iexplore.exe (PID: 3616)
      • chrome.exe (PID: 3176)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2944)
    • Changes internet zones settings
      • iexplore.exe (PID: 3988)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3616)
      • iexplore.exe (PID: 3988)
      • chrome.exe (PID: 3516)
    • Application launched itself
      • iexplore.exe (PID: 3988)
      • chrome.exe (PID: 3176)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3616)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3988)
    • Manual execution by user
      • chrome.exe (PID: 3176)
    • Reads the hosts file
      • chrome.exe (PID: 3176)
      • chrome.exe (PID: 3516)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3988)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration.

TRiD

.msg | Outlook Message (50.8)
.oft | Outlook Form Template (29.7)
.doc | Microsoft Word document (old ver.) (13.6)
No data.
All screenshots are available in the full report
Total processes: 80
Monitored processes: 39
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive process graph available in the full report. Processes shown: outlook.exe, two iexplore.exe instances, chrome.exe and its child chrome.exe processes, most of them without specs.)

Process information

PID 2944 | Parent process: explorer.exe
  CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\RV Raul Gonzalez Martin share a file with you.msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Outlook | Version: 14.0.6025.1000

PID 3988 | Parent process: OUTLOOK.EXE
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://esicedu-my.sharepoint.com/:b:/g/personal/raul_gonzalez_esic_edu/Eeq4PdrpOANGjbKigZNSNhsBLOYtnh7hnDZNHs901iyLcw?e=T7QbbM
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3616 | Parent process: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3988 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: LOW | Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3176 | Parent process: explorer.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 2096 | Parent process: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6030a9d0,0x6030a9e0,0x6030a9ec
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 3692 | Parent process: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3200 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 3092 | Parent process: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1012,14767203780690689224,12360827305972315815,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=3785877105493009685 --mojo-platform-channel-handle=1032 --ignored=" --type=renderer " /prefetch:2
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: LOW | Description: Google Chrome | Version: 75.0.3770.100

PID 3516 | Parent process: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1012,14767203780690689224,12360827305972315815,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=5044824654697298103 --mojo-platform-channel-handle=1636 /prefetch:8
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 2472 | Parent process: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,14767203780690689224,12360827305972315815,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3583779530501557482 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: LOW | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100

PID 3320 | Parent process: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,14767203780690689224,12360827305972315815,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=856925530313477101 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity Level: LOW | Description: Google Chrome | Version: 75.0.3770.100
Total events: 3 379
Read events: 2 244
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 130
Text files: 197
Unknown types: 12

Dropped files

PID | Process | Filename | Type
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR5161.tmp.cvr |
  MD5: | SHA256:
3616 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabD6BD.tmp |
  MD5: | SHA256:
3616 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarD6BE.tmp |
  MD5: | SHA256:
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
  MD5: BD2CB1ECC1FF96334BCC797B988E2D66 | SHA256: E0869C28AB2B56F9892AFD74E126012FAEA01468E711EF55DBEAA4C83A4C2288
3988 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\CabE014.tmp |
  MD5: | SHA256:
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: 227FBD5C9DAA0E55FC0A4553A7CD5573 | SHA256: C40F6FBA2FF408C6F664D06605A33A7561937989F3768CB593619C0E6C293EA4
3988 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\TarE015.tmp |
  MD5: | SHA256:
2944 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\61CA0A0E.dat | image
  MD5: 0578948432E8BD5C1A3CE3B4F799499C | SHA256: 13377E45BEF2CA66AAF4FBF959CA9828B882F69ADAF9F653FAB3D08F58D8C9AD
3616 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\onedrive[1].htm | html
  MD5: 682E07A9BDF0220EEBD0334D152B0AAD | SHA256: 59182CD30528C40916291AB5C6CBD1BF31ABFCF63CECC4F6E7C9669FF117C61A
3616 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04 | binary
  MD5: 8B3EADBAC4F61A5D3D93CE0C679D5B38 | SHA256: 7BED43677AFAD19FE3F722042D01EC735BEE58C5AFAEFA2DB80F2EAF65186F9C
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.

HTTP(S) requests: 14
TCP/UDP connections: 124
DNS requests: 58
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2944 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
3616 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
3616 | iexplore.exe | GET | 304 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D | US | der | 1.47 Kb | whitelisted
3616 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
3616 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D | US | der | 471 b | whitelisted
3616 | iexplore.exe | GET | 304 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D | US | | | whitelisted
3516 | chrome.exe | GET | | 46.105.171.173:80 | http://sepo.es/v5/ | FR | | | unknown
3616 | iexplore.exe | GET | 304 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D | US | der | 471 b | whitelisted
3616 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D | US | der | 1.47 Kb | whitelisted
3616 | iexplore.exe | GET | 304 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D | US | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3616 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3988 | iexplore.exe | 104.146.250.33:443 | esicedu-my.sharepoint.com | Microsoft Corporation | IE | unknown
3616 | iexplore.exe | 104.146.250.33:443 | esicedu-my.sharepoint.com | Microsoft Corporation | IE | unknown
3988 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3616 | iexplore.exe | 2.21.37.2:443 | shell.cdn.office.net | GTT Communications Inc. | FR | unknown
2944 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
3516 | chrome.exe | 172.217.22.3:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
3516 | chrome.exe | 172.217.22.110:443 | apis.google.com | Google Inc. | US | whitelisted
3516 | chrome.exe | 216.58.205.227:443 | www.gstatic.com | Google Inc. | US | whitelisted
3516 | chrome.exe | 216.58.212.173:443 | accounts.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
esicedu-my.sharepoint.com | 104.146.250.33, 13.107.136.9 | suspicious
ocsp.digicert.com | 93.184.220.29 | whitelisted
shell.cdn.office.net | 2.21.37.2, 23.210.249.64 | whitelisted
api.bing.com | 13.107.47.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
clientservices.googleapis.com | 172.217.22.3 | whitelisted
accounts.google.com | 216.58.212.173 | shared
www.google.com | 216.58.210.4 | whitelisted
clients2.google.com | 172.217.18.174 | whitelisted

Threats

No threats detected
No debug info