File name: FW ACH Ref 61028374 MT103 Customer Ref.msg

Full analysis: https://app.any.run/tasks/da444e2e-5337-4c40-92b8-f6e39dfbc4e5
Verdict: Malicious activity
Analysis date: May 20, 2019, 22:22:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 4BD7DF6EF44AC39071F0FA8E69503B17
SHA1: 395CC3D228362BE917A1A2921D125CE761E7506B
SHA256: 81BA327A0C7919D26CFEDBAAE92560810D1C8CF516174E61AC8182A6F9440C4D
SSDEEP: 1536:iJ6pKDEahIp/WeWIWJdWeWoWgpjG5ZhWXsWUq2QA/VSmD5ZqtJN/IW5f03PCjgzE:UEa2p09ppcqMpDrqqW5KCj6ejASv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by analyst actions inside the sandbox and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2840)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 2840)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2840)
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 2840)
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 2376)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2840)
    • Reads Internet Explorer settings
      • iexplore.exe (PID: 2816)
    • Changes Internet zones settings
      • iexplore.exe (PID: 2376)
    • Creates files in the user directory
      • iexplore.exe (PID: 2816)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2816)
      • iexplore.exe (PID: 2376)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2376)
    • Changes settings of System Certificates
      • iexplore.exe (PID: 2376)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2376)
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
Total processes: 36
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, outlook.exe, iexplore.exe, iexplore.exe (parent/child relationships are listed under Process information)

Process information

PID: 2840
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW ACH Ref 61028374 MT103 Customer Ref.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 2376
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://bit.ly/2YCREMIT
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2816
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2376 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 1 684
Read events: 1 185
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 62
Unknown types: 8

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2840 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVREABC.tmp.cvr | | |
2840 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3EA8CB5E.dat | image | 54EE72AABDA42241EE0662DAF4B33495 | E9E017D87093F3A37FC8839626E014A28394962F927997E1111C83B2605B2DA2
2840 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4BC7C7C7.dat | image | A5F0BC7076564213803E743477AA7127 | 7507B6D29695D3B64E8D9C1B6F7C43C44EFA9699F1323D538290329719557D1E
2840 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\11F8BCD0.dat | image | 49080D1763E7D884883B82BB3642D47B | F75C8C915675D345F224EB58E3CDC003078F9F5CA5CBB53A7D74A82412706C59
2840 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\64168603.dat | image | 66520B0BF0B2426768524C209EE0E3CF | E650C94ACF8FF197FE63674E4358E7AAC26EF71FBA038DC252BCB969610B461D
2840 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | FC7A452123D92826657D84A4DB282B99 | CDF0498165FDFE45E5F1B71B3C50CB6285DC02EB1962A9F17C7BE89FF48125B5
2840 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\752C7691.dat | image | AB3B81178D7CC5ED29BA56442C2EF9D5 | F19E3F1E13E53DD2099FDBF7E8988C20FA7E127F8DFA4EA4E996C46F46F2670E
2840 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F52D6F1C.dat | image | 84AF984A7589AA5312F26D02F4982918 | 6169DC87F54888B26863A088D3C9FF3CEA47D4F2DDEE84329B67F407B0811DDE
2840 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\674FCC6D.dat | image | 3E9B2C2F3B0640DFE1BB82E6B3779E48 | 445A72992078A4E729BC4A73A4775182E2A6F6A43B53C21D92009569D665206D
2840 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24D50028.dat | image | B067C4F9847185A4C56EAC50FE36FC8F | 5149902F4830E22AE874E1904C75EBA06C8820286B2529AAD89492B79B628767
HTTP(S) requests: 3
TCP/UDP connections: 14
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2840 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
2816 | iexplore.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/2YCREMIT | US | html | 218 b | shared
2376 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2376 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2816 | iexplore.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared
2816 | iexplore.exe | 13.107.136.9:443 | agzagope-my.sharepoint.com | Microsoft Corporation | US | whitelisted
2376 | iexplore.exe | 13.107.136.9:443 | agzagope-my.sharepoint.com | Microsoft Corporation | US | whitelisted
2840 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
2816 | iexplore.exe | 2.19.34.64:443 | static.sharepointonline.com | Akamai International B.V. | | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
bit.ly | 67.199.248.10, 67.199.248.11 | shared
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
agzagope-my.sharepoint.com | 13.107.136.9 | suspicious
static.sharepointonline.com | 2.19.34.64 | whitelisted

Threats

No threats detected
No debug info