analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

о заказе.msg

Full analysis: https://app.any.run/tasks/ec99394f-2c57-42cb-ab34-d8e67062bde5
Verdict: Malicious activity
Analysis date: September 19, 2019, 06:35:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

871C1757DBD031CA30F12F8C4E783FB5

SHA1:

A9845273989706E80975FE6047793886F586B778

SHA256:

8443F8439296CB8DF19A09716E731DB0E40E9CF05402EDE7F6AE60669BDB8B04

SSDEEP:

384:ccwM42e5sKspsK3VZhJhfV9FwgdqZcT26g4A:czM4JsKIsK3tJTldqZ/t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 3012)
  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3012)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3012)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3012)
    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2080)
  • INFO

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3012)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2384)
    • Changes internet zones settings

      • iexplore.exe (PID: 3492)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2384)
    • Application launched itself

      • iexplore.exe (PID: 3492)
    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2080)
      • iexplore.exe (PID: 2384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3012"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\о заказе.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3492"C:\Program Files\Internet Explorer\iexplore.exe" http://www.tomcairnsphotography.com/wp-content/themes/flatbox_pixfort/languages/doc/C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2384"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3492 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2080C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code:
0
Version:
26,0,0,131
Total events
1 615
Read events
1 155
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
77
Unknown types
6

Dropped files

PID
Process
Filename
Type
3012OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR9E0A.tmp.cvr
MD5:
SHA256:
3492iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
3492iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3012OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:6C65E00B7B8170A48A0CF00C50CEC76E
SHA256:044FBF4A1D7974CE9F03B765BC6C1C092A3B99CC34C69EA1DFF3584376736895
2384iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:E7908B091E43FE80CF8586DA04963B15
SHA256:2729BC12D31138EF0D1FE9BB6FE0E518FBE3836B64573ED244058695ECA6184A
2384iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:EB66144C05322C504362FAC0E83FE7E8
SHA256:D22F68883BADE1EDBD80F64B561470F6AE18E2C1276D6FF16CD08E517B581A08
3012OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_F2BFF595974016488D085337967AC8C3.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
2384iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OQVIPE1A\default[1].csstext
MD5:73E549A588705678C8CB5F465D9E8C3D
SHA256:8C2E46B9132161497D7EE34BCA90D1D2A105A263993E73193649A02489D1AEA5
2384iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8DP4RNDG\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2384iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OQVIPE1A\newstyle[1].csstext
MD5:F23FCB5E2B6AE829C9E9226996F615A0
SHA256:89D741DE0788F30E3F90D4B343460C84E6AE8839ED7081389C1D8696FA223D64
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
51
TCP/UDP connections
14
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3012
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2384
iexplore.exe
GET
200
64.90.34.176:80
http://www.tomcairnsphotography.com/wp-content/themes/flatbox_pixfort/css/default.css?ver=5.0.3
US
text
102 b
unknown
2384
iexplore.exe
GET
64.90.34.176:80
http://www.tomcairnsphotography.com/wp-content/themes/flatbox_pixfort/languages/doc/css/ie.css
US
unknown
2384
iexplore.exe
GET
404
64.90.34.176:80
http://www.tomcairnsphotography.com/wp-content/themes/flatbox_pixfort/languages/doc/
US
html
17.2 Kb
unknown
2384
iexplore.exe
GET
200
64.90.34.176:80
http://www.tomcairnsphotography.com/wp-content/themes/flatbox_pixfort/ie.css
US
text
18.4 Kb
unknown
2384
iexplore.exe
GET
200
64.90.34.176:80
http://www.tomcairnsphotography.com/wp-content/themes/flatbox_pixfort/css/component2.css?ver=5.0.3
US
text
1.93 Kb
unknown
2384
iexplore.exe
GET
200
64.90.34.176:80
http://www.tomcairnsphotography.com/wp-content/themes/flatbox_pixfort/js/new/gnmenu.js?ver=5.0.3
US
text
2.09 Kb
unknown
2384
iexplore.exe
GET
200
64.90.34.176:80
http://www.tomcairnsphotography.com/wp-content/themes/flatbox_pixfort/style.css?031218&ver=5.0.3
US
text
19.8 Kb
unknown
2384
iexplore.exe
GET
200
64.90.34.176:80
http://www.tomcairnsphotography.com/wp-content/themes/flatbox_pixfort/css/component.css?ver=5.0.3
US
text
1.59 Kb
unknown
2384
iexplore.exe
GET
200
64.90.34.176:80
http://www.tomcairnsphotography.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
US
text
3.95 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2384
iexplore.exe
172.217.16.206:80
www.google-analytics.com
Google Inc.
US
whitelisted
3492
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2384
iexplore.exe
93.184.220.70:80
cdn.syndication.twimg.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2384
iexplore.exe
46.105.201.240:80
s10.histats.com
OVH SAS
FR
suspicious
3012
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2384
iexplore.exe
64.90.34.176:80
www.tomcairnsphotography.com
New Dream Network, LLC
US
unknown
198.27.80.143:80
s4.histats.com
OVH SAS
CA
suspicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
www.tomcairnsphotography.com
  • 64.90.34.176
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.google-analytics.com
  • 172.217.16.206
whitelisted
s10.histats.com
  • 46.105.201.240
whitelisted
cdn.syndication.twimg.com
  • 93.184.220.70
whitelisted
s4.histats.com
  • 198.27.80.143
  • 198.27.67.211
  • 192.99.8.34
  • 192.99.8.28
  • 192.99.8.27
  • 198.27.69.19
  • 158.69.252.241
  • 198.27.67.198
whitelisted

Threats

No threats detected
No debug info