File name: message (32).eml
Full analysis: https://app.any.run/tasks/314c6966-29b8-427a-a894-83168d748653
Verdict: Malicious activity
Analysis date: August 12, 2022, 16:24:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5: EF21F3FA6F64FC478A76E0CF8A1F7E2D
SHA1: B1A64FB66770B5E10D661933EE94699ED7AF6B6F
SHA256: 86A89A85B23C8D43C2535030CCF6CD3B276FA463BC7AEC639B1080198A09F09F
SSDEEP: 3072:pzcM6W8I4WM8TcV8nSW1Tw/4DN5ICoAG8k8q1u:pzcM6ANTm4DzoJ84u
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks supported languages

      • OUTLOOK.EXE (PID: 3476)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 3476)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 3476)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3228)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 1432)
      • iexplore.exe (PID: 3228)
    • Checks supported languages

      • iexplore.exe (PID: 1432)
      • iexplore.exe (PID: 3228)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 1432)
    • Changes internet zones settings

      • iexplore.exe (PID: 1432)
    • Application launched itself

      • iexplore.exe (PID: 1432)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3476)
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
Screenshots: available in the full report.
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> outlook.exe -> iexplore.exe (no specs) -> iexplore.exe

Process information

PID: 3476
CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\message (32).eml"
Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 1432
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.dropbox.com%2Fscl%2Ffi%2Fwg2u64p9gg53bcda16gzd%2FYou-have-been-invited-you-to-view-the-folder-%25E2%2580%259CPO48993_49110%2522.paper%3Fdl%3D0%26rlkey%3Drls1740uy7srqs62ao8k12usp&data=05%7C01%7Cabigail.vanek%40assaabloy.com%7Ca9d0992d46dd4690db7a08da7c7aa88c%7Cf0bdc1c951484f86ac40edd976e1814c%7C0%7C0%7C637959163500127851%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=3tmBFSe%2FdSVuMMPRNEZXXEZBVIS79HEA6iqXhE6X9m8%3D&reserved=0
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3228
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1432 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
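The iexplore.exe command line above shows only the Microsoft Safe Links wrapper; the real destination (a Dropbox shared document named to look like a purchase order) and the routing metadata are buried in the `url` and `data` query parameters, and the lure filename is percent-encoded twice. The Python below is an added example for this report, not code from ANY.RUN or from the sample; it unwraps that exact command line. The meaning assigned to the pipe-separated `data` fields (recipient address, tenant id, a base64 "Mailflow" blob) is inferred from this one sample and is an assumption, not a documented Microsoft format.

```python
"""Unwrap the Safe Links URL that OUTLOOK.EXE (PID 3476) passed to iexplore.exe (PID 1432)."""
import base64
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Argument of iexplore.exe (PID 1432), copied verbatim from the report's process table.
SAFELINKS_URL = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fwww.dropbox.com%2Fscl%2Ffi%2Fwg2u64p9gg53bcda16gzd%2F"
    "You-have-been-invited-you-to-view-the-folder-%25E2%2580%259CPO48993_49110%2522.paper"
    "%3Fdl%3D0%26rlkey%3Drls1740uy7srqs62ao8k12usp"
    "&data=05%7C01%7Cabigail.vanek%40assaabloy.com%7Ca9d0992d46dd4690db7a08da7c7aa88c"
    "%7Cf0bdc1c951484f86ac40edd976e1814c%7C0%7C0%7C637959163500127851%7CUnknown"
    "%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D"
    "%7C0%7C%7C%7C&sdata=3tmBFSe%2FdSVuMMPRNEZXXEZBVIS79HEA6iqXhE6X9m8%3D&reserved=0"
)

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def unwrap_safelinks(wrapped: str) -> dict:
    """Return the real target and the metadata carried by a Safe Links wrapper URL."""
    outer = urlsplit(wrapped)
    host = outer.hostname or ""
    if not (host == SAFELINKS_SUFFIX[1:] or host.endswith(SAFELINKS_SUFFIX)):
        raise ValueError(f"not a Safe Links wrapper: {host!r}")

    # parse_qs applies one layer of percent-decoding to every parameter value.
    params = parse_qs(outer.query, keep_blank_values=True)
    target = params["url"][0]
    inner = urlsplit(target)

    # The lure filename was encoded a second time (%25E2%2580%259C -> %E2%80%9C),
    # so the last path segment still needs its own unquote().
    lure_name = unquote(inner.path.rsplit("/", 1)[-1])

    # Assumption (inferred from this sample only): `data` is a pipe-separated record
    # whose fields include the recipient, a tenant GUID and a base64 "Mailflow|{json}" blob.
    data_fields = params.get("data", [""])[0].split("|")
    telemetry, client = "", {}
    for field in data_fields:
        try:
            decoded = base64.b64decode(field, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.startswith("Mailflow|"):
            telemetry = decoded
            client = json.loads(decoded.split("|", 1)[1])
            break

    return {
        "target": target,
        "host": inner.hostname,
        "lure_name": lure_name,
        "target_query": {k: v[0] for k, v in parse_qs(inner.query).items()},
        "data_fields": data_fields,
        "telemetry": telemetry,
        "client": client,
    }


if __name__ == "__main__":
    for key, value in unwrap_safelinks(SAFELINKS_URL).items():
        print(f"{key}: {value}")
```

The host check accepts any regional Safe Links front end (nam02, eur01, and so on) but nothing else, so a lookalike domain that merely contains the string is rejected. Dropbox `rlkey` values are per-share secrets; treat the decoded target as an IOC in its own right, separate from the wrapper, since the wrapper host is Microsoft's and will always resolve as whitelisted.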
Total events: 5 715
Read events: 5 068
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 4
Text files: 11
Unknown types: 5

Dropped files

PID 3476, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRD576.tmp.cvr
Type: (none recorded)
MD5: (none recorded)
SHA256: (none recorded)

PID 3476, OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
Type: (none recorded)
MD5: (none recorded)
SHA256: (none recorded)

PID 3476, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Type: pgc
MD5: 2C096D1B1197BB2B80EC8FBCC82C9A61
SHA256: 77E6680A567EC4923AB4917F463C0E373A254B71212C48DE4729EE132E5134E9

PID 1432, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{5ABEFACC-1A5B-11ED-8C90-12A9866C77DE}.dat
Type: binary
MD5: FDC5A8930107A6E91ADE23179CD7D500
SHA256: 98F97FECACA7379F59013E85BA9CD2A2B91455C4A205E23314C992DF256BC2CC

PID 3476, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_0F4E5D4D2EC63D499377E8DDECBB22EB.dat
Type: xml
MD5: B21ED3BD946332FF6EBC41A87776C6BB
SHA256: B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4

PID 1432, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF02429B0953C8E6BE.TMP
Type: gmc
MD5: 9F40BD0B054E107DFE6A331D3D050C6C
SHA256: 95BD445237E42ED04D53817C786131149B5097F2C69AE2BC545DFF1C0181198A

PID 3476, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
Type: text
MD5: 3ACEFE4A931AC8B5860474451757BF15
SHA256: 906794B9B500E37E1754D465EFB8C1C1BE167FCD901ABB22B91BFAC8A0ECDF83

PID 1432, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{5ABEFACB-1A5B-11ED-8C90-12A9866C77DE}.dat
Type: binary
MD5: C88FC288C089177A2A36AA29FC70CD36
SHA256: 46877117CC254040AF402A045F6B3AAC9D6904781C6027E57F26228D5DB70242

PID 1432, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{42C873D0-1D90-11EB-BA2C-12A9866C77DE}.dat
Type: binary
MD5: A20EA53095CAF3CC82DB817EEFCBBEC3
SHA256: 3BE49E16CCD07476C2F192231342FC30509C3FF8156E54D681A09FCE43A773BE

PID 1432, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFC7CCC565641CAAB5.TMP
Type: gmc
MD5: E8E91B440F068D9A4C2C03F306254D37
SHA256: 96B1708BE93854BF82B7F904C4E9FA4C01E59F213DED244CF8B7291294FDFF68
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process       IP                Domain                                   ASN                    CN  Reputation
3476  OUTLOOK.EXE   64.4.26.155:80    config.messenger.msn.com                 Microsoft Corporation  US  whitelisted
3228  iexplore.exe  104.47.56.28:443  nam02.safelinks.protection.outlook.com   Microsoft Corporation  US  suspicious

DNS requests

Domain                                   IP             Reputation
config.messenger.msn.com                 64.4.26.155    whitelisted
nam02.safelinks.protection.outlook.com   104.47.56.28   whitelisted
                                         104.47.51.28

Threats

No threats detected
No debug info