analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

873d1032-4c19-43e8-baa9-08da39abc28d_757e76fa-5408-1010-9ac8-27c591dc94c9.eml

Full analysis: https://app.any.run/tasks/680e11af-1bfe-4cf8-a82e-b541d42230b7
Verdict: Malicious activity
Analysis date: May 20, 2022, 21:08:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

996AABC68935748DE2440308A8ED5E4B

SHA1:

33101C1D94142FDDD9CA1F32234DB7744F3879E6

SHA256:

8AE59D38D9D584BEA1C78B4EAC3E7DA4849D8A5C6D75DE699E929B495971FB94

SSDEEP:

12288:E37F1YFpN/1yfDOpdY33ddy7lo2/cC8i9aedBDgNwc7Lv2qdw:E3PYLNiDuuym2/cCVaefpApdw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Checks supported languages

      • OUTLOOK.EXE (PID: 2228)

    • Reads the computer name

      • OUTLOOK.EXE (PID: 2228)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2228)

    • Searches for installed software

      • OUTLOOK.EXE (PID: 2228)

    • Executed via COM

      • prevhost.exe (PID: 2860)

  • INFO

    • Reads the computer name

      • AcroRd32.exe (PID: 2312)
      • prevhost.exe (PID: 2860)
      • AcroRd32.exe (PID: 880)

    • Checks supported languages

      • prevhost.exe (PID: 2860)
      • AcroRd32.exe (PID: 2312)
      • AcroRd32.exe (PID: 880)

    • Application launched itself

      • AcroRd32.exe (PID: 2312)

    • Searches for installed software

      • AcroRd32.exe (PID: 2312)
      • AcroRd32.exe (PID: 880)

    • Reads CPU info

      • AcroRd32.exe (PID: 880)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe prevhost.exe no specs acrord32.exe no specs acrord32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2228"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\873d1032-4c19-43e8-baa9-08da39abc28d_757e76fa-5408-1010-9ac8-27c591dc94c9.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2860C:\Windows\system32\prevhost.exe {DC6EFB56-9CFA-464D-8880-44885D7DC193} -EmbeddingC:\Windows\system32\prevhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Preview Handler Surrogate Host
Version:
6.1.7601.17562 (win7sp1_gdr.110217-1504)
2312"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /b /id 2860_1941984719 /if pdfshell_prev8dee5b55-067f-43ae-867d-db8975befdc9C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeprevhost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
880"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /b /id 2860_1941984719 /if pdfshell_prev8dee5b55-067f-43ae-867d-db8975befdc9C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
Total events
5 091
Read events
4 493
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
12
Unknown types
1

Dropped files

PID
Process
Filename
Type
2228OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR96B9.tmp.cvr
MD5:
SHA256:
2228OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
2228OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:C8A70059A41407B1AFCADCC722415B9E
SHA256:3F9FA8EF1AE3513F68686D6D7C1729A03250DC3091A4A099786AF77B1240448E
2228OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmp9831.tmpbinary
MD5:CEE403E51855C662B2C637E4835B4ACD
SHA256:D75CD5B6929B0EEC4D198515B34178BB2A23947F8C0B118D21156F051D526D0D
2228OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:FC526AD47FF393356123269692CBEEAA
SHA256:F5F4D0E44E4B183DE3A34150910B8367D4AC1E25D6F29CFEBE4CBA0A36FAF259
2228OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_44D017059B758547A7290A45BCB7C339.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
2228OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\FK3E2PBN\Buscar.pdfpdf
MD5:F21BAF045FF0846D9052AA790AF08544
SHA256:207EC86DD646CEF8E8890A5EC6618B024C4ACB6B1FB2FF7DB0F6919DB41D1F56
2228OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4B0074EF-E5E4-41DB-9912-759FB1C3A29E}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
2228OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
2228OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\FK3E2PBN\Buscar (2).pdfpdf
MD5:F21BAF045FF0846D9052AA790AF08544
SHA256:207EC86DD646CEF8E8890A5EC6618B024C4ACB6B1FB2FF7DB0F6919DB41D1F56
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2228
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2228
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
873d1032-4c19-43e8-baa9-08da39abc28d_757e76fa-5408-1010-9ac8-27c591dc94c9.eml