analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0147911_Copy_of_Paid_Invoice_508.msg

Full analysis: https://app.any.run/tasks/f696929c-4539-402c-a3d2-587aa90242dc
Verdict: Malicious activity
Analysis date: June 27, 2022, 12:48:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

03D6E00BEE2C4C6DD0167587090155B4

SHA1:

C486C5ABC6386FECAE830A12A610938E7B9F78C9

SHA256:

9264FAB6DA8C0E00B09343B30AA976FA0CC0AC2D2F770EFA55C2E9A61822F5E8

SSDEEP:

3072:t00GOP2hqek3ouhOkM6/XLgsq/RvGCgoCq/Trck2j0Z4WOGl+tc3i:m0dJowfq/Qq/TrcZIZAGl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2920)

  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2920)

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3428)

  • INFO

    • Checks supported languages

      • OUTLOOK.EXE (PID: 2920)
      • iexplore.exe (PID: 2992)
      • iexplore.exe (PID: 3428)

    • Reads the computer name

      • OUTLOOK.EXE (PID: 2920)
      • iexplore.exe (PID: 2992)
      • iexplore.exe (PID: 3428)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2920)
      • iexplore.exe (PID: 3428)
      • iexplore.exe (PID: 2992)

    • Searches for installed software

      • OUTLOOK.EXE (PID: 2920)

    • Changes internet zones settings

      • iexplore.exe (PID: 2992)

    • Application launched itself

      • iexplore.exe (PID: 2992)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3428)
      • iexplore.exe (PID: 2992)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3428)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3428)
      • iexplore.exe (PID: 2992)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2992)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2992)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (50.8)
.oft | Outlook Form Template (29.7)
.doc | Microsoft Word document (old ver.) (13.6)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2920"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\0147911_Copy_of_Paid_Invoice_508.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2992"C:\Program Files\Internet Explorer\iexplore.exe" https://filliprre211.smb.page/C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3428"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2992 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
15 306
Read events
14 203
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
14
Text files
33
Unknown types
11

Dropped files

PID
Process
Filename
Type
2920OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRD6BF.tmp.cvr
MD5:
SHA256:
2920OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
3428iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8Fder
MD5:DF6DEECBA36F8D0AF53EAFA9C51AB1F7
SHA256:60D1053BDE5FBCA23ED8976F1EABAEE9C4BB459D9C997E5A76BB2182EE916D98
2920OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:33BBE22FACB3D590FD0A29CE76451631
SHA256:E238EEBF522E3A7B3CA33D9ACD541E448784BA5DB1A01A8ADF7C1901EB3050A5
3428iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:2BFDDF0808A13D62110549AFA5806221
SHA256:9AE7B9BF0C77BAB56AF749F23413C21DD0E4F7DFB2406EA0D9D59E9FCC4D3E85
2920OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{ED07D643-B0EC-48F6-A624-00F2CBBC621D}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
2920OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:E577D536818C537AA15088C0455F2209
SHA256:A295669BA6063DA6EB3C84AACDB5A62B7C9023E04A5B3A7E8D996F9DDBA739E5
2920OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_F3A98C2D41135F4BA47FA303AB7361CE.datxml
MD5:D8B37ED0410FB241C283F72B76987F18
SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
3428iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8Fbinary
MD5:149784CE891369A0935A19D376ED6E2D
SHA256:E338E67B19C2817AD9AB6488599A570689F4A0382379D37DD34B73C64023DB6A
3428iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\OR55YX59.htmhtml
MD5:2483D2C724931E4B65E596B5C0587886
SHA256:3271445AB31396DD24BC8459BA09D0467B04556EFA16FAEC93242F305583914C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
41
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3428
iexplore.exe
GET
200
108.138.2.195:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
US
der
1.70 Kb
whitelisted
3428
iexplore.exe
GET
200
142.250.185.227:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEAT%2FrubUb6nOEpcsoEFY3SI%3D
US
der
471 b
whitelisted
3428
iexplore.exe
GET
200
142.250.185.227:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
3428
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.78 Kb
whitelisted
3428
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5ed065676fdc1fe0
US
compressed
4.70 Kb
whitelisted
3428
iexplore.exe
GET
200
18.66.242.58:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
der
1.51 Kb
whitelisted
3428
iexplore.exe
GET
200
142.250.185.227:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
3428
iexplore.exe
GET
200
18.66.242.62:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D
US
der
1.39 Kb
shared
2992
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D
US
der
471 b
whitelisted
2992
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2920
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3428
iexplore.exe
172.67.223.147:443
filliprre211.smb.page
US
suspicious
192.168.100.2:53
whitelisted
3428
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3428
iexplore.exe
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
2992
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3428
iexplore.exe
142.250.185.72:443
www.googletagmanager.com
Google Inc.
US
suspicious
3428
iexplore.exe
18.66.242.62:80
ocsp.rootg2.amazontrust.com
Massachusetts Institute of Technology
US
whitelisted
3428
iexplore.exe
142.250.185.227:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2992
iexplore.exe
172.67.223.147:443
filliprre211.smb.page
US
suspicious

DNS requests

Domain
IP
Reputation
www.microsoft.com
whitelisted
config.messenger.msn.com
  • 64.4.26.155
whitelisted
filliprre211.smb.page
  • 172.67.223.147
  • 104.21.54.42
suspicious
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.22.200
  • 131.253.33.200
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted
media.cobiro.com
  • 52.222.214.18
  • 52.222.214.116
  • 52.222.214.9
  • 52.222.214.95
suspicious
www.googletagmanager.com
  • 142.250.185.72
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
0147911_Copy_of_Paid_Invoice_508.msg