analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | COH_label_pin_.eml |
| Full analysis: | https://app.any.run/tasks/4da2929e-ce08-4032-877d-240afc44f884 |
| Verdict: | Malicious activity |
| Analysis date: | March 31, 2023, 19:27:00 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MIME: | message/rfc822 |
| File info: | RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators |
| MD5: | 94CB68F7AE0F0A814774520056333EB6 |
| SHA1: | 1D4083B3504DF243DA42A00F00E8EC964B369BB3 |
| SHA256: | 926F94681AC18179835778C5301CDB2AC2E6983057A42B7CF87D71A3DF499A73 |
| SSDEEP: | 49152:GPt8jWxRx2Ialm869K7BplWNtr6N6wBos1:b |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads the Internet Settings
- OUTLOOK.EXE (PID: 2368)
Searches for installed software
- OUTLOOK.EXE (PID: 2368)
INFO
Checks supported languages
- OUTLOOK.EXE (PID: 2368)
Reads the computer name
- OUTLOOK.EXE (PID: 2368)
Reads Microsoft Office registry keys
- OUTLOOK.EXE (PID: 2368)
The process checks LSA protection
- OUTLOOK.EXE (PID: 2368)
Create files in a temporary directory
- OUTLOOK.EXE (PID: 2368)
Checks proxy server information
- OUTLOOK.EXE (PID: 2368)
Reads the machine GUID from the registry
- OUTLOOK.EXE (PID: 2368)
Creates files or folders in the user directory
- OUTLOOK.EXE (PID: 2368)
Process checks computer location settings
- OUTLOOK.EXE (PID: 2368)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .eml | | | E-Mail message (Var. 5) (100) |
|---|
Total processes
37
Monitored processes
1
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2368 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\COH_label_pin_.eml" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
Total events
7 678
Read events
6 930
Write events
710
Delete events
38
Modification events
| (PID) Process: | (2368) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (2368) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: On | |||
| (PID) Process: | (2368) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1046 |
Value: On | |||
| (PID) Process: | (2368) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1036 |
Value: On | |||
| (PID) Process: | (2368) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1031 |
Value: On | |||
| (PID) Process: | (2368) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1040 |
Value: On | |||
| (PID) Process: | (2368) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1049 |
Value: On | |||
| (PID) Process: | (2368) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 3082 |
Value: On | |||
| (PID) Process: | (2368) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1042 |
Value: On | |||
| (PID) Process: | (2368) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1055 |
Value: On | |||
Executable files
0
Suspicious files
6
Text files
26
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2368 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRFADB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2368 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
| 2368 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp3D.tmp | binary | |
MD5:56874A4D9AE99B764FBA3DBFC898A9F7 | SHA256:0EBB1B5481E81194D21E2BD837684D9DB4B1A9660AF6D7FDF6B767D4FAC869D9 | |||
| 2368 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp1D.tmp | binary | |
MD5:8C2FED5339C7153B3901B5BAFA4E75F0 | SHA256:D4AA925E286DE8557CF4941FD90E289DC720EECACEA212AC405B2E7D828A51C6 | |||
| 2368 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5A8680BE.dat | image | |
MD5:23C78DDBD55C57C9B4B09D68FF65147E | SHA256:3BD19DF8932B60E76004E6B542BDE9821D29DDB82FFDFBC466463A87ABCB37F7 | |||
| 2368 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:6F00380D9BACD03AC3860E196F9270EA | SHA256:6C2BF365D37CF5FD8B4442BDB5F01C1576DA5A5DD2AC310F86CF092C82B9D75A | |||
| 2368 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:2D58C0CCB36BED6855F408790BBCF71D | SHA256:38A4435F8D9D47B58C6EACCF79D5B623C22213E64CC07F2C21AADCB399B31161 | |||
| 2368 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\11220971.dat | image | |
MD5:3A0D1B268CFC045D1ACD7BD35F2CFFD7 | SHA256:CCBDBBDF5DEDC39E320F17CD94122F5D0DDAD6E4259FDA216FA1B142B5DD7403 | |||
| 2368 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmpFCC1.tmp | binary | |
MD5:BEFBB388150E130C0E2ADA0F876F0734 | SHA256:D86BC2CD3D5087850AF2A3E5299A9675EE60316FF9E7DF323FC91D03D021EE6C | |||
| 2368 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{222228AC-A947-4947-AD3A-80BD230AE963}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:4C61C12EDBC453D7AE184976E95258E1 | SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2368 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2368 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.messenger.msn.com |
| whitelisted |