analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Shipping Documents For Consignee. - Alison_Baker.msg

Full analysis: https://app.any.run/tasks/f9d7387d-45a1-49b8-a0f5-4a6b901cdf27
Verdict: Malicious activity
Analysis date: March 31, 2020, 05:20:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

A9940F825BE8008EA73E369124042AA9

SHA1:

3510BA26FFB351ADAD759C7FAEFA932158777C88

SHA256:

92D85B2E56A8329D3F2835C651FDD4C478D58B2C1FFF4EAB3DD76D242E7EA50B

SSDEEP:

3072:0rNL9PiP59PiP5hBFs2RIzH9pJjfYC6ei4:uNL1w51wn3sjHTJDN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 1720)

  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 1720)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1720)

  • INFO

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 1720)
      • iexplore.exe (PID: 2676)
      • iexplore.exe (PID: 4092)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1720)

    • Application launched itself

      • iexplore.exe (PID: 2676)

    • Changes internet zones settings

      • iexplore.exe (PID: 2676)

    • Reads internet explorer settings

      • iexplore.exe (PID: 4092)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2676)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2676)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1720"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Shipping Documents For Consignee. - Alison_Baker.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2676"C:\Program Files\Internet Explorer\iexplore.exe" https://cogisrc53.com/wp-content/maerskline/maersk/[email protected]C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
4092"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2676 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
5 196
Read events
1 239
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
33
Unknown types
1

Dropped files

PID
Process
Filename
Type
1720OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR6AB8.tmp.cvr
MD5:
SHA256:
2676iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1720OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:00CD252F38ACD256E3733776BC2E36A8
SHA256:E2B41018EE583B3108A5CFBD93F1B8E86442C8B94F7AA445CC8B66831E295710
1720OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:2C87BCBD790E783B601DF7BF4905886C
SHA256:6E36FA7A5B6AAAD22FAD27B270D48F79BE2366F266F3BE98DE72E9E8B1C89DB7
1720OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4705D85D.datimage
MD5:C601254F5AA59F7C8F0AA54AB3113E4E
SHA256:84D8D744CFDC99289D80DBF35E6DFBE0FF80F0334D37556E711E0F8DAC659F57
1720OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\425F1ECC.datimage
MD5:DF5E7C0959C50413CD1A90A0497406BB
SHA256:AB446C13F2D2D155BA2BC8308737D83D4BD2113FEC59BE4D843D3E3D1FFB31BA
4092iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\errorPageStrings[1]text
MD5:E3E4A98353F119B80B323302F26B78FA
SHA256:9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66
1720OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:48DD6CAE43CE26B992C35799FCD76898
SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
1720OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E519D7C6-CB48-4379-9F5B-B2B6D6F8F340}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
1720OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_77E4A75C491E2E4DBFA1CF4F276AA23B.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
12
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2676
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2676
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1720
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
4092
iexplore.exe
145.239.234.101:443
cogisrc53.com
OVH SAS
DE
suspicious
2676
iexplore.exe
72.21.81.200:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
cogisrc53.com
  • 145.239.234.101
suspicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 72.21.81.200
whitelisted

Threats

PID
Process
Class
Message
4092
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
4092
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Shipping Documents For Consignee. - Alison_Baker.msg