analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Email4761962204771973903.eml

Full analysis: https://app.any.run/tasks/c6045922-15b8-450d-981a-ad58dc94fc8e
Verdict: Malicious activity
Analysis date: September 30, 2020, 08:54:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

7E0635593C126E7A8DAFEF2F43C3B1FE

SHA1:

C5772A5B351323615F365E3C73F71C137360103E

SHA256:

94A4CA1AB37681AF0FF20C37F08023EFF2797BEC4A65AD141F893DC9B7C29718

SSDEEP:

768:3wLC/WgpWqI0YwGRAkJPVBYs5aMC43o5LY8iE:3wLC/ZYwAdBt5aq4qbE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executed via COM

      • OUTLOOK.EXE (PID: 3784)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2580)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2580)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2580)
  • INFO

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3784)
      • OUTLOOK.EXE (PID: 2580)
    • Application launched itself

      • iexplore.exe (PID: 1964)
      • iexplore.exe (PID: 3552)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3332)
      • iexplore.exe (PID: 1964)
      • iexplore.exe (PID: 3552)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1964)
      • iexplore.exe (PID: 3332)
      • iexplore.exe (PID: 3552)
      • iexplore.exe (PID: 1832)
    • Changes internet zones settings

      • iexplore.exe (PID: 1964)
      • iexplore.exe (PID: 3552)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3332)
      • iexplore.exe (PID: 1832)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1964)
      • iexplore.exe (PID: 3552)
    • Creates files in the user directory

      • iexplore.exe (PID: 1964)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1964)
      • iexplore.exe (PID: 3552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
6
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start outlook.exe outlook.exe no specs iexplore.exe iexplore.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2580"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Email4761962204771973903.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3784"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\OUTLOOK.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
1964"C:\Program Files\Internet Explorer\iexplore.exe" https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fourlittlesecret.com.au%2Fh%2FbXBhZ3Vhc0Bzb25hZXNyLmNvbQ%3D%3D&data=02%7C01%7Cmpaguas%40sonaemc.com%7C6c6eae13cb1945a6eb8b08d865191168%7C5757a8da047746d4bc8ab0feabdcc71a%7C0%7C1%7C637370505630561656&sdata=I0bXVmTLd%2FRuw4IVtIPslNxzrD1N%2FSzIzNccMgMtwms%3D&reserved=0C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3332"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1964 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3552"C:\Program Files\Internet Explorer\iexplore.exe" https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fourlittlesecret.com.au%2Fh%2FbXBhZ3Vhc0Bzb25hZXNyLmNvbQ%3D%3D&data=02%7C01%7Cmpaguas%40sonaemc.com%7C6c6eae13cb1945a6eb8b08d865191168%7C5757a8da047746d4bc8ab0feabdcc71a%7C0%7C1%7C637370505630561656&sdata=I0bXVmTLd%2FRuw4IVtIPslNxzrD1N%2FSzIzNccMgMtwms%3D&reserved=0C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1832"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3552 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
2 674
Read events
1 926
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
43
Text files
46
Unknown types
22

Dropped files

PID
Process
Filename
Type
2580OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR7903.tmp.cvr
MD5:
SHA256:
3784OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRBADE.tmp.cvr
MD5:
SHA256:
3332iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabDB90.tmp
MD5:
SHA256:
3332iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarDB91.tmp
MD5:
SHA256:
2580OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:BF48032AE018DC46021CA2405C88819D
SHA256:5FF4311CB18D93BF833D52715049EA53FE609AF588615DB80CB5B3CC8381A7B8
2580OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:9F497BA567E1DE91B0A929825EEE1049
SHA256:0B357E92C030DC9D09EFBD16A1973E149C8A37674FAF170559872445AA27574A
2580OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F694A170.datimage
MD5:886BA41DA68715B03A85CBC74751ED05
SHA256:A757809EDC985907314EACD5F44623A9BB679FDDAE5A90FEC7029B598A439245
3332iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49der
MD5:9D15BAEBA9F8618EF88F4EA27F887484
SHA256:CDAE980735D0506AAF9479646444911A0FCDF2673E77C48EEEFD8AF8F9A3060E
2580OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\92BC38FE.datimage
MD5:886BA41DA68715B03A85CBC74751ED05
SHA256:A757809EDC985907314EACD5F44623A9BB679FDDAE5A90FEC7029B598A439245
3332iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49binary
MD5:FD9E4D71AC3CB0EEA66CB200A4C43C68
SHA256:13E3743BFF3D3B3534E8C5B01B3333E9D880324A2FE104131063C13D4A32D0D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
44
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2580
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3332
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEGIzD2spy7RpWovXWZwoTNM%3D
US
der
471 b
whitelisted
3332
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D
US
der
471 b
whitelisted
3332
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D
US
der
471 b
whitelisted
3332
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY
US
der
728 b
whitelisted
3332
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D
US
der
471 b
whitelisted
3332
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D
US
der
471 b
whitelisted
3332
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
3332
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEGIzD2spy7RpWovXWZwoTNM%3D
US
der
471 b
whitelisted
3332
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCoziyTHasflwIAAAAAekur
US
der
472 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3332
iexplore.exe
142.250.74.195:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2580
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3332
iexplore.exe
151.139.128.14:80
ocsp.comodoca.com
Highwinds Network Group, Inc.
US
suspicious
3332
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3332
iexplore.exe
172.217.23.131:443
fonts.gstatic.com
Google Inc.
US
whitelisted
3332
iexplore.exe
27.121.67.118:443
ourlittlesecret.com.au
NetRegistry Pty Ltd.
AU
unknown
3332
iexplore.exe
172.217.21.227:443
www.gstatic.com
Google Inc.
US
whitelisted
3332
iexplore.exe
216.58.208.36:443
www.google.com
Google Inc.
US
whitelisted
1964
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3332
iexplore.exe
104.47.1.28:443
eur01.safelinks.protection.outlook.com
Microsoft Corporation
AT
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
eur01.safelinks.protection.outlook.com
  • 104.47.1.28
  • 104.47.0.28
  • 104.47.2.28
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ourlittlesecret.com.au
  • 27.121.67.118
unknown
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.comodoca.com
  • 151.139.128.14
whitelisted
noosahealth.com
  • 103.13.103.135
unknown
www.google.com
  • 216.58.208.36
whitelisted
ocsp.pki.goog
  • 142.250.74.195
whitelisted

Threats

No threats detected
No debug info