File name: R Inserimenti sotto Terza variante met. Catania-Augusta .msg
Full analysis: https://app.any.run/tasks/7d24d2ce-11e6-4272-a103-66f15d4af6f2
Verdict: Malicious activity
Analysis date: September 30, 2020, 10:11:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: EE0121585C95302B61A91A7006C0F93A
SHA1: D792E6592DCA231FA7901EEB60EFA6A58AE239EE
SHA256: 97E3C0286FD1CC69D6DF7D56F078EC617180BE782A738596D7EC50599699E285
SSDEEP: 1536:BEoFL8tRnQsWpIEwW7VKs1wdXjbsBmWZjLE/ULri:fWnQnIoKs1wNjWri

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 1200)
  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 1200)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1200)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2140)
      • OUTLOOK.EXE (PID: 1200)
      • iexplore.exe (PID: 1148)
    • Application launched itself

      • iexplore.exe (PID: 2140)
    • Changes internet zones settings

      • iexplore.exe (PID: 2140)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2140)
    • Creates files in the user directory

      • iexplore.exe (PID: 2140)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1200)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2140)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1148)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start > outlook.exe > iexplore.exe > iexplore.exe

Process information

PID: 1200
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\R Inserimenti sotto Terza variante met. Catania-Augusta .msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Exit code: 0
Version: 14.0.6025.1000

PID: 2140
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Flondon.upopolis.com%2Fwp-content%2Fsites%2FN5HgzOGEOJ5cstyf%2F&data=02%7C01%7CCarloMaria.Caputi%40snam.it%7C7ee01c48f9954127acd608d8649ded6d%7C19646c181578452eb5fb8504eb919aaa%7C0%7C1%7C637369976757645488&sdata=xYmlF2WpXL2BUoEUG8SZeGdf%2F9Maw8cvJR1QRI7IX1c%3D&reserved=0
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1148
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2140 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 2 182
Read events: 1 522
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 14
Text files: 36
Unknown types: 8

Dropped files

PID | Process | Filename | Type
1200 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR763A.tmp.cvr | -
1148 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabAC00.tmp | -
1148 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarAC01.tmp | -
2140 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | -
1200 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
  MD5: 47D1AA7E6F7E6EA9A7626349382A920F
  SHA256: 082386B1ECCE544B2E73EF95A8F6389C226F0AF00212F8FDC121CEA03C5005DB
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\TarBC7C.tmp | -
1200 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: E9D7818D4F00D9C0C7BC9EE67DAA3371
  SHA256: CCD9D7FA700E8BBD925E500439E745B992EB8CC5BE0DD1302380607B21576D57
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].htm | -
1148 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | der
  MD5: 9D15BAEBA9F8618EF88F4EA27F887484
  SHA256: CDAE980735D0506AAF9479646444911A0FCDF2673E77C48EEEFD8AF8F9A3060E
1200 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A3CE7E91-2E29-4EA7-9874-40DDB02D5115}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image
  MD5: 4C61C12EDBC453D7AE184976E95258E1
  SHA256: 296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
HTTP(S) requests: 24
TCP/UDP connections: 30
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1200 | OUTLOOK.EXE | GET | - | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | - | - | whitelisted
1056 | svchost.exe | GET | 200 | 172.217.23.163:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D | US | der | 492 b | whitelisted
1056 | svchost.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 b | whitelisted
2140 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
2140 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
1056 | svchost.exe | GET | 200 | 104.18.25.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIGkp0%2Fv9GUvNUu1EP06Tu7%2BChyAQUkZ47RGw9V5xCdyo010%2FRzEqXLNoCEyAAASWxwt68EQiA3cUAAAABJbE%3D | US | der | 1.75 Kb | whitelisted
1056 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D | US | der | 471 b | whitelisted
2140 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
1056 | svchost.exe | GET | 200 | 23.55.161.142:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.5 Kb | whitelisted
1056 | svchost.exe | GET | 304 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2140 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
1200 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
1056 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1148 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1148 | iexplore.exe | 104.47.9.28:443 | eur03.safelinks.protection.outlook.com | Microsoft Corporation | US | whitelisted
2140 | iexplore.exe | 104.47.9.28:443 | eur03.safelinks.protection.outlook.com | Microsoft Corporation | US | whitelisted
1056 | svchost.exe | 172.217.23.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
1056 | svchost.exe | 2.16.186.74:80 | crl.microsoft.com | Akamai International B.V. | - | whitelisted
2140 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1056 | svchost.exe | 23.55.161.142:80 | www.download.windowsupdate.com | Akamai International B.V. | US | suspicious

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
eur03.safelinks.protection.outlook.com | 104.47.9.28, 104.47.8.28 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
api.bing.com | 13.107.13.80 | whitelisted
crl.microsoft.com | 2.16.186.74, 2.16.186.120 | whitelisted
ocsp.msocsp.com | 104.18.25.243, 104.18.24.243 | whitelisted
ocsp.pki.goog | 172.217.23.163 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted

Threats

No threats detected

Debug info

No debug info