File name: md50000004866.eml.msg

Full analysis: https://app.any.run/tasks/ffe42d6e-4c7a-4415-99ca-acda05de257b
Verdict: Malicious activity
Analysis date: May 20, 2019, 13:14:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: C4096E6A84929D36807726F8D2EAEED3
SHA1: AF4084C81FF0D5DAC4BA6D19E6BA406C46FC3A8E
SHA256: 9AA8D2F983A98CD52EB2805F8EA4E577F2A6EAFE8422452C67F22D3668D6735C
SSDEEP: 768:gcOiIy6mI/sLJqinXrHywsyalQyDi8xKesb8Ys0riF8p6C+vmF6Dk4WHT:My6kJqinXrRkhsiMJphH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 1260)
  • SUSPICIOUS
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 1260)
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 1260)
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 1260)
    • Low-level read access rights to disk partition
      • msconfig.exe (PID: 3104)
  • INFO
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 1260)
    • Application launched itself
      • iexplore.exe (PID: 3124)
    • Creates files in the user directory
      • iexplore.exe (PID: 2960)
      • iexplore.exe (PID: 3124)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2960)
    • Changes internet zones settings
      • iexplore.exe (PID: 3124)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2960)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3124)
    • Manual execution by user
      • msconfig.exe (PID: 2720)
      • msconfig.exe (PID: 3104)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3124)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3124)
More information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix is available in the full report.
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Process nodes: start, outlook.exe, iexplore.exe, iexplore.exe, msconfig.exe (no specs), msconfig.exe

Process information

PID: 1260
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\md50000004866.eml.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 3124
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://onedrive.live.com/download?cid=E9A4ABA28EDB0B05&resid=E9A4ABA28EDB0B05%21113&authkey=AHczx7_xHaiofEs
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2960
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3124 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2720
CMD: "C:\Windows\system32\msconfig.exe"
Path: C:\Windows\system32\msconfig.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: System Configuration Utility
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3104
CMD: "C:\Windows\system32\msconfig.exe"
Path: C:\Windows\system32\msconfig.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: System Configuration Utility
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 644
Read events: 1 165
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 50
Unknown types: 5

Dropped files

PID | Process | Filename | Type

1260 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRD3.tmp.cvr |
MD5:
SHA256:

1260 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2BACE9E4.dat | image
MD5: 2C356E9D6D278AE0E291741296C7C63D
SHA256: 63B06EDD5108FD5F6BF4DC256E142F43CA0BC8F63AF8271282E089912A6B3147

3124 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico |
MD5:
SHA256:

2960 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat
MD5: 5461DB2396F9935AE2425C763D955710
SHA256: 9BB7C4C16CE99BACC4E74B96BB92879B3E78B7F71C5B67921369880F61746A3F

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico |
MD5:
SHA256:

1260 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text
MD5: 48DD6CAE43CE26B992C35799FCD76898
SHA256: 7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A

1260 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
MD5: 9EA14B48FE78CD127212633EDC2EE112
SHA256: 262D224639044B81C7759ECB3D199920E0BF6A45C2A251B8D586BA8071212777

1260 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text
MD5: 90A4705E393C3C9AB2F7D0A0032AEA9C
SHA256: 9051921AE7B0554D35D3F669FF992454C8E66B61E1A08F970882772F9A63C643

1260 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A594E7B2-4869-4739-8D5E-1BDFA554658A}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image
MD5: 7D80C0A7E3849818695EAF4989186A3C
SHA256: 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597

1260 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_ADEEFC7FE1EA084BABF6F6677B684646.dat | xml
MD5: 57F30B1BCA811C2FCB81F4C13F6A927B
SHA256: 612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3
The PCAP download, network stream analysis, HTTP content and more are available in the full report.
HTTP(S) requests: 2
TCP/UDP connections: 12
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1260 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
3124 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3124 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2960 | iexplore.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious
1260 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
| | 2.19.37.83:443 | p.sfx.ms | Akamai International B.V. | | whitelisted
2960 | iexplore.exe | 2.16.186.40:443 | spoprod-a.akamaihd.net | Akamai International B.V. | | whitelisted
| | 2.16.186.40:443 | spoprod-a.akamaihd.net | Akamai International B.V. | | whitelisted
3124 | iexplore.exe | 2.19.37.83:443 | p.sfx.ms | Akamai International B.V. | | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
onedrive.live.com | 13.107.42.13 | shared
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
spoprod-a.akamaihd.net | 2.16.186.40, 2.16.186.25 | whitelisted
p.sfx.ms | 2.19.37.83 | whitelisted

Threats

No threats detected
No debug info