File name: You [email protected] receieved a shared document.msg
Full analysis: https://app.any.run/tasks/3ccc5562-85bb-415e-a476-4f32c6d900c4
Verdict: Malicious activity
Analysis date: June 27, 2022, 07:43:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 8B9ADCD216D74E0070512FD5962ACB53
SHA1: 03146C38927B4624EA5405274A567092B9E5489E
SHA256: 9CE399566653A8D17627F3B45E2CFBBEF7651DE4E76553D4E33696A15DBADFC0
SSDEEP: 768:ipfbJX1sKtsKRGLHjxJvUf0Qd3SelCGpmb01rffwG4eX:irX1VsJMf0Qd3SelCGpm0w6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 696)
  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 696)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1648)
  • INFO

    • Reads the computer name

      • OUTLOOK.EXE (PID: 696)
      • iexplore.exe (PID: 2480)
      • iexplore.exe (PID: 1648)
    • Checks supported languages

      • OUTLOOK.EXE (PID: 696)
      • iexplore.exe (PID: 2480)
      • iexplore.exe (PID: 1648)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 696)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 696)
    • Application launched itself

      • iexplore.exe (PID: 2480)
    • Changes internet zones settings

      • iexplore.exe (PID: 2480)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1648)
      • iexplore.exe (PID: 2480)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2480)
      • iexplore.exe (PID: 1648)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 696)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Explorer.EXE -> OUTLOOK.EXE (PID 696) -> iexplore.exe (PID 2480) -> iexplore.exe (PID 1648)

Process information

PID 696, OUTLOOK.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\You [email protected] receieved a shared document.msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Outlook
  Version: 14.0.6025.1000

PID 2480, iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://u27450775.ct.sendgrid.net/ls/click?upn=XbYMJcAS8Q0fgcw-2Bg1ATKTeSxfMeUmN6KNOC6Wh4YU3DVQB0qeHChv6cI2WROJII3C-2FcaRQwT7mqOFjrz4213BuY0BqaxszCRT3PCZeTOTYdg1T75c6DjN1mX5b9TZD70xc2GJFmkva-2F1kKVJTt7XA-3D-3D2DOo_QxExAhMclvv1bul8mqbZ76V1fEF6A5uzbK-2Fa0-2BSun3FIAZxkWZF4TnV9IMFtlznjl4oAO2DGq8s5fEaVeU-2BPMNeTJrTn-2BtKsZUA8boXPlR7whbf9xX3dVKZijLDYsg7BvDtpkEFmXzM3KYWR0758KYhhjKh7aUDUof2XTahuIvLiLJGMn8azvThWLdShEFBWEy-2Bu4sVYNey4xvdkgVfuTz6tOBd5Og4E8xyH8KDNcww-3D
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 1648, iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
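The process table above is the whole basis of the MALICIOUS verdict: the single malicious signature, "Unusual execution from Microsoft Office", is OUTLOOK.EXE (PID 696) starting iexplore.exe (PID 2480) with the SendGrid click-tracking URL on its command line. The second iexplore.exe (PID 1648, integrity LOW, SCODEF:2480 on its command line) is IE's protected-mode content process started by the first one, which is what the "Application launched itself" entry records. In an interactive sandbox that chain is exactly what an analyst clicking the link in the opened message produces, so the signature shows that the message carries a tracked link, not that it exploits Outlook; the report's own disclaimer about user actions applies. The triage below is an added example and not ANY.RUN's code: it takes process-creation records constructed from this table (PIDs, image paths, command lines and integrity levels copied from it; Explorer's PID is not in the report and is assumed; the long upn= value is truncated), flags every child of an Office process, grades a browser child carrying a URL lower than a script-host child, defangs the URLs it finds, and tags hosts under ct.sendgrid.net as click-tracking redirectors, since the lure's real destination sits behind that redirect and is not in this report.

```python
"""Process-tree triage for a sandbox run: flag children spawned by an Office
process, pull URLs out of their command lines and defang them.

Added example, not ANY.RUN code.  RECORDS is constructed from the process
table of this report; EXPLORER_PID is an assumption (the report does not give
it) and the SendGrid URL is truncated."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str
    integrity: str


EXPLORER_PID = 1000  # assumption: Explorer's PID is not in the report
RECORDS = [
    Proc(EXPLORER_PID, 0, r"C:\Windows\Explorer.EXE", "Explorer.EXE", "MEDIUM"),
    Proc(696, EXPLORER_PID, r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f '
         r'"C:\Users\admin\AppData\Local\Temp\You [email protected] receieved a shared document.msg"',
         "MEDIUM"),
    Proc(2480, 696, r"C:\Program Files\Internet Explorer\iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" '
         "https://u27450775.ct.sendgrid.net/ls/click?upn=XbYMJcAS8Q0fgcw-2Bg1ATKTeSxfMeUmN6KNOC6Wh4YU3D",  # truncated
         "MEDIUM"),
    Proc(1648, 2480, r"C:\Program Files\Internet Explorer\iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2480 CREDAT:267521 /prefetch:2',
         "LOW"),
]

OFFICE = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Children that mean code execution rather than a link click.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
URL_RE = re.compile(r"""https?://[^\s"']+""")
TRACKER_SUFFIXES = (".ct.sendgrid.net",)  # email-service click-tracking redirectors


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, whichever slash it uses."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def defang(url: str) -> str:
    """hxxps://host[.]tld/path?query, safe to paste into a ticket."""
    u = urlsplit(url)
    scheme = u.scheme.replace("http", "hxxp", 1)
    out = f"{scheme}://{u.netloc.replace('.', '[.]')}{u.path}"
    return out + (f"?{u.query}" if u.query else "")


def triage(records):
    """One finding per child of an Office process, graded by what the child is."""
    by_pid = {p.pid: p for p in records}
    findings = []
    for child in records:
        parent = by_pid.get(child.ppid)
        if parent is None or image_name(parent.image) not in OFFICE:
            continue
        name = image_name(child.image)
        urls = URL_RE.findall(child.cmdline)
        if name in SCRIPT_HOSTS:
            kind, severity = "office-to-script-host", "high"
        elif name in BROWSERS and urls:
            # Outlook handing a URL to the default browser is what a link click
            # produces; in an interactive sandbox it may be the analyst's own click.
            kind, severity = "office-to-browser-link", "medium"
        else:
            kind, severity = "office-child", "medium"
        hosts = [urlsplit(u).hostname or "" for u in urls]
        findings.append({
            "parent": f"{image_name(parent.image)}:{parent.pid}",
            "child": f"{name}:{child.pid}",
            "kind": kind,
            "severity": severity,
            "urls": [defang(u) for u in urls],
            "tracker_redirect": any(h.endswith(TRACKER_SUFFIXES) for h in hosts),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(RECORDS):
        print(finding)
```

Run against the report's tree this yields exactly one finding, outlook.exe:696 -> iexplore.exe:2480, kind office-to-browser-link with tracker_redirect set; PID 1648 is not reported because its parent is the other iexplore.exe, not Outlook.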
Total events: 17 530
Read events: 16 858
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 7
Text files: 15
Unknown types: 6

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR985E.tmp.cvr | | |
696 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | | |
1648 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | binary | 5816D760338F7501A8BFFEAD7842D854 | 936E6EE75D688CFC795948B1ACDB199C56A958EF11EC217848C63BDB5474328F
696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | FC79503F6571324B19109151F12F64DD | 29D68FC5D73B65029811A10CF08726AB27D255B9EEE6E49B05F76DE47C7821F7
2480 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F | der | DF6DEECBA36F8D0AF53EAFA9C51AB1F7 | 60D1053BDE5FBCA23ED8976F1EABAEE9C4BB459D9C997E5A76BB2182EE916D98
1648 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | binary | F97B6323F97828CEA41EB02D479AE1CC | 363614FEC0B8D065E0756E9BD0A23D71EB8FD414E3B264949A874C60ED8EAC70
696 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 1087631A72C7BF5E3E748DBF09E942C9 | 0989FC84664253B2E5884AFD921740C5214D5D65B1ADBA407E159DCFA2BE6A88
1648 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 3FFAF5F91F9C984009B5ECC84982F83C | 1D3DA70B046146DD748A5C43DDE91939601A4D87304C80E77F832818A522D260
696 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_0F242EEAA0585B468D62D25D2E18C8E8.dat | xml | D8B37ED0410FB241C283F72B76987F18 | 31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
1648 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | der | 594D802A0CCC428FCDFC397BD6ED09AA | E11D57A7187C2B184F45CE8158C0749F632403F5D4EDC2910107A1868951A9A2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 19
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
1648 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted
2480 | iexplore.exe | GET | | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | | | whitelisted
2480 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted
2480 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 631 b | whitelisted
1648 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted
1648 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCbtonfHJ3EDA%3D%3D | US | der | 1.74 Kb | whitelisted
2480 | iexplore.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb8914ef1e77e13 | US | compressed | 4.70 Kb | whitelisted
1648 | iexplore.exe | GET | 200 | 95.140.236.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c7f7165edb602f14 | GB | compressed | 4.70 Kb | whitelisted
2480 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bfd2a261415bbe34 | US | compressed | 4.70 Kb | whitelisted
1648 | iexplore.exe | GET | 200 | 95.140.236.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ddc2078ffd4ec683 | GB | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2480 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
1648 | iexplore.exe | 95.140.236.0:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | GB | whitelisted
696 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
2480 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious
1648 | iexplore.exe | 192.124.249.41:80 | ocsp.godaddy.com | Sucuri | US | suspicious
1648 | iexplore.exe | 167.89.123.122:443 | u27450775.ct.sendgrid.net | SendGrid, Inc. | US | suspicious
2480 | iexplore.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious
2480 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2480 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
u27450775.ct.sendgrid.net | 167.89.123.122, 167.89.123.16, 167.89.118.28, 167.89.118.35 | suspicious
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 131.253.33.200, 13.107.22.200 | whitelisted
ctldl.windowsupdate.com | 23.216.77.80, 23.216.77.69, 95.140.236.0, 178.79.242.128 | whitelisted
ocsp.godaddy.com | 192.124.249.41, 192.124.249.36, 192.124.249.22, 192.124.249.23, 192.124.249.24 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted

Threats

No threats detected
No debug info