File name: Le damos la bienvenida a MyAnalytics.msg

Full analysis: https://app.any.run/tasks/41195f5f-39ad-4fc2-b7fb-cdce67e897e3
Verdict: Malicious activity
Analysis date: October 14, 2019, 21:41:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 79D19BF5B05C6A7CF414F5F0EA28F3A6
SHA1: B1ADDEBCC7669055CC13B7C937C266BFE0A21CA2
SHA256: A0AE74FC2501775D4833D5A6606A30762B2EA2F8E2D22625DF9A720D2EC987C8
SSDEEP: 3072:+bIfNsXQdqCYC/C/mY538slxKlyq8rIGFQc5kafGx:SIHqCRcmU84e9BwVvG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2480)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 2480)
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 2480)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2480)
  • INFO
    • Manual execution by user
      • chrome.exe (PID: 940)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2428)
      • iexplore.exe (PID: 3332)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2428)
      • iexplore.exe (PID: 3332)
    • Changes internet zones settings
      • iexplore.exe (PID: 3060)
    • Application launched itself
      • iexplore.exe (PID: 3060)
      • chrome.exe (PID: 940)
    • Reads the hosts file
      • chrome.exe (PID: 940)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2480)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 12
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report)

Processes shown: start, outlook.exe, iexplore.exe, iexplore.exe, iexplore.exe, chrome.exe (no specs) ×8

Process information
PID: 2480 (parent process: explorer.exe)
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Le damos la bienvenida a MyAnalytics.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 3060 (parent process: OUTLOOK.EXE)
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://go.microsoft.com/fwlink/?linkid=2104226
Path: C:\Program Files\Internet Explorer\iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3332 (parent process: iexplore.exe)
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3060 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2428 (parent process: iexplore.exe)
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3060 CREDAT:6403
Path: C:\Program Files\Internet Explorer\iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 940 (parent process: explorer.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3300 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6feda9d0,0x6feda9e0,0x6feda9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 956 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2260 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2440 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,10900975974631229371,1292723867417985616,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=4772811929567297024 --mojo-platform-channel-handle=1048 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

PID: 3676 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1028,10900975974631229371,1292723867417985616,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=8459339290889866294 --mojo-platform-channel-handle=1636 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2536 (parent process: chrome.exe)
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,10900975974631229371,1292723867417985616,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1432345096288674840 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

Total events: 2 167
Read events: 1 524
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 4
Text files: 86
Unknown types: 4

Dropped files

PID | Process | Filename | Type
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA8FC.tmp.cvr |
MD5:
SHA256:
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
MD5:76251936821C3FA4B0561FADE41B95D1
SHA256:1218298F251355DAA76E8F9AA71B96ADB0866D45C7619D2A0A26B8C87CE11689
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
MD5:54AC8AE97124359512BA367D093DCA6D
SHA256:79E67C3DDC2EBD380BC9B25E4CB5B694A87FAE96943B52EBA58482DE5C2F5AFA
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C804EE3.dat | image
MD5:24B2B8B263BD8CED3A12F970FDCBCBB1
SHA256:D9A66BE6E9E24C4EE061EDD8490E3DA63130FF098A6BCE0C6F1E983E6E647E9A
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\61F32DF9.dat | image
MD5:8DB6F62816FD0C94C288F93224BC803A
SHA256:B87974726F8B720D48A32F3C95E8D1C742A9B32AE146611006352526C22B597E
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC8352A7.dat | image
MD5:752755D9541CBB4ECE6F74DF664D2ECE
SHA256:EBECF5EC9B6CB5CE402E0B48742E101AB2319A2015715DF89204D80DFB0F0C1C
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ECA83EA4.dat | image
MD5:3B2E59E41065E176B3A7B76D99945ADD
SHA256:CC70FE3C926AF654A9DFE7C12B25499F2DF9C9210B9FC522F07EFE77B786A750
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA06FA4D.dat | image
MD5:9451572A6EEC66EDE571C13ADD250D88
SHA256:F18BDA162C12EC867DFF1064C84594A0ED5FC40B8FE12B574E60F23F47D858A4
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6074A02B.dat | image
MD5:F32883C33166977C59CF27D618B1E2CE
SHA256:BC6B6A5A9C350E1AD65F9F2747A78586EBC8FF0A6B91013B77F338B5FE8D8E50
2480 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B848655.dat | image
MD5:A222235DAD8BC050B81E7AEFE259DC78
SHA256:B4AA05B7D2A810C101CB196CE0F622A29799B9BC15A18B178FE1F757CA965FD7
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 2
TCP/UDP connections: 11
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2480 | OUTLOOK.EXE | GET |  | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US |  |  | whitelisted
3060 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3060 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2480 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
3332 | iexplore.exe | 95.101.177.126:443 | docs.microsoft.com | Akamai Technologies, Inc. |  | whitelisted
2428 | iexplore.exe | 40.86.224.81:443 | myanalytics.microsoft.com | Microsoft Corporation | CA | unknown
3332 | iexplore.exe | 2.19.38.59:443 | go.microsoft.com | Akamai International B.V. |  | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
go.microsoft.com | 2.19.38.59 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
docs.microsoft.com | 95.101.177.126 | whitelisted
myanalytics.microsoft.com | 40.86.224.81 | whitelisted

Threats

No threats detected
No debug info