Malware analysis Sua Fatura Vivo Móvel chegou - (89114).msg Malicious activity

Add for printing

File name:	Sua Fatura Vivo Móvel chegou - (89114).msg
Full analysis:	https://app.any.run/tasks/31482e59-a744-487f-9a18-617b1dac7294
Verdict:	Malicious activity
Analysis date:	May 24, 2019, 14:28:58
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	opendir
Indicators:
MIME:	application/vnd.ms-outlook
File info:	CDFV2 Microsoft Outlook Message
MD5:	3A5A6BBDB2ED3AE3F124E7D14DBCA696
SHA1:	2C7A471A418712A1E7E13A28A03AE182CF664D9B
SHA256:	AA129F6D7B1A65B1A959BCC2112A9F96947EF192DD5197CD5370DCF6B6023A4C
SSDEEP:	768:MdKcMSd9xe2VABO0ncN2EWsK7bqO7qiXMkgRRzh/r/OoWrWsKeWsK8d2pauZSPDw:MdqrcvWx7qugDz1rG5WWWjsWBWJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Unusual execution from Microsoft Office
  - OUTLOOK.EXE (PID: 2948)
SUSPICIOUS
- Reads Internet Cache Settings
  - OUTLOOK.EXE (PID: 2948)
- Executed via COM
  - OUTLOOK.EXE (PID: 2776)
- Creates files in the user directory
  - OUTLOOK.EXE (PID: 2948)
- Starts Internet Explorer
  - OUTLOOK.EXE (PID: 2948)
- Creates files in the program directory
  - AdobeARM.exe (PID: 860)
INFO
- Reads Microsoft Office registry keys
  - OUTLOOK.EXE (PID: 2776)
  - OUTLOOK.EXE (PID: 2948)
  - iexplore.exe (PID: 3976)
- Reads settings of System Certificates
  - OUTLOOK.EXE (PID: 2948)
  - iexplore.exe (PID: 3976)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 2828)
  - iexplore.exe (PID: 3976)
  - iexplore.exe (PID: 3840)
- Changes internet zones settings
  - iexplore.exe (PID: 3976)
- Reads internet explorer settings
  - iexplore.exe (PID: 2828)
  - iexplore.exe (PID: 3840)
- Creates files in the user directory
  - iexplore.exe (PID: 2828)
- Application launched itself
  - iexplore.exe (PID: 3976)
  - RdrCEF.exe (PID: 3348)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 3976)
- Changes settings of System certificates
  - iexplore.exe (PID: 3976)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msg	\|	Outlook Message (58.9)
.oft	\|	Outlook Form Template (34.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2948	"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Sua Fatura Vivo Móvel chegou - (89114).msg"	C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000
2776	"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding	C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000
3976	"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\53BTIOI8\email.mht	C:\Program Files\Internet Explorer\iexplore.exe		OUTLOOK.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2828	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3976 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe	—	iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3840	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3976 CREDAT:6403	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3796	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3840	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	—	iexplore.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Exit code: 0 Version: 15.23.20070.215641
3920	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3840	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe		iexplore.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641
3124	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 3840	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	—	AcroRd32.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641
3348	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	—	AcroRd32.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.23.20053.211670
3156	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3348.0.92165107\504328219" --allow-no-sandbox-job /prefetch:673131151	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	—	RdrCEF.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670

Add for printing

Total events

2 617

Read events

2 044

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2948	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Temp\CVRE88A.tmp.cvr		—
		MD5:—	SHA256:—
2776	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Temp\CVRF710.tmp.cvr		—
		MD5:—	SHA256:—
2948	OUTLOOK.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm		pgc
		MD5:5B50B2AE618B656BBD7B52A4611EEA9D	SHA256:E49EB14B050D633F7A61D523D88EC5FF0756A00A788739FF5B8AB60A68D078F4
2948	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\7KdaGVU[1].jpg		image
		MD5:595AA92866C91604EE00116D666E8D05	SHA256:F1C44D2D25B6A7DF410B1C3175C27AEC6DDC4AF7CE67184E54F6973203335565
2948	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\9nzF1so[1].jpg		image
		MD5:52D6C32825F276805A935E17B87E8FFD	SHA256:602F9068449870E99B36A2B654D7EF994B9D827F5AF4E9611B393EF42FE8A6AC
2948	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\Mj1glp1[1].jpg		image
		MD5:ABAD27971EEDA36666628531107557B9	SHA256:2F7E107F2C75B3AB5267BC984375245309D0C0FA93B9AE8E747583E466CE055C
2948	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\bffvP42[1].jpg		image
		MD5:9F0CEC0D8282F62A2CD1DF8975342FD9	SHA256:4377F4382BEC9A5C430D6466EDDCFFB349C236854FAE3B67117D87F2F73BD78C
2948	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\cWp7xmH[1].jpg		image
		MD5:241246E4ED5BE2A1EDCE558222B8B1CC	SHA256:B994A3D50D4B7F0C4FF296A1B382555202476CF62ECBE43F256238BC38C834D9
2948	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf		text
		MD5:48DD6CAE43CE26B992C35799FCD76898	SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
2948	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_4BED883300C45A43848FF6617DE7DA96.dat		xml
		MD5:D8B37ED0410FB241C283F72B76987F18	SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3920	AcroRd32.exe	GET	304	2.16.186.26:80	http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/282_15_23_20070.zip	unknown	—	—	whitelisted
3840	iexplore.exe	GET	302	178.79.136.242:80	http://li192-242.members.linode.com/catalog/seo_sitemap/vivofatura79pach/	GB	—	—	unknown
2948	OUTLOOK.EXE	GET	—	64.4.26.155:80	http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig	US	—	—	whitelisted
3920	AcroRd32.exe	GET	304	2.16.186.26:80	http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/284_15_23_20070.zip	unknown	—	—	whitelisted
3976	iexplore.exe	GET	200	13.107.21.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted
3920	AcroRd32.exe	GET	304	2.16.186.26:80	http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/283_15_23_20070.zip	unknown	—	—	whitelisted
3920	AcroRd32.exe	GET	304	2.16.186.26:80	http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3976	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
3976	iexplore.exe	13.107.21.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
2948	OUTLOOK.EXE	151.101.36.193:443	i.imgur.com	Fastly	US	unknown
2948	OUTLOOK.EXE	64.4.26.155:80	config.messenger.msn.com	Microsoft Corporation	US	whitelisted
3840	iexplore.exe	172.217.18.16:443	storage.googleapis.com	Google Inc.	US	whitelisted
3976	iexplore.exe	172.217.18.16:443	storage.googleapis.com	Google Inc.	US	whitelisted
3840	iexplore.exe	52.219.96.18:443	s3.us-east-2.amazonaws.com	—	US	shared
3976	iexplore.exe	216.58.210.4:443	www.google.com	Google Inc.	US	whitelisted
3840	iexplore.exe	178.79.136.242:80	li192-242.members.linode.com	Linode, LLC	GB	unknown
3920	AcroRd32.exe	2.16.186.26:80	acroipm2.adobe.com	Akamai International B.V.	—	whitelisted

DNS requests

Domain	IP	Reputation
config.messenger.msn.com	64.4.26.155	whitelisted
i.imgur.com	151.101.36.193	shared
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
storage.googleapis.com	172.217.18.16	whitelisted
li192-242.members.linode.com	178.79.136.242	unknown
s3.us-east-2.amazonaws.com	52.219.96.18	shared
www.google.com	216.58.210.4	whitelisted
armmf.adobe.com	2.18.233.74	whitelisted
acroipm2.adobe.com	2.16.186.26 2.16.186.32	whitelisted
ardownload2.adobe.com	104.111.214.232	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Sua Fatura Vivo Móvel chegou - (89114).msg

3A5A6BBDB2ED3AE3F124E7D14DBCA696

2C7A471A418712A1E7E13A28A03AE182CF664D9B

AA129F6D7B1A65B1A959BCC2112A9F96947EF192DD5197CD5370DCF6B6023A4C

768:MdKcMSd9xe2VABO0ncN2EWsK7bqO7qiXMkgRRzh/r/OoWrWsKeWsK8d2pauZSPDw:MdqrcvWx7qugDz1rG5WWWjsWBWJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Unusual execution from Microsoft Office

SUSPICIOUS

Reads Internet Cache Settings

Executed via COM

Creates files in the user directory

Starts Internet Explorer

Creates files in the program directory

INFO

Reads Microsoft Office registry keys

Reads settings of System Certificates

Reads Internet Cache Settings

Changes internet zones settings

Reads internet explorer settings

Creates files in the user directory

Application launched itself

Adds / modifies Windows certificates

Changes settings of System certificates

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings