analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Your_Encrypted_Message_Activation_Information.eml

Full analysis: https://app.any.run/tasks/98c15627-5241-4ca7-8acd-2fe30d9ed1d3
Verdict: Malicious activity
Analysis date: August 12, 2022, 22:02:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

6A60EBB4468D8406033FB8EA2E225C5D

SHA1:

FFB752735D510EC2B68C53306560F866135BA17D

SHA256:

AE3E7F2F1C666E5B05838509556896B51FD7B7B6098E9E5D8CBBA384FA1F2AA6

SSDEEP:

384:hvjc62oVlpxdM01LA98nPVTYbdIbnqKXimDhbA9UcuZedC5nOkyitE:hvQ62oDnmGM9QdT0d+nqKSmDNy3uZedj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the computer name

      • OUTLOOK.EXE (PID: 968)

    • Checks supported languages

      • OUTLOOK.EXE (PID: 968)

    • Searches for installed software

      • OUTLOOK.EXE (PID: 968)

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3852)

  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 3852)
      • iexplore.exe (PID: 2124)

    • Reads the computer name

      • iexplore.exe (PID: 3852)
      • iexplore.exe (PID: 2124)

    • Changes internet zones settings

      • iexplore.exe (PID: 2124)

    • Application launched itself

      • iexplore.exe (PID: 2124)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3852)
      • iexplore.exe (PID: 2124)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3852)
      • iexplore.exe (PID: 2124)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3852)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
968"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Your_Encrypted_Message_Activation_Information.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2124"C:\Program Files\Internet Explorer\iexplore.exe" https://urldefense.com/v3/__https:/us.pbe.encryption.symantec.com/login.html?msgUserId=41e6598b746ab112&enterprise=questdiagnostics&rrRegcode=FyZnfK9q&locale=en_US__;!!Fou38LsQmgU!qejWhB4V3iXILxZtm7aJIoFMdhOfNEbodJ7I0OrKd7URz3VpStxUHYVnkoJm2XecRsnFlDOPByVs5Y6ebnVTVfL3RbOVWxrT$C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3852"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2124 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
16 300
Read events
15 603
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
10
Text files
16
Unknown types
8

Dropped files

PID
Process
Filename
Type
968OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR9AD9.tmp.cvr
MD5:
SHA256:
968OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
968OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:4C2E693A487E28D9A73540448C7FEDA0
SHA256:E3BCD0B2B650C7337B8E75E15FE59039BE428A512033BD67867172AED4FE5B17
2124iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:EE87BB11E233C12009CC11725035DBDC
SHA256:D82930A5B051B3C3F1639C24E83BDDF41D5AA66E467A0944D1AC3D59AE6330C5
968OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:E1B37DE51FACF21749664CEAEE09FA5E
SHA256:3D37C3F3AC5AF4EE5E32A46ACDEC0196B6E618256608CC7CAD8F0F97D382D725
2124iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:C8CFDE7B7CFB4762FBBEE953DBEDF2EC
SHA256:782CC1D8CFA3718403E34AD4BFAE8538D8D81D747069D40D6D2DA479D207A859
3852iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:3E4074EC3E7B1CCFF6AD61B0A5EC99E1
SHA256:D0D4EFF1595E2160980F6896141286D218A02305F90DDDFB4DB3062C5AB1855D
3852iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9der
MD5:AA8F23C15389F1964C9AA15801F5B68E
SHA256:6D4A5AFE97FED51A855072038AE4B66902C0955D240D9C55C487CF05BF169F9B
2124iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3852iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
26
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
968
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3852
iexplore.exe
GET
200
104.18.32.68:80
http://crl.comodoca.com/AAACertificateServices.crl
US
der
506 b
whitelisted
3852
iexplore.exe
GET
200
172.64.155.188:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
US
der
1.42 Kb
whitelisted
2124
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3852
iexplore.exe
GET
200
172.64.155.188:80
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
US
der
978 b
whitelisted
3852
iexplore.exe
GET
200
172.64.155.188:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCEA2KFitLH9n0LY9WTWFSpcE%3D
US
der
471 b
whitelisted
2124
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3852
iexplore.exe
GET
200
23.216.77.80:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6fdabcad10f44235
US
compressed
4.70 Kb
whitelisted
3852
iexplore.exe
GET
200
23.216.77.80:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1c3e076ed021c716
US
compressed
4.70 Kb
whitelisted
3852
iexplore.exe
GET
200
104.18.32.68:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D
US
der
2.18 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
968
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3852
iexplore.exe
23.216.77.80:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
2124
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3852
iexplore.exe
172.64.155.188:80
ocsp.comodoca.com
US
suspicious
3852
iexplore.exe
3.134.4.181:443
us.pbe.encryption.symantec.com
US
suspicious
2124
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3852
iexplore.exe
52.71.28.102:443
urldefense.com
Amazon.com, Inc.
US
suspicious
3852
iexplore.exe
104.18.32.68:80
ocsp.comodoca.com
Cloudflare Inc
US
suspicious
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3852
iexplore.exe
18.190.88.230:443
us.pbe.encryption.symantec.com
Massachusetts Institute of Technology
US
suspicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
urldefense.com
  • 52.204.90.22
  • 52.6.56.188
  • 52.71.28.102
shared
ctldl.windowsupdate.com
  • 23.216.77.80
  • 23.216.77.69
whitelisted
ocsp.comodoca.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl.comodoca.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
ocsp.usertrust.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted
crl.usertrust.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted

Threats

PID
Process
Class
Message
3852
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3852
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Your_Encrypted_Message_Activation_Information.eml