analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

caution - phishing email.msg

Full analysis: https://app.any.run/tasks/f0f501fe-0673-4412-960e-4794079e43dd
Verdict: Malicious activity
Analysis date: November 16, 2019, 15:07:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

D5BC51405272ABEE62F31CB1C671CE1E

SHA1:

F568723CE34A55CB5447F714073DE8A91000FEC4

SHA256:

B7049825578C206C76167C328549CA4E3488FEF9C90EE2AABA546A213D087437

SSDEEP:

768:MyYwM4kvLASXsKgCsK1sKMxqUPgCR6czysKzZ4iRKTBBgjDlPp7hGXWTxjLWsKd2:+Zfdk+rmsjBGXWlfW1fH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2132)

  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2132)

    • Starts itself from another location

      • OUTLOOK.EXE (PID: 2132)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2132)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2132)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3816)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1268)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1268)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 640)
      • OUTLOOK.EXE (PID: 4044)
      • OUTLOOK.EXE (PID: 1792)
      • OUTLOOK.EXE (PID: 2132)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe outlook.exe no specs outlook.exe no specs iexplore.exe iexplore.exe outlook.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2132"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\caution - phishing email.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
640"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:%[email protected]"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXEOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
1792"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXEOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
3816"C:\Program Files\Internet Explorer\iexplore.exe" http://www.facebook.com/C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1268"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3816 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4044"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXEOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
Total events
2 020
Read events
1 307
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
36
Unknown types
3

Dropped files

PID
Process
Filename
Type
2132OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRA969.tmp.cvr
MD5:
SHA256:
640OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRD03B.tmp.cvr
MD5:
SHA256:
1792OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRF72C.tmp.cvr
MD5:
SHA256:
3816iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
3816iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1268iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\26ZZS46G\m_facebook_com[1].txt
MD5:
SHA256:
2132OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:E8181931F3FB34F5041F3BCF146F0BF8
SHA256:7DBE96DF43954DA03FE5109A7226294009A3BB1755C26B96A204AF83D0904ABD
2132OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:57C6A283E0D60AA53BDB9C0ACCE6C1C2
SHA256:1F3741D73C558ACF9BD29288832410666AC7EE3032820BAE16A5A300D786E700
1268iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:DE53942CB916583ED456607FEB73E368
SHA256:9D378230DFEB2483A2DC6B0DCC4C76F7BF9B7E43B809B5910C5EE5AF476BEBCD
1268iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:A657B158D276AF006CF8E70B15BF8563
SHA256:1592F0087085CB5E2981076973FABB596D700FD8131466883C6C5280CAB052C9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
11
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2132
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
1268
iexplore.exe
GET
302
157.240.20.35:80
http://www.facebook.com/
US
whitelisted
3816
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2132
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
1268
iexplore.exe
157.240.20.35:443
www.facebook.com
Facebook, Inc.
US
whitelisted
3816
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1268
iexplore.exe
157.240.20.35:80
www.facebook.com
Facebook, Inc.
US
whitelisted
1268
iexplore.exe
31.13.92.14:443
static.xx.fbcdn.net
Facebook, Inc.
IE
whitelisted
31.13.92.36:443
m.facebook.com
Facebook, Inc.
IE
whitelisted
3816
iexplore.exe
31.13.92.36:443
m.facebook.com
Facebook, Inc.
IE
whitelisted
1268
iexplore.exe
31.13.92.36:443
m.facebook.com
Facebook, Inc.
IE
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
www.facebook.com
  • 157.240.20.35
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
m.facebook.com
  • 31.13.92.36
whitelisted
static.xx.fbcdn.net
  • 31.13.92.14
whitelisted
facebook.com
  • 31.13.92.36
whitelisted
fbcdn.net
  • 31.13.92.36
whitelisted
fbsbx.com
  • 31.13.92.36
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
caution - phishing email.msg