analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Facture 3789 Reçu de paiement 202027 mai.msg

Full analysis: https://app.any.run/tasks/4b4f8d1e-7419-4ea3-945e-496c9bcdba70
Verdict: Malicious activity
Analysis date: September 30, 2020, 07:05:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

D08AD34F48D33F48D4E326857A3922FB

SHA1:

F76493709AEBF29E8B21C6374DA581BB895B7CB9

SHA256:

B8F54660668BC3C507F5B1DFACA967B0F3543A3D8C254F34A5F8C2636EEFBF8E

SSDEEP:

1536:/vsLPr0ew/N7KHleqdrTlsY3bVJAJKD1:cbr0ewVues3bVJoKD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2092)

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2092)

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2092)

  • INFO

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2092)
      • iexplore.exe (PID: 2432)
      • iexplore.exe (PID: 3000)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2092)

    • Application launched itself

      • iexplore.exe (PID: 3000)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2432)

    • Changes internet zones settings

      • iexplore.exe (PID: 3000)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2432)
      • iexplore.exe (PID: 3000)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3000)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2092"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Facture 3789 Reçu de paiement 202027 mai.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3000"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\TXSHUYY1\Remittance_Advice_92334XC_pdf.htMLC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2432"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3000 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
2 950
Read events
2 311
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
18
Text files
44
Unknown types
10

Dropped files

PID
Process
Filename
Type
2092OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRAAC8.tmp.cvr
MD5:
SHA256:
2092OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\TXSHUYY1\Remittance_Advice_92334XC_pdf (2).htML\:Zone.Identifier:$DATA
MD5:
SHA256:
2092OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:1F48CCEF9588FD1B290495CBAE1AE424
SHA256:B09FDD21AD60A310FF2ED09DB995DF2B4DD80D59611B6F18F2F725589220F16A
2092OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:507AF93114DD7FAAF1FD875B406E2A07
SHA256:FBBE23CC90F3C8B634F05C990E8B9A10F5C0383BD6CB7848F9AC988FCDCF6D47
2092OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32E1F169.datimage
MD5:89102504BC1078713300986EBDB20301
SHA256:CA015D866520CAA2D746AAEA9F47075C24EBEC6570F86C1033F2266BAC372E8D
2092OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\TXSHUYY1\Remittance_Advice_92334XC_pdf (2).htMLhtml
MD5:4B60040779545B6FD05DED36E27B492C
SHA256:D3CE36F98B8C6E3162A3E367DF2B2A626D3490C8BAC06CF39E2DC4BC409B470A
2092OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\TXSHUYY1\Remittance_Advice_92334XC_pdf.htMLhtml
MD5:4B60040779545B6FD05DED36E27B492C
SHA256:D3CE36F98B8C6E3162A3E367DF2B2A626D3490C8BAC06CF39E2DC4BC409B470A
2092OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2EEA1856.datimage
MD5:58B3DF1E1701E4A3BAF62912C74E01E8
SHA256:A98E5A7F155FC970442238B591DBA452A0B9DFDE02B0C085AF01B522E30CB583
2432iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\errorPageStrings[1]text
MD5:E3E4A98353F119B80B323302F26B78FA
SHA256:9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66
2432iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\script[1].jstext
MD5:0ECA7E1576A2E7C89B606A48F78E7F51
SHA256:99F648D83411667649CD7EB7F356E2D16B2A5BD645297672F2DCA1EE6308FE8F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
27
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2432
iexplore.exe
GET
200
5.189.183.184:80
http://yourjavascript.com/7128900251/mb.js
DE
whitelisted
2432
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
US
der
1.47 Kb
whitelisted
2432
iexplore.exe
GET
200
5.189.183.184:80
http://yourjavascript.com/2575019802/script.js
DE
text
8.94 Kb
whitelisted
2432
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D
US
der
727 b
whitelisted
2432
iexplore.exe
GET
200
2.16.186.11:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
2432
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
US
der
1.47 Kb
whitelisted
2432
iexplore.exe
GET
200
2.16.186.11:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
2432
iexplore.exe
GET
200
2.16.186.35:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
2432
iexplore.exe
GET
301
51.91.224.95:80
http://i.postimg.cc/vHgYSJgT/arrow.jpg
GB
html
162 b
whitelisted
3000
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2092
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2.16.186.35:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
whitelisted
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2432
iexplore.exe
51.210.112.129:443
i.ibb.co
GB
unknown
2432
iexplore.exe
209.197.3.24:443
code.jquery.com
Highwinds Network Group, Inc.
US
malicious
2432
iexplore.exe
51.91.224.95:443
i.postimg.cc
GB
suspicious
151.139.128.14:80
ocsp.comodoca.com
Highwinds Network Group, Inc.
US
suspicious
51.91.224.95:80
i.postimg.cc
GB
suspicious
5.189.183.184:80
yourjavascript.com
Contabo GmbH
DE
malicious
2.16.186.11:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
yourjavascript.com
  • 5.189.183.184
whitelisted
secure.aadcdn.microsoftonline-p.com
  • 95.100.79.183
whitelisted
i.postimg.cc
  • 51.91.224.95
whitelisted
code.jquery.com
  • 209.197.3.24
whitelisted
i.ibb.co
  • 51.210.112.129
  • 51.210.112.130
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
isrg.trustid.ocsp.identrust.com
  • 2.16.186.35
  • 2.16.186.11
whitelisted
ocsp.comodoca.com
  • 151.139.128.14
whitelisted
api.bing.com
  • 13.107.13.80
whitelisted

Threats

PID
Process
Class
Message
1052
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Facture 3789 Reçu de paiement 202027 mai.msg