File name: BALANCES DE LOS IMPUESTO PREDIAL POR CANCELAR.msg
Full analysis: https://app.any.run/tasks/8a02192e-6d1a-4ed2-9e30-1dccb66109d0
Verdict: Malicious activity
Analysis date: January 24, 2022, 20:00:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 52A93926423F62E5DD92BFDF1F7909AB
SHA1: CD15035B5ED92CE6605B7D6ECDCA92D4CBDF7456
SHA256: BD0F6AAD6579A982D7DE0C8E6A22044863D2678ACB03E79C7F40CCD56B38D3C5
SSDEEP: 1536:WWaRJE/e2LfB2g8qdJwWSWqWyWqWILQmwmhk1:IfUJB2+aWIsH0k1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2200)
    • Application was dropped or rewritten from another process
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3612)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3328)
    • Changes the Startup folder
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3612)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3328)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 2200)
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 468)
    • Checks supported languages
      • WinRAR.exe (PID: 2808)
      • cmd.exe (PID: 3324)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3612)
      • cmd.exe (PID: 380)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3328)
      • cmd.exe (PID: 1564)
      • cmd.exe (PID: 1648)
      • InstallUtil.exe (PID: 3628)
      • InstallUtil.exe (PID: 2416)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2808)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3612)
    • Reads the computer name
      • WinRAR.exe (PID: 2808)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3612)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3328)
      • InstallUtil.exe (PID: 2416)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 2808)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3612)
    • Starts CMD.EXE for commands execution
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3612)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3328)
    • Reads Environment values
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3612)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3328)
    • Creates files in the user directory
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3612)
  • INFO
    • Reads the computer name
      • OUTLOOK.EXE (PID: 2200)
      • iexplore.exe (PID: 3616)
      • iexplore.exe (PID: 468)
    • Checks supported languages
      • OUTLOOK.EXE (PID: 2200)
      • iexplore.exe (PID: 3616)
      • iexplore.exe (PID: 468)
      • timeout.exe (PID: 3164)
      • timeout.exe (PID: 856)
      • timeout.exe (PID: 3628)
      • timeout.exe (PID: 2888)
    • Searches for installed software
      • OUTLOOK.EXE (PID: 2200)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2200)
      • iexplore.exe (PID: 468)
      • iexplore.exe (PID: 3616)
    • Application launched itself
      • iexplore.exe (PID: 3616)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 468)
      • iexplore.exe (PID: 3616)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3612)
      • BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe (PID: 3328)
    • Changes internet zones settings
      • iexplore.exe (PID: 3616)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 468)
      • iexplore.exe (PID: 3616)
    • Dropped object may contain Bitcoin addresses
      • iexplore.exe (PID: 3616)
    • Reads the date of Windows installation
      • iexplore.exe (PID: 3616)
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 3616)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2200)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD
.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 57
Monitored processes: 16
Malicious processes: 3
Suspicious processes: 1

Behavior graph

The interactive graph is only available in the full report. Its edge labels are "start" and "drop and start"; the process nodes it shows, in the order rendered ("no specs" is the report's own label), are: outlook.exe, iexplore.exe, iexplore.exe, winrar.exe, balances de los impuesto predial acancelar.exe, cmd.exe (no specs), timeout.exe (no specs), cmd.exe (no specs), timeout.exe (no specs), balances de los impuesto predial acancelar.exe, cmd.exe (no specs), timeout.exe (no specs), cmd.exe (no specs), timeout.exe (no specs), installutil.exe, installutil.exe (no specs).

Process information

PID: 2200
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\BALANCES DE LOS IMPUESTO PREDIAL POR CANCELAR.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 3616
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fuc%3Fexport%3Ddownload%26id%3D1HUcUN37UzBhdxY5a52rZg6TGcUM1ou4o&data=04%7C01%7Cfrancisco.palacio.serna%40epm.com.co%7C496e9a0ba9494935e74208d9df6e30de%7Cbf1ce8b55d394bc5ad6e07b3e4d7d67a%7C1%7C0%7C637786486641613155%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Ap0zYO7OMmo8eF3CjPF4ccoRDAd1aOW7Q2eGfmvTc4Y%3D&reserved=0
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 468
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3616 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2808
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.tar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 3612
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2808.10355\BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2808.10355\BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe
Parent process: WinRAR.exe
User: admin
Company: Lark Technologies Pte. Ltd.
Integrity Level: MEDIUM
Description: Lark Installer
Exit code: 0
Version: 5.2.0.0

PID: 380
CMD: "C:\Windows\System32\cmd.exe" /C timeout 10
Path: C:\Windows\System32\cmd.exe
Parent process: BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3164
CMD: timeout 10
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3324
CMD: "C:\Windows\System32\cmd.exe" /C timeout 10
Path: C:\Windows\System32\cmd.exe
Parent process: BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 856
CMD: timeout 10
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3328
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2808.13184\BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2808.13184\BALANCES DE LOS IMPUESTO PREDIAL ACANCELAR.exe
Parent process: WinRAR.exe
User: admin
Company: Lark Technologies Pte. Ltd.
Integrity Level: MEDIUM
Description: Lark Installer
Exit code: 0
Version: 5.2.0.0
Total events: 25 614
Read events: 24 828
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 15
Text files: 28
Unknown types: 9

Dropped files

PID: 2200 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR315E.tmp.cvr
Type: (none)
MD5:
SHA256:

PID: 2200 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
Type: (none)
MD5:
SHA256:

PID: 2200 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
Type: text
MD5: EC1138D67750F42B945309B79B9CA6B7
SHA256: 447EF2D885E62CB3FDB12E88F0149A403C09C39E6A0D00B13EC369F78F7FC23E

PID: 2200 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Type: pgc
MD5: 07A68CC8E32A3B27071E8657D0343523
SHA256: 8E73AC839B8C6850C53EF0A2EA8504DCC67A61EDC8830F8609464E9CB1EBE7AC

PID: 3616 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: 1C41C778A520698CAB8F63CCB0439F41
SHA256: 59B55A25BCF0C55379A5A7B13584F51C09804747D92738B5487D24D9418BA009

PID: 468 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49
Type: der
MD5: DAC4619E319FD2C836D2FCEB1542D665
SHA256: B715BCE5A46505ECF3DF445B5427EBFCD74279271DA1F019C2CAC521D56B8EA3

PID: 468 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49
Type: binary
MD5: C18DE3D3E6A20659E80C68D3F211310B
SHA256: D8A4F9B1A9A9647C8B8F895530A6FDC3C4556B34600C69904551E8F1E0793DC5

PID: 3616 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Type: binary
MD5: B2E092EF5DC0CA9E6931B69C3F9081E5
SHA256: F844920E1BEF2CC95FACC097A5310118830F25BB30CA1CCA0BF9E278B1F99371

PID: 3616 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Type: image
MD5: DA597791BE3B6E732F0BC8B20E38EE62
SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07

PID: 2200 | Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_01EEAA808073F44F86E57CCC495A7273.dat
Type: xml
MD5: B21ED3BD946332FF6EBC41A87776C6BB
SHA256: B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 33
DNS requests: 20
Threats: 0

HTTP requests

PID: 468 | Process: iexplore.exe | Method: GET | HTTP Code: 200 | IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D
CN: US | Type: der | Size: 471 b | Reputation: whitelisted

PID: 468 | Process: iexplore.exe | Method: GET | HTTP Code: 200 | IP: 142.250.184.195:80
URL: http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
CN: US | Type: der | Size: 724 b | Reputation: whitelisted

PID: 468 | Process: iexplore.exe | Method: GET | HTTP Code: 200 | IP: 142.250.184.195:80
URL: http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
CN: US | Type: der | Size: 1.41 Kb | Reputation: whitelisted

PID: 3616 | Process: iexplore.exe | Method: GET | HTTP Code: 200 | IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
CN: US | Type: der | Size: 1.47 Kb | Reputation: whitelisted

PID: 468 | Process: iexplore.exe | Method: GET | HTTP Code: 200 | IP: 142.250.184.195:80
URL: http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQC04WHG3wyS9QoAAAABK3x8
CN: US | Type: der | Size: 472 b | Reputation: whitelisted

PID: 3616 | Process: iexplore.exe | Method: GET | HTTP Code: 200 | IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: US | Type: der | Size: 471 b | Reputation: whitelisted

PID: 3616 | Process: iexplore.exe | Method: GET | HTTP Code: 200 | IP: 8.253.207.120:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a5915c9442700360
CN: US | Type: compressed | Size: 4.70 Kb | Reputation: whitelisted

PID: 468 | Process: iexplore.exe | Method: GET | HTTP Code: 200 | IP: 142.250.184.195:80
URL: http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEA9%2FdKivN6zeCgAAAAErf8I%3D
CN: US | Type: der | Size: 471 b | Reputation: whitelisted

PID: 3616 | Process: iexplore.exe | Method: GET | HTTP Code: 200 | IP: 8.253.207.120:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2c8756cf7f339130
CN: US | Type: compressed | Size: 4.70 Kb | Reputation: whitelisted

Connections

PID: 3616 | Process: iexplore.exe
IP: 204.79.197.200:443 | Domain: www.bing.com
ASN: Microsoft Corporation | CN: US | Reputation: whitelisted

PID: 2200 | Process: OUTLOOK.EXE
IP: 64.4.26.155:80 | Domain: config.messenger.msn.com
ASN: Microsoft Corporation | CN: US | Reputation: whitelisted

PID: (not listed) | Process: (not listed)
IP: 104.47.56.28:443 | Domain: nam02.safelinks.protection.outlook.com
ASN: Microsoft Corporation | CN: US | Reputation: suspicious

PID: 3616 | Process: iexplore.exe
IP: 8.253.207.120:80 | Domain: ctldl.windowsupdate.com
ASN: Level 3 Communications, Inc. | CN: US | Reputation: malicious

PID: 3616 | Process: iexplore.exe
IP: 93.184.220.29:80 | Domain: ocsp.digicert.com
ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US | Reputation: whitelisted

PID: 468 | Process: iexplore.exe
IP: 104.47.56.28:443 | Domain: nam02.safelinks.protection.outlook.com
ASN: Microsoft Corporation | CN: US | Reputation: suspicious

PID: 468 | Process: iexplore.exe
IP: 142.250.184.195:80 | Domain: ocsp.pki.goog
ASN: Google Inc. | CN: US | Reputation: whitelisted

PID: 468 | Process: iexplore.exe
IP: 142.250.185.78:443 | Domain: docs.google.com
ASN: Google Inc. | CN: US | Reputation: whitelisted

PID: 468 | Process: iexplore.exe
IP: 93.184.220.29:80 | Domain: ocsp.digicert.com
ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US | Reputation: whitelisted

PID: (not listed) | Process: (not listed)
IP: 152.199.19.161:443 | Domain: iecvlist.microsoft.com
ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US | Reputation: whitelisted

DNS requests

Domain: config.messenger.msn.com
  • 64.4.26.155
Reputation: whitelisted

Domain: nam02.safelinks.protection.outlook.com
  • 104.47.56.28
  • 104.47.38.28
Reputation: whitelisted

Domain: api.bing.com
  • 13.107.5.80
Reputation: whitelisted

Domain: www.bing.com
  • 204.79.197.200
  • 13.107.21.200
Reputation: whitelisted

Domain: ctldl.windowsupdate.com
  • 8.253.207.120
  • 8.248.145.254
  • 8.248.119.254
  • 67.26.73.254
  • 67.27.157.126
Reputation: whitelisted

Domain: ocsp.digicert.com
  • 93.184.220.29
Reputation: whitelisted

Domain: docs.google.com
  • 142.250.185.78
Reputation: shared

Domain: ocsp.pki.goog
  • 142.250.184.195
Reputation: whitelisted

Domain: doc-14-5k-docs.googleusercontent.com
  • 142.250.186.161
Reputation: whitelisted

Domain: iecvlist.microsoft.com
  • 152.199.19.161
Reputation: whitelisted

Threats

PID: (not listed) | Process: (not listed) | Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

PID: (not listed) | Process: (not listed) | Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info