File name:

phish_alert_sp2_2.0.0.0.eml

Full analysis: https://app.any.run/tasks/775cbe09-eff2-442f-abd3-ef8549beed51
Verdict: Malicious activity
Analysis date: January 24, 2022, 16:34:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

3EC6466038BC031F2BB763C1F5CA2677

SHA1:

277DCC5654D652B77737DAE573BA921E45488576

SHA256:

BF225BE8CA3BC2845E134D06F59AF1D8ECABD694C1E414D3DF724D67A61A5915

SSDEEP:

384:+nlZEt5csxrS1EyPfYM4WA//u0QxZjIEiOTNR:+nlZEtysxOey4MFAeb3Vvv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks supported languages

      • OUTLOOK.EXE (PID: 1252)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 1252)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 1252)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 1252)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1252)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2996)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 272)
      • iexplore.exe (PID: 2996)
    • Reads the computer name

      • iexplore.exe (PID: 2996)
      • iexplore.exe (PID: 272)
    • Application launched itself

      • iexplore.exe (PID: 272)
    • Changes internet zones settings

      • iexplore.exe (PID: 272)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 272)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → outlook.exe → iexplore.exe (no specs) → iexplore.exe

Process information

PID: 1252
CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml"
Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 272
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbit.ly%2F3Ks00Ek&data=04%7C01%7Cctr-fleetequipment%40cantire.com%7Cafd492787482409c942d08d9dcf04ae4%7Cbd6704ff1437477c9ac9c30d6f5133c5%7C0%7C0%7C637783747402171616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=bV9GevGcSdDbryz8nBSUsBJ96ZalsCeAHe4O0tS%2BQ9Q%3D&reserved=0
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2996
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:272 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 5 808
Read events: 5 143
Write events: 644
Delete events: 21

Modification events

(PID) Process: (1252) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033, Value: Off
Name: 1041, Value: Off
Name: 1046, Value: Off
Name: 1036, Value: Off
Name: 1031, Value: Off
Name: 1040, Value: Off
Name: 1049, Value: Off
Name: 3082, Value: Off
Name: 1042, Value: Off
Name: 1055, Value: Off
Executable files: 0
Suspicious files: 4
Text files: 10
Unknown types: 5

Dropped files

PID: 1252, Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRE8EC.tmp.cvr
MD5:
SHA256:

PID: 1252, Process: OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:

PID: 1252, Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
Type: text
MD5: 8408D9D735A240B9D81F8FAFC82C468D
SHA256: 42EDD9F73E40DC61D7D2AD63672827CD2795B36043506811C54DAE6B478F6971

PID: 272, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{8EAF51C6-7D33-11EC-A20C-12A9866C77DE}.dat
Type: binary
MD5: E85589F5AABAE780A15A40703B17478B
SHA256: 580D08189663929BCBD31C581F477CFE6DB190BD20967EF56B9C8BDF65EF4907

PID: 1252, Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_B3CF828A6882A4458110DA93CBBC310B.dat
Type: xml
MD5: 57F30B1BCA811C2FCB81F4C13F6A927B
SHA256: 612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3

PID: 1252, Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Type: pgc
MD5: A6EC923ACAA57C7943270F7EFE1691B7
SHA256: CD220E56147640FCBA1D4A87B208E6C0D6780CF80E4D1180A22FA00E9F3078E2

PID: 272, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFD04A349296F1BFB4.TMP
Type: gmc
MD5: D0E0D513AEFD4D6DD6A615E5760F333A
SHA256: C20ACB82B929C346E351F6CF9B2CE68696EE907A336771E8401676E920619823

PID: 272, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{8EAF51C5-7D33-11EC-A20C-12A9866C77DE}.dat
Type: binary
MD5: 4408380539FACCB4F69EFF81AC5136E2
SHA256: 2502D1C4EB54A8A89E934AE95E8D322D683A2DB3C4D1B9E414BB22536633442C

PID: 272, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{42C873D0-1D90-11EB-BA2C-12A9866C77DE}.dat
Type: binary
MD5: 03DB738961D7F094B50387F84C2D0E4C
SHA256: C5872369AA91763D132B727D77AC86B2D40B3CBC360E9083B057B0B5939A253B

PID: 1252, Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{5A108769-22B8-46E6-8C0B-143CEAFDDF28}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png
Type: image
MD5: 4C61C12EDBC453D7AE184976E95258E1
SHA256: 296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 7
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 1252, Process: OUTLOOK.EXE
IP: 64.4.26.155:80
Domain: config.messenger.msn.com
ASN: Microsoft Corporation
CN: US
Reputation: whitelisted

PID: 2996, Process: iexplore.exe
IP: 104.47.61.28:443
Domain: can01.safelinks.protection.outlook.com
ASN: Microsoft Corporation
CN: CA
Reputation: whitelisted

DNS requests

Domain: config.messenger.msn.com
  • 64.4.26.155
Reputation: whitelisted

Domain: can01.safelinks.protection.outlook.com
  • 104.47.61.28
  • 104.47.60.28
Reputation: whitelisted

Domain: api.bing.com
  • 13.107.13.80
Reputation: whitelisted

Domain: www.bing.com
  • 204.79.197.200
  • 13.107.21.200
Reputation: whitelisted

Threats

No threats detected
No debug info