analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Nicole hager.eml |
| Full analysis: | https://app.any.run/tasks/8d2d74dc-ebbf-46c6-b918-9c83a3ace3ad |
| Verdict: | Malicious activity |
| Analysis date: | June 27, 2022, 13:36:36 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MIME: | message/rfc822 |
| File info: | RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators |
| MD5: | 613BE134D7BAD868ED987C9C9EDD65E5 |
| SHA1: | F6651D4D66BA8087C725B4375644CDAA07C94373 |
| SHA256: | C07CF3CFD41CD5655A01773C02ACC8263FD1E0227307EAB44DA842D9D5CC7DCB |
| SSDEEP: | 24576:7/2DIFdMr34hhwxh9PFtWoU37QicewkhpfLkHDEkGE7DAmBiAyE7Dk1hlM/jwj/Z:ZFvhhmSvJ12DFHZR7swx6jJkQ32hIjZ |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads the computer name
- OUTLOOK.EXE (PID: 2952)
Checks supported languages
- OUTLOOK.EXE (PID: 2952)
Executed via COM
- DllHost.exe (PID: 3544)
- DllHost.exe (PID: 2512)
Creates files in the user directory
- OUTLOOK.EXE (PID: 2952)
Searches for installed software
- OUTLOOK.EXE (PID: 2952)
INFO
Reads the computer name
- DllHost.exe (PID: 3544)
- DllHost.exe (PID: 2512)
Checks supported languages
- DllHost.exe (PID: 3544)
- DllHost.exe (PID: 2512)
Reads Microsoft Office registry keys
- OUTLOOK.EXE (PID: 2952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .eml | | | E-Mail message (Var. 5) (100) |
|---|
Total processes
42
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2952 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Nicole hager.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
| 3544 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 3489660927 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2512 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
5 412
Read events
4 809
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
3
Text files
18
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR9339.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2952 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
| 2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp94D1.tmp | binary | |
MD5:74F239D8BBF2510A0EAA1D55B486C7D9 | SHA256:211A4822194517827E73B1A29256A976174C1454AA1626F1C0CA5B9AAB726A77 | |||
| 2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:72B88ACF5D243F5D35C52F16E7094190 | SHA256:1EA8DBCD74F14D10A9F05D014FAFCC23DDBC5336DE2C990C0B313A421659695B | |||
| 2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:00BDBA1D340CCBDE37DB4C7895AD2211 | SHA256:7126DED74317EF6FD424316A15F2BC7DDEE3983D9E08791AEFCC030451D5380B | |||
| 2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp94F2.tmp | binary | |
MD5:0D68B387BD3672E1C1CA597E6F7DD433 | SHA256:B9B80037F77436423DD98CA08EC14B4DEA4B67DB3F7C4B6268D3F65BCFB924DE | |||
| 2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\2CUGWPXY\essai 001.jpg | image | |
MD5:EA56B4D93F6CA6EE3077E5DB4C9CC5AB | SHA256:FB17A0F168F0BD30F017CFC3CFD412F697F158404CFF12B603060723CCCDF9FC | |||
| 2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_504FB70AA3C8C442B420B06F913DDB4F.dat | xml | |
MD5:B21ED3BD946332FF6EBC41A87776C6BB | SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 | |||
| 2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_AB080219951ABE438D54046B95CBF182.dat | xml | |
MD5:BBCF400BD7AE536EB03054021D6A6398 | SHA256:383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD | |||
| 2952 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\2CUGWPXY\manifeste 1799.jpg | image | |
MD5:15BC1CBEAF3A985EE71104E7DEC6A98B | SHA256:F0D5AEC5D5F78C05972EE230CB70991DC1D08AAEAC9C10C3FF55830481B7D8A2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2952 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.messenger.msn.com |
| whitelisted |
dns.msftncsi.com |
| shared |