analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | FW In_Voice RDSP-953810 from Christine S. Wilson.msg |
| Full analysis: | https://app.any.run/tasks/4256dee2-a6df-466a-b799-a26e103f8579 |
| Verdict: | Malicious activity |
| Analysis date: | August 12, 2022, 14:02:22 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.ms-outlook |
| File info: | CDFV2 Microsoft Outlook Message |
| MD5: | EF3052FAB2AE98CDE1C0123C5F1CA7B0 |
| SHA1: | B38CDD1AC1AA0BF63648F7583FFA310B93A9A5D1 |
| SHA256: | C4B6B303CA4EB913AE1B2CA7966CDED13A5AD0A0F177EF9144D430925803EC12 |
| SSDEEP: | 6144:QFXXcEisufS0zRjQWeerw/6X5pdmRBR7csV2iUgUadiCj6G8dKsbhBGZXS:uQX+zeM6X5pxE0RamdKihIBS |
MALICIOUS
Drops executable file immediately after starts
- AdobeARM.exe (PID: 2912)
- firefox.exe (PID: 1952)
SUSPICIOUS
Executed via COM
- DllHost.exe (PID: 2624)
Checks supported languages
- opera_plugin_wrapper_32.exe (PID: 384)
- AdobeARM.exe (PID: 2912)
- Reader_sl.exe (PID: 2688)
- notepad++.exe (PID: 1432)
- gup.exe (PID: 676)
Reads the computer name
- AdobeARM.exe (PID: 2912)
- gup.exe (PID: 676)
- notepad++.exe (PID: 1432)
Executable content was dropped or overwritten
- AdobeARM.exe (PID: 2912)
- firefox.exe (PID: 1952)
Drops a file with a compile date too recent
- AdobeARM.exe (PID: 2912)
- firefox.exe (PID: 1952)
Creates files in the program directory
- AdobeARM.exe (PID: 2912)
Reads default file associations for system extensions
- chrome.exe (PID: 4604)
INFO
Checks supported languages
- OUTLOOK.EXE (PID: 2732)
- DllHost.exe (PID: 2624)
- opera_plugin_wrapper.exe (PID: 2900)
- Opera.exe (PID: 3016)
- AcroRd32.exe (PID: 3040)
- RdrCEF.exe (PID: 1740)
- AcroRd32.exe (PID: 2356)
- RdrCEF.exe (PID: 1660)
- RdrCEF.exe (PID: 472)
- explorer.exe (PID: 2932)
- firefox.exe (PID: 1952)
- firefox.exe (PID: 3044)
- firefox.exe (PID: 2080)
- firefox.exe (PID: 2124)
- firefox.exe (PID: 3664)
- chrome.exe (PID: 3948)
- chrome.exe (PID: 4092)
- chrome.exe (PID: 3184)
- chrome.exe (PID: 3228)
- chrome.exe (PID: 3792)
- chrome.exe (PID: 3192)
- chrome.exe (PID: 3720)
- chrome.exe (PID: 3288)
- chrome.exe (PID: 3832)
- chrome.exe (PID: 3800)
- chrome.exe (PID: 3112)
- chrome.exe (PID: 4064)
- chrome.exe (PID: 4524)
- chrome.exe (PID: 984)
- chrome.exe (PID: 3060)
- chrome.exe (PID: 4204)
- chrome.exe (PID: 964)
- chrome.exe (PID: 4832)
- chrome.exe (PID: 3060)
- chrome.exe (PID: 4500)
- chrome.exe (PID: 3492)
- chrome.exe (PID: 4324)
- chrome.exe (PID: 4656)
- chrome.exe (PID: 3596)
- chrome.exe (PID: 4480)
- chrome.exe (PID: 4384)
- chrome.exe (PID: 4688)
- chrome.exe (PID: 4292)
- chrome.exe (PID: 4604)
- chrome.exe (PID: 3832)
- chrome.exe (PID: 5060)
- chrome.exe (PID: 4584)
- chrome.exe (PID: 4636)
- pingsender.exe (PID: 4800)
- pingsender.exe (PID: 4252)
Reads the computer name
- OUTLOOK.EXE (PID: 2732)
- DllHost.exe (PID: 2624)
- Opera.exe (PID: 3016)
- AcroRd32.exe (PID: 3040)
- AcroRd32.exe (PID: 2356)
- RdrCEF.exe (PID: 1740)
- explorer.exe (PID: 2932)
- firefox.exe (PID: 1952)
- firefox.exe (PID: 3044)
- firefox.exe (PID: 3664)
- firefox.exe (PID: 2080)
- firefox.exe (PID: 2124)
- chrome.exe (PID: 3184)
- chrome.exe (PID: 4092)
- chrome.exe (PID: 3948)
- chrome.exe (PID: 4604)
- chrome.exe (PID: 4584)
- pingsender.exe (PID: 4252)
- pingsender.exe (PID: 4800)
Searches for installed software
- OUTLOOK.EXE (PID: 2732)
- AcroRd32.exe (PID: 3040)
- AcroRd32.exe (PID: 2356)
Check for Java to be installed
- Opera.exe (PID: 3016)
Reads the date of Windows installation
- Opera.exe (PID: 3016)
- firefox.exe (PID: 1952)
- chrome.exe (PID: 4584)
Dropped object may contain Bitcoin addresses
- Opera.exe (PID: 3016)
- firefox.exe (PID: 1952)
- chrome.exe (PID: 3184)
Application launched itself
- AcroRd32.exe (PID: 3040)
- RdrCEF.exe (PID: 1740)
- firefox.exe (PID: 1952)
- chrome.exe (PID: 3184)
Reads CPU info
- RdrCEF.exe (PID: 1740)
- AcroRd32.exe (PID: 2356)
- RdrCEF.exe (PID: 472)
- RdrCEF.exe (PID: 1660)
- firefox.exe (PID: 1952)
Reads Microsoft Office registry keys
- OUTLOOK.EXE (PID: 2732)
- AcroRd32.exe (PID: 2356)
Reads settings of System Certificates
- RdrCEF.exe (PID: 1740)
- AcroRd32.exe (PID: 3040)
- AdobeARM.exe (PID: 2912)
- chrome.exe (PID: 4092)
- pingsender.exe (PID: 4800)
- pingsender.exe (PID: 4252)
Checks Windows Trust Settings
- AdobeARM.exe (PID: 2912)
- pingsender.exe (PID: 4252)
- pingsender.exe (PID: 4800)
Manual execution by user
- explorer.exe (PID: 2932)
- notepad++.exe (PID: 1432)
- firefox.exe (PID: 1952)
- chrome.exe (PID: 3184)
Creates files in the program directory
- firefox.exe (PID: 1952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msg | | | Outlook Message (58.9) |
|---|---|---|
| .oft | | | Outlook Form Template (34.4) |
Total processes
100
Monitored processes
55
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2732 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\FW In_Voice RDSP-953810 from Christine S. Wilson.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.4760.1000 Modules
| |||||||||||||||
| 2624 | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3016 | "C:\Program Files\Opera x64\Opera.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\XOU2R0KB\Untitled attachment 00887.png" | C:\Program Files\Opera x64\Opera.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Exit code: 0 Version: 1748 Modules
| |||||||||||||||
| 2900 | "C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe" -newprocess "3016 2 0 1 2" -logfolder "C:\Users\admin\AppData\Local\Opera\Opera x64\logs" | C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe | — | Opera.exe | |||||||||||
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser plugin wrapper Exit code: 0 Version: 1748 Modules
| |||||||||||||||
| 384 | "C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper_32.exe" -newprocess "3016 5 0 1 3" -logfolder "C:\Users\admin\AppData\Local\Opera\Opera x64\logs" | C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper_32.exe | — | Opera.exe | |||||||||||
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser plugin wrapper Exit code: 0 Version: 1748 Modules
| |||||||||||||||
| 3040 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\XOU2R0KB\MUDX-91370.pdf" | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 15.7.20033.133275 Modules
| |||||||||||||||
| 2356 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --channel=3040.0.1171351085 --type=renderer "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\XOU2R0KB\MUDX-91370.pdf" | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 15.7.20033.133275 Modules
| |||||||||||||||
| 1740 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | AcroRd32.exe | ||||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.7.20033.133275 Modules
| |||||||||||||||
| 1660 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-delegated-renderer --disable-desktop-notifications --disable-file-system --disable-shared-workers --disable-speech-input --disable-threaded-compositing --disable-webaudio --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.7.20033 Chrome/35.0.1916.138" --disable-accelerated-compositing --disable-accelerated-video-decode --enable-software-compositing --disable-gpu-compositing --channel="1740.0.816148788\1355740763" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.7.20033.133275 Modules
| |||||||||||||||
| 472 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-delegated-renderer --disable-desktop-notifications --disable-file-system --disable-shared-workers --disable-speech-input --disable-threaded-compositing --disable-webaudio --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.7.20033 Chrome/35.0.1916.138" --disable-accelerated-compositing --disable-accelerated-video-decode --enable-software-compositing --disable-gpu-compositing --channel="1740.1.1584375898\1655501671" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.7.20033.133275 Modules
| |||||||||||||||
Total events
33 579
Read events
32 450
Write events
0
Delete events
0
Modification events
Executable files
6
Suspicious files
634
Text files
262
Unknown types
123
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA60F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2732 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
| 2624 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | — | |
MD5:— | SHA256:— | |||
| 2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:556416F7C0BA4E2CDC8970710C2A70CF | SHA256:5562CDB84A1D0345AEF011ABB7676B1A8BAA678E02CA07E6130D0855F5C0A80F | |||
| 2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:E827D141C1F5702DBEB8AB4BE8264294 | SHA256:C4B0654F72A22DC52C31796E7DD1850B667ED6A485709060A5B571E1C3C80632 | |||
| 2624 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk | binary | |
MD5:3DA00FFBA5690F6AF13370F00CAE5A17 | SHA256:FD0449A09A4627216BFABE3DB5243B0DB1818F01ACD3E617AD075668D5D3D011 | |||
| 2624 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.log | binary | |
MD5:5E3C6B74D1FD73C5D74C3871945A55DB | SHA256:B6CB57DE1A5EBF078CFCD4EBC2630DB260D2F2A377D0AEA280B603DC0E8A8CF9 | |||
| 2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{618A5148-5995-4875-809A-2812E16BB9AF}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:4C61C12EDBC453D7AE184976E95258E1 | SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F | |||
| 2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_327410CC4A27D64FBD5D8A9661761A3B.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |||
| 2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_96463C522335D54BB296B2DC9C08181D.dat | xml | |
MD5:D8B37ED0410FB241C283F72B76987F18 | SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
55
TCP/UDP connections
108
DNS requests
174
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2732 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3016 | Opera.exe | GET | 200 | 172.217.16.131:80 | http://crl.pki.goog/gsr1/gsr1.crl | US | der | 1.70 Kb | whitelisted |
3040 | AcroRd32.exe | GET | 304 | 23.48.23.54:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278.zip | US | — | — | whitelisted |
3040 | AcroRd32.exe | GET | 304 | 23.48.23.54:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277.zip | US | — | — | whitelisted |
3016 | Opera.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEBp9LmS70lPuCr4VsgvV1T0%3D | US | der | 471 b | whitelisted |
3040 | AcroRd32.exe | GET | 304 | 23.48.23.54:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280.zip | US | — | — | whitelisted |
— | — | HEAD | 200 | 23.48.23.41:80 | http://ardownload.adobe.com/pub/adobe/reader/win/AcrobatDC/1502320070/AcroRdrDCUpd1502320070_MUI.msp | US | — | — | whitelisted |
3040 | AcroRd32.exe | GET | 304 | 23.48.23.54:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281.zip | US | — | — | whitelisted |
3016 | Opera.exe | GET | 200 | 172.217.16.131:80 | http://crl.pki.goog/gtsr1/gtsr1.crl | US | der | 760 b | whitelisted |
3016 | Opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 592 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3016 | Opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
2732 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
— | — | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3016 | Opera.exe | 142.250.186.100:443 | www.google.com | Google Inc. | US | whitelisted |
3016 | Opera.exe | 172.217.16.131:80 | crl.pki.goog | Google Inc. | US | whitelisted |
1740 | RdrCEF.exe | 34.199.101.34:443 | cloud.acrobat.com | Amazon.com, Inc. | US | suspicious |
3016 | Opera.exe | 142.250.185.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3040 | AcroRd32.exe | 23.48.23.54:80 | acroipm2.adobe.com | TRUE INTERNET Co.,Ltd. | US | suspicious |
3016 | Opera.exe | 93.184.220.29:80 | crl3.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
— | — | 23.48.23.41:80 | ardownload.adobe.com | TRUE INTERNET Co.,Ltd. | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.messenger.msn.com |
| whitelisted |
www.google.com |
| whitelisted |
certs.opera.com |
| whitelisted |
crl.pki.goog |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
crl3.digicert.com |
| whitelisted |
cloud.acrobat.com |
| whitelisted |
acroipm2.adobe.com |
| whitelisted |
armmf.adobe.com |
| whitelisted |
ardownload.adobe.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1952 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
1952 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
1 ETPRO signatures available at the full report
Process | Message |
|---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|