analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

phish_alert_sp2_2.0.0.0.eml

Full analysis: https://app.any.run/tasks/a7e23293-c8cd-41c1-9c77-cb25effd258b
Verdict: Malicious activity
Analysis date: June 27, 2022, 12:23:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

F6F5098584DE754CB5BDD5698D0BEC89

SHA1:

9DC2A37E5FB1C6BD670486CE9A2CD27EB659A670

SHA256:

C955CBC8CDC2BAA588AA847A35D3BB0D613F4B12804CE8229D30490D5C432ABC

SSDEEP:

96:lE7o3S+ACRUz7Do/k9OrHG+u7otebALEyjML+tDWtiYIPYIAP+uTrszkwceZ+F9B:tkReaIj4t7xHKPzmXabyPP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks supported languages

      • OUTLOOK.EXE (PID: 2928)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 2928)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2928)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 2928)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2928)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3156)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 3844)
      • iexplore.exe (PID: 3156)
    • Checks supported languages

      • iexplore.exe (PID: 3156)
      • iexplore.exe (PID: 3844)
    • Application launched itself

      • iexplore.exe (PID: 3844)
    • Changes internet zones settings

      • iexplore.exe (PID: 3844)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3844)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3156)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3844)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2928"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3844"C:\Program Files\Internet Explorer\iexplore.exe" http://xq.g0ivq.laag.com.mx./#.aHR0cHM6Ly9zdG9yYWdlYXBpLmZsZWVrLmNvL2U3ZjBkNWI2LTVkYTItNDI0Ny05OTY4LTE1NmFiM2RiYWUwNy1idWNrZXQvc2F2ZWQuaHRtbCNzYXJhaC5tZW5kb25jYUBwYXR0ZXJzb25kZW50YWwuY29tC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3156"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3844 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
10 790
Read events
9 711
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
13
Unknown types
2

Dropped files

PID
Process
Filename
Type
2928OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRD41F.tmp.cvr
MD5:
SHA256:
2928OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
2928OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:CBE6EBFF0079CD380E90FB92D6008767
SHA256:F5C8619F90D0405865B66CC624DD8339B44946DF102B186BB250EC3E1DED6F64
3844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:C00F21F4AAF14438CEBC5ADD235E02FD
SHA256:A50B0A88E498CA85C31C97CD9758F3105E27E8B12A048534476A1CC17B3CB7BD
3844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:9C0DCAFC76918B9362D5696B859E3396
SHA256:EEC5E5D9BFB829B950149FB67A352B73C9F929E30CEED7E0D2F81DA8587ECF30
2928OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_C4FCD2D21C1DE6479EE86DF9E0FE4357.datxml
MD5:BBCF400BD7AE536EB03054021D6A6398
SHA256:383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD
3844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:28CC3D4B0DA8A29A9DCD6D4755C84342
SHA256:A4CA2DD1D4545838F7A9102623442BC76BDEB2185E9991A294BCB0B6456DDA0E
2928OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_06255ABED5A961428D43FDEA162334C8.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
2928OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:7BBA783C7F8F4066179D48F39EA35AFA
SHA256:1BC6AB41EB4F18E090D542D3E238ABF980186686A963F767A00B504AA693FC9E
2928OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{C9557E5C-D292-4FC2-9314-0CD74388720F}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3844
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?511b9e0cd409ed12
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3844
iexplore.exe
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
3844
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3844
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2928
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
xq.g0ivq.laag.com.mx
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info