File name: phish_alert_gcep_0.1.90-0.eml

Full analysis: https://app.any.run/tasks/f9933367-e592-4ff2-b329-4e1fe2d252a1
Verdict: Malicious activity
Analysis date: June 27, 2022, 07:25:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: SMTP mail, ASCII text, with very long lines, with CRLF line terminators
MD5: D57BD6840847EB32FA218718802DD8D6
SHA1: CF4119809099A1F8F210AAFC5BECFB51ACF46F5A
SHA256: C9DD8DBE91A2B8F90134D58349C7EEE838D89A848FBE544C931CC637A68DB100
SSDEEP: 384:R54/ZOX9AymZ876pwF5FIN0N2FjowbiyMTkj22U9zs6f4Lt8jTb:R5oOXiy97a0NKjowbVdj2Jf0Eb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the computer name

      • OUTLOOK.EXE (PID: 2492)
    • Checks supported languages

      • OUTLOOK.EXE (PID: 2492)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 2492)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2492)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2492)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2780)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2780)
      • iexplore.exe (PID: 2328)
    • Reads the computer name

      • iexplore.exe (PID: 2328)
      • iexplore.exe (PID: 2780)
    • Changes internet zones settings

      • iexplore.exe (PID: 2328)
    • Application launched itself

      • iexplore.exe (PID: 2328)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2328)
      • iexplore.exe (PID: 2780)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2780)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2780)
      • iexplore.exe (PID: 2328)
    • Creates files in the user directory

      • iexplore.exe (PID: 2328)
      • iexplore.exe (PID: 2780)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2328)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2328)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 7) (100)
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> outlook.exe -> iexplore.exe -> iexplore.exe

Process information

PID: 2492
CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_gcep_0.1.90-0.eml"
Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\program files\microsoft office\office14\outlook.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\version.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 2328
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/photo/?fbid=1062443231071878&set=g.1055452531206265
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\iertutil.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
  • c:\windows\system32\version.dll
  • c:\windows\system32\sechost.dll

PID: 2780
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2328 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\iertutil.dll
  • c:\windows\system32\version.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 17 819
Read events: 17 084
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 11
Text files: 68
Unknown types: 7

Dropped files

PID | Process | Filename | Type
2492 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR476B.tmp.cvr |
  MD5:
  SHA256:
2492 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst |
  MD5:
  SHA256:
2492 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: B321CE6F46B9E0F188D7EC178429ED3A
  SHA256: 0D4BF2B8BBDE06FA29FC7C6DB69A583D3ED4EE007EDD49147C3995E70C736692
2780 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\photo[1].htm | html
  MD5: 2FDAAA57E2CC656ED22EF8211A7B0803
  SHA256: 69E4654E56EC0D59112638B0DEC1B2AE52CA391C6261104EFF37C75C6E235D0A
2780 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB | der
  MD5: 6D676CF8CC0E0E8C814461805E761CCA
  SHA256: EFDFEA3D85CEA32051FDE431C7C5CAD519C0FD4803ECB466BD6282ADA744381F
2328 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary
  MD5: F828053404D9D38B9FB525996562F990
  SHA256: A36CAD36DC334EEA4FB2CD57700EE400EE78B7B5E212870D4AEEC798106297EE
2492 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_4491A36C3AF23045A61E0EB4A9028B5C.dat | xml
  MD5: 57F30B1BCA811C2FCB81F4C13F6A927B
  SHA256: 612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3
2780 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_F6AEED575576AAB1C000564B4EAAB5C7 | der
  MD5: F8E35BD685C0A1A70D9F970633E71325
  SHA256: BB94BD7D98D4D1EFC83A4EB1958B1308ABDB66A1839DD157732E6EEDB356C7C8
2492 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
  MD5: E3491555A4CB3B42E7C2A7DB79205AAD
  SHA256: 0665F4E2DD8D15874C0E92B6FB00E11107782F604EC17AC42E8150EE758CF0F9
2780 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB | binary
  MD5: 917D240665C68B9E95D31F3F2343AE38
  SHA256: EE7B2E58933A32BBEF75FD14F18119411E167A74BFD29DBA12CEB943365D8000
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 42
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2492 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
2328 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
2780 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted
2780 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEASPosIu%2FtdLiD6lffGYfhc%3D | US | der | 471 b | whitelisted
2780 | iexplore.exe | GET | 200 | 67.26.137.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b1f94239ca983852 | US | compressed | 4.70 Kb | whitelisted
2780 | iexplore.exe | GET | 200 | 67.26.137.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bdc8767eb3ecc5e8 | US | compressed | 4.70 Kb | whitelisted
2780 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAjrhrQ1V0klR24V03mvDoM%3D | US | der | 471 b | whitelisted
2328 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
2328 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2780 | iexplore.exe | 31.13.92.36:443 | www.facebook.com | Facebook, Inc. | IE | whitelisted
2780 | iexplore.exe | 67.26.137.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | malicious
2492 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
2780 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2328 | iexplore.exe | 13.107.22.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2780 | iexplore.exe | 157.240.236.35:443 | m.facebook.com | | US | malicious
2328 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2780 | iexplore.exe | 185.60.216.35:443 | facebook.com | Facebook, Inc. | IE | whitelisted
2328 | iexplore.exe | 31.13.92.14:443 | static.xx.fbcdn.net | Facebook, Inc. | IE | whitelisted
2328 | iexplore.exe | 204.79.197.200:443 | ieonline.microsoft.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
www.facebook.com | 31.13.92.36 | whitelisted
ctldl.windowsupdate.com | 67.26.137.254, 67.27.159.126, 67.27.158.126, 8.248.119.254, 67.27.158.254 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
m.facebook.com | 157.240.236.35 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 13.107.22.200, 131.253.33.200 | whitelisted
static.xx.fbcdn.net | 31.13.92.14 | whitelisted
facebook.com | 185.60.216.35 | whitelisted
fbcdn.net | 31.13.92.36 | whitelisted

Threats

No threats detected
No debug info