File name: Smart Webinar Invite.msg
Full analysis: https://app.any.run/tasks/7240dcd2-43c4-430d-b051-481853ec6916
Verdict: Malicious activity
Analysis date: January 17, 2020, 17:46:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 2091A05BF0783725120C091A99BAA126
SHA1: EB20D44B6C244F8FEDA97B7E0298BBEDC5A3054B
SHA256: CB5454203CC1D80A0AB276AD37CB7E5B66F84F686F8465CC2C5C9732F8C080AA
SSDEEP: 3072:vxypxOzwBblQlRH2vm21Gmd1HFrACm015lKNJMrACY7rPBl3:8/OzIfI7rr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office: OUTLOOK.EXE (PID: 2128)
  • SUSPICIOUS
    • Starts Internet Explorer: OUTLOOK.EXE (PID: 2128)
    • Reads Internet Cache Settings: OUTLOOK.EXE (PID: 2128)
    • Creates files in the user directory: OUTLOOK.EXE (PID: 2128)
  • INFO
    • Reads Internet Cache Settings: iexplore.exe (PID: 912), iexplore.exe (PID: 4012)
    • Creates files in the user directory: iexplore.exe (PID: 912), iexplore.exe (PID: 4012)
    • Changes internet zones settings: iexplore.exe (PID: 4012)
    • Reads Microsoft Office registry keys: OUTLOOK.EXE (PID: 2128)
    • Reads internet explorer settings: iexplore.exe (PID: 912)
    • Reads settings of System Certificates: iexplore.exe (PID: 4012)
    • Adds / modifies Windows certificates: iexplore.exe (PID: 4012)
    • Changes settings of System certificates: iexplore.exe (PID: 4012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process chain): start → outlook.exe → iexplore.exe → iexplore.exe

Process information

PID: 2128
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Smart Webinar Invite.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 4012
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fbit.ly%2F382mdou%3Felq_mid%3D2362%26sh%3D%26cmid%3D%26elqTrackId%3D4e0ad3fab578456fa3b8e7208dd56883%26elq%3D1c53c157df48441c95283c042c8afbcd%26elqaid%3D2362%26elqat%3D1%26elqCampaignId%3D&data=02%7C01%7Cfrank.gray%40indivior.com%7C4cb2c91637b440d2f02e08d79a7a0447%7Cbed52191489442999db948e4fb29646e%7C0%7C0%7C637147721180226416&sdata=8BrKbjgWkWXBkUvsNQ0fnIXnsuVbu8beM7qe6bINZgU%3D&reserved=0
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 912
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4012 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 2 004
Read events: 1 359
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 67
Unknown types: 27

Dropped files

PID | Process | Filename | Type
2128 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA8BE.tmp.cvr |
  MD5:
  SHA256:
4012 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico |
  MD5:
  SHA256:
4012 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico |
  MD5:
  SHA256:
2128 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: 585A86D9D478E824E7194FB44C296637
  SHA256: C2574B40401945F29F10701AB710DAB54C079D2877C37C589D44E72742B30A29
2128 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
  MD5: 47A5EF23E325F5EB1076A2C4518765BE
  SHA256: E1992DB5A715FAD7418C65BBD9980639E7628416F6E4D8A40C46987484342BBA
912 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat
  MD5: 1A187F878F989A87631BE9D24AA09DBF
  SHA256: 1D8D1A7A1D0F77E42BAE6755258663D890CB1AA192A3B43B5645BF5AAE63D13C
912 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ULZHK7AS\operational-success-for-oracle-customers-webinar[1].txt |
  MD5:
  SHA256:
912 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat
  MD5: 89E8DEF868CF6B84AC3773E5F09CC135
  SHA256: 75C74983F9A09BE729EE0EB7AD6F7D87F5DD6129FA7A30C57D2106CB01946C70
2128 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A55CDAA8-2316-442B-B430-A6F26E8F5195}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image
  MD5: 7D80C0A7E3849818695EAF4989186A3C
  SHA256: 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
912 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat
  MD5: B78F69F03BD3E3A2E8C63C2440AA9B41
  SHA256: 1FA76625A4BB8598D5F3D10B4010724DEDB81022B8C3962F7B00B50D7EFA0277
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 37
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2128 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
912 | iexplore.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/382mdou?elq_mid=2362&sh=&cmid=&elqTrackId=4e0ad3fab578456fa3b8e7208dd56883&elq=1c53c157df48441c95283c042c8afbcd&elqaid=2362&elqat=1&elqCampaignId= | US | html | 160 b | shared
4012 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4012 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
912 | iexplore.exe | 104.17.130.180:443 | info.rfsmart.com | Cloudflare Inc | US | shared
912 | iexplore.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared
912 | iexplore.exe | 104.47.48.28:443 | nam05.safelinks.protection.outlook.com | Microsoft Corporation | US | whitelisted
912 | iexplore.exe | 209.197.3.15:443 | maxcdn.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted
2128 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
912 | iexplore.exe | 104.17.242.204:443 | cdn2.hubspot.net | Cloudflare Inc | US | shared
912 | iexplore.exe | 23.38.53.224:443 | use.typekit.net | Akamai International B.V. | NL | whitelisted
912 | iexplore.exe | 147.75.33.229:443 | static.hotjar.com | Packet Host, Inc. | US | unknown
912 | iexplore.exe | 104.17.119.180:443 | designers.hubspot.com | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
nam05.safelinks.protection.outlook.com | 104.47.48.28 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
bit.ly | 67.199.248.10, 67.199.248.11 | shared
info.rfsmart.com | 104.17.130.180, 104.17.129.180, 104.17.128.180, 104.17.127.180, 104.17.131.180 | malicious
use.typekit.net | 23.38.53.224 | whitelisted
maxcdn.bootstrapcdn.com | 209.197.3.15 | whitelisted
cdn2.hubspot.net | 104.17.242.204, 104.17.244.204, 104.17.243.204, 104.17.240.204, 104.17.241.204 | whitelisted
p.typekit.net | 23.38.53.224 | shared
static.hotjar.com | 147.75.33.229, 147.75.32.105, 147.75.33.131, 147.75.84.39, 147.75.32.99, 147.75.102.135, 147.75.84.91, 147.75.102.231 | whitelisted

Threats

No threats detected
No debug info