File name: phish_alert_sp2_2.0.0.0.eml

Full analysis: https://app.any.run/tasks/0f8482b6-e2b9-4cf7-9747-a6bfe0a88d7d
Verdict: Malicious activity
Analysis date: January 24, 2022, 17:18:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5: A66B59C95D25D78C5BBED0FDCA31036B
SHA1: E49638AB75AA3215B43A5ACF40381284F25A8081
SHA256: CD12D354E5F998B96929E323CCB4C30EA3EF8361D7BC67FF6585F7C727C2AC3E
SSDEEP: 384:U8CUcxL8RUOT60eYoRoT/pj/xHfonoR2bkCRVqx2dI2dMYZaH2pCRaWN1dYn:JCeN6Wt2a2R0Yn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks supported languages

      • OUTLOOK.EXE (PID: 3904)
      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 2836)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 3904)
      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 2836)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3904)
      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 2836)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 3904)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3904)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3456)
      • iexplore.exe (PID: 3504)
    • Executed via COM

      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 2836)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 3436)
      • iexplore.exe (PID: 3456)
      • iexplore.exe (PID: 3504)
    • Reads the computer name

      • iexplore.exe (PID: 3436)
      • iexplore.exe (PID: 3456)
      • iexplore.exe (PID: 3504)
    • Changes internet zones settings

      • iexplore.exe (PID: 3436)
    • Application launched itself

      • iexplore.exe (PID: 3436)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3456)
      • iexplore.exe (PID: 3436)
      • iexplore.exe (PID: 3504)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3436)
      • iexplore.exe (PID: 3504)
      • iexplore.exe (PID: 3456)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3456)
      • iexplore.exe (PID: 3504)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3904)
    • Reads CPU info

      • iexplore.exe (PID: 3456)
      • iexplore.exe (PID: 3504)
    • Creates files in the user directory

      • iexplore.exe (PID: 3504)
      • iexplore.exe (PID: 3456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes in the graph: start, outlook.exe, iexplore.exe, iexplore.exe, iexplore.exe, flashutil32_32_0_0_453_activex.exe (no specs)

Process information

PID: 3904
CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml"
Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3436
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmail.cascade.app%2Fe3t%2FBtc%2FZS%2B113%2FcBYBv04%2FMW0DXL94CTNVf5T9L1CdTkDW5DT7xy4DJc2bN3V8l9h3q3nJV1-WJV7CgBrTW5Dd0Ty8fGz3gN3JsyM2yT7mZN96Whbdhjv7NW6cLG6R4cRnS9W6Sqpvh75j7MWW2r9-VK87Qn5_W79mgGh627H4hVrCcSL3K79z0W5WdK396Q5Z-KW8sxs0m4vcncXW32gCtY5JP42xTf5bC36PDfCW7Dvd9b4RTtTXN88N9fwFQ9ZrW2nx_FD76Dh0RW1Z-fq51rfn1NW6n1qZC7z2pvzW1clTJP3shGbhW6PPVZl2sy0kpN2bg0MYyCLGLN6sztWzQ5zkbW6KSCTT6MHlzvW3PxqWR78scbQVqrWtB28nBkc3khs1&data=04%7C01%7Cleslie.rott%40phl.org%7C803ccc67c4074f5ba7f108d9df3bd98d%7C2182f890679042acab9758afd4eb2b6d%7C0%7C0%7C637786270429461941%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=kjFnDxYHco8OJg0%2FNgRWv4W8PjA0yIMzjVXqUEFoJpM%3D&reserved=0
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 3456
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3436 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 3504
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3436 CREDAT:202003 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
PID: 2836
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exe
Parent process: svchost.exe
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 32.0 r0
Version:
32,0,0,453
Modules
Images
c:\windows\system32\macromed\flash\flashutil32_32_0_0_453_activex.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
Total events: 51 025
Read events: 49 836
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 60
Text files: 271
Unknown types: 73

Dropped files

PID | Process | Filename | Type
3904 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE581.tmp.cvr | -
  MD5: -  SHA256: -
3904 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | -
  MD5: -  SHA256: -
3904 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
  MD5: EFEC4FF812E0AC3B4953F96D01FC7475  SHA256: 1DE81F6303BDCCE1FC25191BC86FAE9AABBB35AB5ED18A7C4F65D47A87E5309A
3904 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: 0825F2E8B09633937F2139DECCBB546C  SHA256: 939E7A80CFC5CF66EB8D620448C3CB9975E6FC93B28EA8AD829129402CFF4DD8
3456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der
  MD5: 494A7483CEAF488A79CB45418E88ECCD  SHA256: 9A65904F97742B3D8844EFAFCE7D9E9DA7C1B96A8FDE541E718768AE68293D50
3904 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_0074ED7F273F62439988DDF77A9BD760.dat | xml
  MD5: EEAA832C12F20DE6AAAA9C7B77626E72  SHA256: C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
3456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | der
  MD5: DAC4619E319FD2C836D2FCEB1542D665  SHA256: B715BCE5A46505ECF3DF445B5427EBFCD74279271DA1F019C2CAC521D56B8EA3
3904 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_900B09412C69204E810729D082D11276.dat | xml
  MD5: 57F30B1BCA811C2FCB81F4C13F6A927B  SHA256: 612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3
3456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 1A313AB055DE56D639A0046B9FBDE0C1  SHA256: 96FFE97E9A7566A408FF4BAAB98C37BF0B6B673FC05C0D1B33ED4FD35473F9A0
3456 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\7HO9X1MF.htm | html
  MD5: B4328A295921878997F910E1A25FD52F  SHA256: C6F66A6C7448C4EEF8FA6DBBF0812A262C639CC45ED63E5FC5915DDBE42944D6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 65
TCP/UDP connections: 393
DNS requests: 93
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3456 | iexplore.exe | GET | - | 143.204.101.124:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | - | - | shared
3436 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
3904 | OUTLOOK.EXE | GET | - | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | - | - | whitelisted
3456 | iexplore.exe | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHophRq39F1meVBmQbb%2F1x0%3D | US | der | 1.40 Kb | whitelisted
3456 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted
3504 | iexplore.exe | GET | 200 | 142.250.184.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted
3456 | iexplore.exe | GET | 200 | 142.250.184.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted
3456 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
3504 | iexplore.exe | GET | 200 | 143.204.101.74:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAcU6FXlzkyB0IyouWSBENc%3D | US | der | 471 b | whitelisted
3456 | iexplore.exe | GET | 200 | 23.32.238.201:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?677e3690ae312f31 | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3904 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
3456 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3436 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3436 | iexplore.exe | 23.32.238.201:80 | ctldl.windowsupdate.com | XO Communications | US | suspicious
3456 | iexplore.exe | 23.32.238.201:80 | ctldl.windowsupdate.com | XO Communications | US | suspicious
3504 | iexplore.exe | 104.47.64.28:443 | gcc02.safelinks.protection.outlook.com | Microsoft Corporation | US | suspicious
3456 | iexplore.exe | 104.47.64.28:443 | gcc02.safelinks.protection.outlook.com | Microsoft Corporation | US | suspicious
3456 | iexplore.exe | 199.60.103.29:443 | mail.cascade.app | - | CA | suspicious
3456 | iexplore.exe | 151.101.2.110:443 | fast.wistia.com | Fastly | US | suspicious
3456 | iexplore.exe | 104.18.21.226:80 | ocsp2.globalsign.com | Cloudflare Inc | US | shared

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
gcc02.safelinks.protection.outlook.com
  • 104.47.64.28
  • 104.47.65.28
whitelisted
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ctldl.windowsupdate.com
  • 23.32.238.201
  • 23.32.238.178
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
mail.cascade.app
  • 199.60.103.29
  • 199.60.103.227
suspicious
www.cascade.app
  • 199.60.103.29
  • 199.60.103.227
suspicious
sdk.customfit.ai
  • 143.204.98.31
  • 143.204.98.47
  • 143.204.98.62
  • 143.204.98.126
malicious
cdn2.hubspot.net
  • 104.17.244.204
  • 104.17.242.204
  • 104.17.241.204
  • 104.17.243.204
  • 104.17.240.204
whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD
No debug info