analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | RV Actualiza tus detalles de pago ahora Cuenta suspendida.msg |
| Full analysis: | https://app.any.run/tasks/15698165-6701-454d-8b10-28f2e47f8953 |
| Verdict: | Malicious activity |
| Analysis date: | August 13, 2019, 19:47:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/vnd.ms-outlook |
| File info: | CDFV2 Microsoft Outlook Message |
| MD5: | 31B889D85C49BF4B8DF85713014C8B00 |
| SHA1: | 8830F3752CED07543B56CDB2DD8ED8045301F737 |
| SHA256: | D0A9A82291186BC23E53218CC624B93B51F3F83CE1F616C7B61C797C4C5E570B |
| SSDEEP: | 1536:Zo1ZtZ+ZjaKNBcy/bWwrhgMcIrS10jkus+c+Za:Z1cyDWLIrSCK |
MALICIOUS
No malicious indicators.SUSPICIOUS
Creates files in the user directory
- OUTLOOK.EXE (PID: 3128)
Reads Internet Cache Settings
- OUTLOOK.EXE (PID: 3128)
INFO
Manual execution by user
- firefox.exe (PID: 2296)
Application launched itself
- firefox.exe (PID: 2296)
- firefox.exe (PID: 3816)
Reads CPU info
- firefox.exe (PID: 3816)
Writes to a desktop.ini file (may be used to cloak folders)
- firefox.exe (PID: 2136)
Reads Microsoft Office registry keys
- OUTLOOK.EXE (PID: 3128)
Creates files in the user directory
- firefox.exe (PID: 3816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msg | | | Outlook Message (58.9) |
|---|---|---|
| .oft | | | Outlook Form Template (34.4) |
Total processes
43
Monitored processes
7
Malicious processes
0
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3128 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\RV Actualiza tus detalles de pago ahora Cuenta suspendida.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
| 2296 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 68.0.1 | ||||
| 3816 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 68.0.1 | ||||
| 3560 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3816.0.843080309\1379924399" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3816 "\\.\pipe\gecko-crash-server-pipe.3816" 1176 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 68.0.1 | ||||
| 2136 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3816.3.1398158660\1748853950" -childID 1 -isForBrowser -prefsHandle 1680 -prefMapHandle 1676 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3816 "\\.\pipe\gecko-crash-server-pipe.3816" 1700 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 68.0.1 | ||||
| 3468 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3816.13.2108678596\1706515736" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 2816 -prefsLen 5996 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3816 "\\.\pipe\gecko-crash-server-pipe.3816" 2828 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 68.0.1 | ||||
| 284 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3816.20.767265626\200265498" -childID 3 -isForBrowser -prefsHandle 3700 -prefMapHandle 3704 -prefsLen 7129 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3816 "\\.\pipe\gecko-crash-server-pipe.3816" 3720 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 68.0.1 | ||||
Total events
2 037
Read events
1 619
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
76
Text files
64
Unknown types
60
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3128 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR9E96.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3816 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
| 3816 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
| 3816 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
| 3816 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | — | |
MD5:— | SHA256:— | |||
| 3128 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:FEEDE2D9C07CD77BA733FAC510386FEF | SHA256:D4FFCFFAF74A29057DA98C7B37359914A70E447A19F965CB16BFFC2A64CCF5E6 | |||
| 3128 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_D93DC485786B59489D1C18E485E8DF5D.dat | xml | |
MD5:BBCF400BD7AE536EB03054021D6A6398 | SHA256:383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD | |||
| 3816 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | |
MD5:354459382F30B8994109C88659DFA1F3 | SHA256:E3E8E2B7E7EECA231620D83C70FA5A926E8B9CE74C51F595F71191DC0B50527E | |||
| 3816 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | |
MD5:DE9496ACA551ADE408EF6466A11833A1 | SHA256:8F9C7FDB3E0BC01024E43A8E242468FC4DD4F74C725E32A883571635203DC10A | |||
| 3128 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:48DD6CAE43CE26B992C35799FCD76898 | SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
62
DNS requests
82
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3816 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3816 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3816 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3816 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3816 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3816 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3816 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3816 | firefox.exe | GET | 200 | 2.16.106.209:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
3816 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3816 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3128 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3816 | firefox.exe | 52.88.112.58:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3816 | firefox.exe | 2.16.106.209:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
3816 | firefox.exe | 99.86.1.62:443 | snippets.cdn.mozilla.net | AT&T Services, Inc. | US | unknown |
3816 | firefox.exe | 52.27.126.151:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3816 | firefox.exe | 52.34.44.105:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3816 | firefox.exe | 216.58.205.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3816 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3816 | firefox.exe | 54.230.95.96:443 | content-signature-2.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
3816 | firefox.exe | 13.35.253.101:443 | firefox.settings.services.mozilla.com | — | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.messenger.msn.com |
| whitelisted |
detectportal.firefox.com |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
push.services.mozilla.com |
| whitelisted |
autopush.prod.mozaws.net |
| whitelisted |
snippets.cdn.mozilla.net |
| whitelisted |
drcwo519tnci7.cloudfront.net |
| shared |
tiles.services.mozilla.com |
| whitelisted |