analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

FW_ americold_com.msg

Full analysis: https://app.any.run/tasks/9b7e9457-6806-4563-bcb5-fc35af554be6
Verdict: Malicious activity
Analysis date: June 27, 2022, 13:10:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

3C62C8E1549064B6C5D6CF08BC036785

SHA1:

14553FF1249CE8D3124DAA1D466CC25359B504FD

SHA256:

D842FC0C07FB5042969368B356D0CD701BB173B33B3B782A0A3DACD361B71D2A

SSDEEP:

3072:p1E1xWNyK8rqx2qxgGZcDbvrQIff1Ro0devC/2Cnk:khqx2qxm7rQIl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2908)
  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2908)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 328)
  • INFO

    • Checks supported languages

      • OUTLOOK.EXE (PID: 2908)
      • iexplore.exe (PID: 1040)
      • iexplore.exe (PID: 328)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 2908)
      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 1040)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2908)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 2908)
    • Application launched itself

      • iexplore.exe (PID: 1040)
    • Changes internet zones settings

      • iexplore.exe (PID: 1040)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 1040)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 1040)
    • Reads internet explorer settings

      • iexplore.exe (PID: 328)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2908"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW_ americold_com.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1040"C:\Program Files\Internet Explorer\iexplore.exe" https://urldefense.com/v3/__https:/Americold.painfulwisdom.com/full.ca.che/mic*20(1)/mic*20(1)/mic/?e=Y2FybWVsLnJpenpvQGFtZXJpY29sZC5jb20=__;JSU!!OUOrReMY6FVk!eC9mTUxFZBWwO6Co1m66cF3smQFXZN-0R0VYeLLhtEgoicpM0Z_nLJMrI8GDPHHTaq1SaeJ6lAZhuTdLgPxGJXiAFQ$C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
328"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1040 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
14 276
Read events
13 198
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
8
Text files
19
Unknown types
6

Dropped files

PID
Process
Filename
Type
2908OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRD354.tmp.cvr
MD5:
SHA256:
2908OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
2908OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:125E55A3753DFDB1B1E1BF0B1DC1AFB2
SHA256:BC074F9D97B2F123DE604486A2BCB6FFDDA161ADAB99E6D4EAB529EA05B6E0CF
2908OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:E4EA5799B53AAFB6FECB5D6B996DD69B
SHA256:663BB26E4F47E46E0F834F773E6C29365C0CAF699A469B24DD3202E5A1868642
328iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:9112BBA06F4B42FE2275BFAC574EB444
SHA256:AB1D0B97FE126DF4D242395876A7A289A948DBB2E0BA5C7E4D19016844DBBAC2
328iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833Bbinary
MD5:682A150CFB0E07D1669165250A74479F
SHA256:34C5D6A6B2FB800BF6218E903D401F09B71B16C5CBE0A1C1C2250341AFE7BB82
2908OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_899580EB89DBE149983F476E3F030A10.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
328iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711Eder
MD5:F9F4B75EBF256C8CD508AC88A65AB59E
SHA256:C4141E809B54AE28605701E1EEF282FCC5AF6A6C64EECFB98024E50CFC42CDCF
2908OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2FFDDD8.datimage
MD5:ADD0DE96FF29DFE49C7534939D33E92A
SHA256:288E5A05F0917861BAEF677119334B2F02A60C27A7D14D6DA6939870DF8FD8B5
328iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711Ebinary
MD5:1119697B5B0FD36E98C1A87BA5589482
SHA256:961666B8EEC2D9464F6AAEFD88332A3EFEC40E725FE457446BC113868E134CBD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
18
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
328
iexplore.exe
GET
200
172.64.155.188:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
US
der
471 b
whitelisted
328
iexplore.exe
GET
200
104.18.32.68:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCEBBsbMdZKid6hcZfT6LpnsI%3D
US
der
471 b
whitelisted
328
iexplore.exe
GET
200
104.18.32.68:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D
US
der
727 b
whitelisted
1040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
328
iexplore.exe
GET
200
95.140.236.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5ed065676fdc1fe0
GB
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
328
iexplore.exe
104.18.32.68:80
ocsp.comodoca.com
Cloudflare Inc
US
suspicious
2908
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
328
iexplore.exe
172.64.155.188:80
ocsp.comodoca.com
US
suspicious
328
iexplore.exe
95.140.236.0:80
ctldl.windowsupdate.com
Limelight Networks, Inc.
GB
whitelisted
328
iexplore.exe
52.71.28.102:443
urldefense.com
Amazon.com, Inc.
US
suspicious
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1040
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1040
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1040
iexplore.exe
13.107.22.200:443
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
urldefense.com
  • 52.6.56.188
  • 52.204.90.22
  • 52.71.28.102
shared
ctldl.windowsupdate.com
  • 95.140.236.0
whitelisted
ocsp.comodoca.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted
ocsp.usertrust.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ocsp.sectigo.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info