analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

phish_alert_sp2_2.0.0.0.msg

Full analysis: https://app.any.run/tasks/d44aed0b-9419-4765-89e5-408de492210e
Verdict: Malicious activity
Analysis date: October 05, 2022, 00:18:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

FFF1A93B405170E7A1F8DD7DE8C56318

SHA1:

7FD159E8EBE90D21C87DAC6EA96EFA0B8A187A95

SHA256:

DC78F12FF892567EA7F5FB2C62D38F42C73BD78ADB8AE23C66CB0873A46E578D

SSDEEP:

6144:XrDYKFE6P/KlSwe1BBuCpFDk/mht1g+OQ9MKtL4TGDUHfEE562d21ko:gKFE6P/KlSwe1BBuCpFWWng+ONKn1x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 968)

  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 968)

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3340)
      • iexplore.exe (PID: 1576)

  • INFO

    • Checks supported languages

      • OUTLOOK.EXE (PID: 968)
      • iexplore.exe (PID: 3388)
      • iexplore.exe (PID: 3340)
      • iexplore.exe (PID: 1576)

    • Reads the computer name

      • OUTLOOK.EXE (PID: 968)
      • iexplore.exe (PID: 3388)
      • iexplore.exe (PID: 3340)
      • iexplore.exe (PID: 1576)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 968)
      • iexplore.exe (PID: 3340)
      • iexplore.exe (PID: 3388)

    • Searches for installed software

      • OUTLOOK.EXE (PID: 968)

    • Changes internet zones settings

      • iexplore.exe (PID: 3388)

    • Application launched itself

      • iexplore.exe (PID: 3388)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3340)
      • iexplore.exe (PID: 1576)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3340)
      • iexplore.exe (PID: 3388)
      • iexplore.exe (PID: 1576)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3340)
      • iexplore.exe (PID: 3388)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3340)
      • iexplore.exe (PID: 3388)
      • iexplore.exe (PID: 1576)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 968)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3388)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
968"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3388"C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/LearnAboutSenderIdentificationC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3340"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3388 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
1576"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3388 CREDAT:791823 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
Total events
31 308
Read events
30 532
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
19
Text files
103
Unknown types
16

Dropped files

PID
Process
Filename
Type
968OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRB093.tmp.cvr
MD5:
SHA256:
968OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
968OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:828B59948A20FC87F48BA4B200A67766
SHA256:AEB2C59BA33E5E91BDE0FD549D8414836CD6EE6405750B1F32617598CFD6369D
3340iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:34F41FBB1BD2AAD387AA319FD0418233
SHA256:317F52DC8A24E18DCB02F647DE1D5C9BD923F079FCF58EE020F2B9AA5C119219
3340iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53binary
MD5:7A3F9922D851B90ABC669AB3E40A6414
SHA256:8A5326A8A77B14924DBC6DCEDC2D08EBCAB857D9C1728D2578DD97530D50E9C0
968OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_69916B1317A90744AF5276B3D43BE51B.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
3340iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:E43DC8B37CB63C555B8DB715C181CFAB
SHA256:142364630BEBCFC6FB85EAA5E5AE1957AAC303FC1F4A4689BF1F68587BEF39D9
3340iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\451025123A22EB28E59EC89C0BD4D0AC_9B7EC2A7658032C5E257DD7F9C9949C5binary
MD5:90C88A7B594A7CB7BE0E1C8C3D38E0AD
SHA256:799B1067CFA1F58BA06C8600C7D9AD2167931C258BAF6E6231A291675133D102
968OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:A2502889B7BF9E6D7DC325811C471F70
SHA256:AD78ED3A1CD6AE6167139C02AC3EF6046A40C65A3D68E5CE5052FC9D65825F50
3340iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\O61HLJBA.txttext
MD5:1BC7A73D5BC9023BF9007C7714793006
SHA256:2F0467960FD506E4AA81D53665F6D969792E687D29BFC14DBAB5CB940D0D001A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
92
DNS requests
51
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
968
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3340
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3340
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D
US
der
471 b
whitelisted
3340
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e5ef9ecb88a87d91
US
compressed
4.70 Kb
whitelisted
3340
iexplore.exe
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRyOb3oPpcJ3XHZgxJCfx%2BuZbC%2FbAQUx7KcfxzjuFrv6WgaqF2UwSZSamgCEzMARi7CtsRpCUgtl%2BYAAABGLsI%3D
US
der
1.74 Kb
whitelisted
3340
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3340
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
US
der
471 b
whitelisted
3340
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D
US
der
471 b
whitelisted
3340
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA9bw6F2y3ieICDHiTyBZ7Q%3D
US
der
1.47 Kb
whitelisted
3340
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
968
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3340
iexplore.exe
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3340
iexplore.exe
23.210.252.208:443
support.microsoft.com
AKAMAI-AS
DE
malicious
3340
iexplore.exe
2.16.106.96:443
statics-marketingsites-neu-ms-com.akamaized.net
Akamai International B.V.
DE
whitelisted
3340
iexplore.exe
95.100.210.141:443
www.microsoft.com
AKAMAI-AS
DE
suspicious
3340
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
3340
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
3340
iexplore.exe
2.22.197.32:443
aka.ms
AKAMAI-AS
FR
unknown
3340
iexplore.exe
184.30.213.247:443
support.content.office.net
AKAMAI-AS
DE
suspicious
3340
iexplore.exe
13.107.246.61:443
js.monitor.azure.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
aka.ms
  • 2.22.197.32
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
support.microsoft.com
  • 23.210.252.208
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
www.microsoft.com
  • 95.100.210.141
whitelisted
statics-marketingsites-neu-ms-com.akamaized.net
  • 2.16.106.96
  • 2.16.106.74
whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net
  • 2.16.106.105
  • 2.16.106.107
whitelisted
support.content.office.net
  • 184.30.213.247
whitelisted

Threats

PID
Process
Class
Message
3340
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3340
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
phish_alert_sp2_2.0.0.0.msg