File name: phish_alert_iocp_v1.4.85 (2).eml
Full analysis: https://app.any.run/tasks/ead3d657-7d99-4dcb-a16c-4d1fccc0fcce
Verdict: Malicious activity
Analysis date: January 14, 2022, 23:10:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5: 0CAB4514D5F13A54E7923521FDD834B9
SHA1: 5C462D1FA4566EDC323BDF40A8C0F548DFA34C98
SHA256: DCEE44F20E1166960A8F60F6FDF0B0BACB2822D299D2E33011CF3895F18FFB16
SSDEEP: 192:/dMLUM9aLq+MkeSfx4SCRSCo4gtv05VmTbqphwTm5Bdll4RKVRHv+NdVNtth/HlB:+UMMLIqxDmV0qxlCKjedRthfljd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks supported languages

      • OUTLOOK.EXE (PID: 1704)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 1704)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 1704)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 1704)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1704)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3064)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2676)
      • iexplore.exe (PID: 3064)
    • Reads the computer name

      • iexplore.exe (PID: 2676)
      • iexplore.exe (PID: 3064)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3064)
      • iexplore.exe (PID: 2676)
    • Application launched itself

      • iexplore.exe (PID: 2676)
    • Changes internet zones settings

      • iexplore.exe (PID: 2676)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3064)
      • iexplore.exe (PID: 2676)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3064)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1704)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> outlook.exe -> iexplore.exe -> iexplore.exe

Process information

PID: 1704
CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_iocp_v1.4.85 (2).eml"
Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\program files\microsoft office\office14\outlook.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\version.dll
  c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\usp10.dll

PID: 2676
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://protect-us.mimecast.com/s/kpNfCQWB2yfBo8gYTxoOpb?domain=slovenska-posta.sytes.net
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 3064
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2676 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 16 474
Read events: 15 764
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 9
Text files: 25
Unknown types: 8

Dropped files

PID 1704 | OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRE571.tmp.cvr
MD5:
SHA256:

PID 1704 | OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:

PID 3064 | iexplore.exe | Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
MD5: 51C61E62F7DF67812394C84FAC264ACC
SHA256: D9ECC56DE96E8338BEE8683C58D20A6588EA8FD2090A0E9C0FE0A6249F34BECF

PID 3064 | iexplore.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2543B5AF7D46D42E6CEED21F85143F6A_741EF372FB528509D3ADCB1393C06EDF
MD5: 2ED1BEFD7D5BC12477D363D6F019F90D
SHA256: 1831E52E16B4DA3FE13E833A1F10FEF5DD151213F6C2FD378B2137F3A619DD58

PID 1704 | OUTLOOK.EXE | Type: pgc
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
MD5: 386D4EDE82EF6174A95678F00154767C
SHA256: B884E0CFB9C7C38BF839AFB4A88A02FE00CDFDB4160050EC156FDAD7D23A770E

PID 3064 | iexplore.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5: B9CFF64E2DAB21047C4F218855A761EA
SHA256: 496A56223973DB9684F4C329960974118046C9A3B4EBFF381568C2EAF50F8871

PID 1704 | OUTLOOK.EXE | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
MD5: F8D07BC1B6D790D88DF5D0F4C1943AA7
SHA256: 0FDD7B1EF9D848AB0C1A86AF7AD0FE3D504167A1B1F32BC3B207F4B10DF6015C

PID 2676 | iexplore.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5: 1B53F5731B1F827B3D8E3F739270F011
SHA256: 236CD62580CBEFF20D6A0F8122BFFD0F753BBB63A20AB66DEFAE224185B4D5A4

PID 2676 | iexplore.exe | Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5: AC68ACF50745357D4EA92B214D9E7132
SHA256: AE3F7FDE380D2D90571A61378E52B1BC284B4C4C6A1E099F6F022395EBED6154

PID 3064 | iexplore.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
MD5: FC21C2C10F58671C0C7F1ED3DC120D99
SHA256: DBD20CD3E9D62699C82C8D33B6DA0AA4126614FBE46F820E29249A8103F2518E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 27
DNS requests: 12
Threats: 0

HTTP requests

PID 1704 | OUTLOOK.EXE | GET | 64.4.26.155:80 | CN: US | Reputation: whitelisted
URL: http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig

PID 3064 | iexplore.exe | GET | HTTP 200 | 93.184.220.29:80 | CN: US | Type: der | Size: 471 b | Reputation: whitelisted
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAj8EtmP3tUuyPE3Fv2fV60%3D

PID 2676 | iexplore.exe | GET | HTTP 200 | 93.184.220.29:80 | CN: US | Type: der | Size: 1.47 Kb | Reputation: whitelisted
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D

PID 2676 | iexplore.exe | GET | HTTP 200 | 93.184.220.29:80 | CN: US | Type: der | Size: 471 b | Reputation: whitelisted
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D

PID 3064 | iexplore.exe | GET | HTTP 200 | 93.184.220.29:80 | CN: US | Type: der | Size: 471 b | Reputation: whitelisted
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAo1CNVcKSsBffitZcAP9%2BQ%3D

PID 3064 | iexplore.exe | GET | HTTP 200 | 2.16.106.186:80 | CN: unknown | Type: compressed | Size: 4.70 Kb | Reputation: whitelisted
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c1aa275d9c0f58ce

Connections

PID 2676 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US | Reputation: whitelisted
PID 3064 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US | Reputation: whitelisted
PID 3064 | iexplore.exe | 207.211.31.110:443 | security-us.mimecast.com | ASN: Navisite, Inc. | CN: US | Reputation: unknown
PID 1704 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | ASN: Microsoft Corporation | CN: US | Reputation: whitelisted
PID 3064 | iexplore.exe | 2.16.106.186:80 | ctldl.windowsupdate.com | ASN: Akamai International B.V. | Reputation: whitelisted
PID 3064 | iexplore.exe | 205.139.111.117:443 | protect-us.mimecast.com | ASN: -Reserved AS-, ZZ | CN: US | Reputation: suspicious
PID 2676 | iexplore.exe | 13.107.21.200:443 | www.bing.com | ASN: Microsoft Corporation | CN: US | Reputation: whitelisted
PID 2676 | iexplore.exe | 207.211.31.110:443 | security-us.mimecast.com | ASN: Navisite, Inc. | CN: US | Reputation: unknown
PID 2676 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US | Reputation: whitelisted
PID 3064 | iexplore.exe | 207.211.31.119:443 | security-us.mimecast.com | ASN: Navisite, Inc. | CN: US | Reputation: unknown

DNS requests

config.messenger.msn.com -> 64.4.26.155 (whitelisted)
protect-us.mimecast.com -> 205.139.111.117, 207.211.31.64, 207.211.31.113, 207.211.31.106, 205.139.111.12, 205.139.111.113 (whitelisted)
ctldl.windowsupdate.com -> 2.16.106.186, 2.16.106.171 (whitelisted)
ocsp.digicert.com -> 93.184.220.29 (whitelisted)
api.bing.com -> 13.107.5.80 (whitelisted)
www.bing.com -> 13.107.21.200, 204.79.197.200 (whitelisted)
security-us.mimecast.com -> 207.211.31.110, 207.211.31.119, 205.139.110.117, 207.211.31.14, 205.139.110.99, 205.139.110.113 (whitelisted)
iecvlist.microsoft.com -> 152.199.19.161 (whitelisted)
r20swj13mr.microsoft.com -> 152.199.19.161 (whitelisted)

Threats

No threats detected
No debug info