File name:

jinhwan t� LinkedIn �_ ��.eml

Full analysis: https://app.any.run/tasks/eb63f580-8149-4cad-8bff-a1dc5b58384b
Verdict: Malicious activity
Analysis date: December 06, 2022, 04:40:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5:

7066780C24D620DC90681C98D03A9FBA

SHA1:

888BBBC7B2531D6D6567A64894A5D11BD219BD5F

SHA256:

E12A17DF0529EA9F0EDC098FDE70C61F715A0291588FB01F7219893122A35871

SSDEEP:

384:yxmmrGp1RXbe1qPCdObKFjAK1EUHGCEE2dpGVsR0a2dBwV1E44NpW6ULl6QUPUP/:7mrGp19e1qPCdObKFjAK1EUHGCEE2dsg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • OUTLOOK.EXE (PID: 2436)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2436"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\jinhwan t� LinkedIn �_ ��.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3876"C:\Program Files\Internet Explorer\iexplore.exe" https://the2401kor.web.app/index2the.html#[email protected]C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
2884"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3876 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
952"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3876 CREDAT:3675407 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
1972"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3876 CREDAT:2364689 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
47 207
Read events
46 430
Write events
753
Delete events
24

Modification events

(PID) Process:(2436) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2436) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2436) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2436) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2436) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2436) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2436) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2436) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2436) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(2436) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
Off
Executable files
0
Suspicious files
16
Text files
32
Unknown types
14

Dropped files

PID
Process
Filename
Type
2436OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRF6F8.tmp.cvr
MD5:
SHA256:
2436OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
2436OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_049A795FCDE4034DB05D86E650B1E847.datxml
MD5:D8B37ED0410FB241C283F72B76987F18
SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
2436OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_69F8C583A83A284192DFF828FC443DA6.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
2436OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_1789284CF55D234B83177AE717DF5D37.datxml
MD5:BBCF400BD7AE536EB03054021D6A6398
SHA256:383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD
2436OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A3FCE98E-6EBB-4C1E-A689-FDE1CDEE69FC}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
2436OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:DC7622FD9ED7AE82B9C1D8FA2627E1CD
SHA256:28054EE0EB1419A23C71D2A83A21E39A53D273EC211594F8881E9F6941094EE6
2436OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:E030AFB67779E56057996C22A2F74983
SHA256:411AFC89303FF44CFABC74C77BE2E0B169BFA60F4CCFCA9A05E518F7CB193421
2436OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_96327ECC769EA34095388EE7A910D584.datxml
MD5:807EF0FC900FEB3DA82927990083D6E7
SHA256:4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913
2436OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_60AA26829F56284E875F40F6591A75D7.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
58
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2436
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2884
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
2884
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?574756e7b45d658d
US
compressed
4.70 Kb
whitelisted
2884
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIAjrICMzZli2TN25s%3D
US
der
724 b
whitelisted
2884
iexplore.exe
GET
200
172.64.155.188:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
US
der
1.42 Kb
whitelisted
2884
iexplore.exe
GET
200
104.18.32.68:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
2.18 Kb
whitelisted
3876
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
2884
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0007a0df87f986f5
US
compressed
4.70 Kb
whitelisted
2884
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
2884
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAlrgulzmZS6%2FVWwIdvHyL8%3D
US
der
280 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2884
iexplore.exe
142.250.74.195:80
ocsp.pki.goog
GOOGLE
US
whitelisted
2884
iexplore.exe
104.18.11.207:443
stackpath.bootstrapcdn.com
CLOUDFLARENET
suspicious
2884
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
2884
iexplore.exe
199.36.158.100:443
the2401kor.web.app
FASTLY
US
malicious
2436
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2884
iexplore.exe
69.16.175.42:443
code.jquery.com
STACKPATH-CDN
US
malicious
2884
iexplore.exe
104.17.24.14:443
cdnjs.cloudflare.com
CLOUDFLARENET
suspicious
3876
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
3876
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2884
iexplore.exe
104.18.10.207:443
stackpath.bootstrapcdn.com
CLOUDFLARENET
suspicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
the2401kor.web.app
  • 199.36.158.100
suspicious
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.pki.goog
  • 142.250.74.195
whitelisted
code.jquery.com
  • 69.16.175.42
  • 69.16.175.10
whitelisted
stackpath.bootstrapcdn.com
  • 104.18.11.207
  • 104.18.10.207
whitelisted
cdnjs.cloudflare.com
  • 104.17.24.14
  • 104.17.25.14
whitelisted
ocsp.comodoca.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted

Threats

No threats detected
No debug info