File name: BEWARE_ Potential Virus Email_ .msg
Full analysis: https://app.any.run/tasks/3be62b89-149f-4ad6-af3a-a296bbb3a1df
Verdict: Malicious activity
Analysis date: December 06, 2019, 15:41:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 0BF283ABAA593A4A19C05236A16CCFE8
SHA1: 9D28293D5FDF686CAE65731BE3CE9AFEB3E9FC13
SHA256: E4EE78003529F3E2FAC30D8FD8BA0001B0A96CD64927AEDA85305EF900E1B79B
SSDEEP: 768:K4GN9rrWsK5WsKfnc1pz6bthfV6WsKjWsK/b5jpjzR15y1dBpjb4WJt:WrWhW3czzw6WrWnjzOPjM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 3336)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 3336)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 3336)
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 3336)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 1932)
    • Application launched itself
      • iexplore.exe (PID: 1932)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 3336)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1932)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 1044)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 1932)
    • Reads internet explorer settings
      • iexplore.exe (PID: 1044)
    • Changes settings of System certificates
      • iexplore.exe (PID: 1932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process chain): start -> outlook.exe -> iexplore.exe -> iexplore.exe

Process information

PID 3336
  CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\BEWARE_ Potential Virus Email_ .msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Outlook
  Version: 14.0.6025.1000

PID 1932
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwooodbridgegroup.com%2F%3F0nJHGJGHNSBDVHMDNBBGVVSNDBGNSBDNDBVNSMSGDheev99_________________________________________________________________________________________________________________________________________GNSBDNDBVNSsmnksjwjhddjfejhfksjhfjhsfhsjbagstuenbvxvffatruwsisubdgdgfwvfgytraereqtuoejmenbvdgftauavdfwhyejrjhhfbeejhuwfnewjjbejsjbvdhcjvdnkcieoepeirurhrgbensnsnnsbdhgsnbanhqgteyeiejhdndbvxvfzahgsjssdfgg5IV%3Dg.krzysiak%40criteo.com&data=02%7C01%7Cg.krzysiak%40criteo.com%7Cb1ff463d8e4546f48f0008d778e11752%7C2a35d8fd574d48e3927c8c398e225a01%7C1%7C1%7C637110780457179789&sdata=6IdJAKBQXmji0qRIcsBwxfOgeoRGJOtPBlpry5xfCfg%3D&reserved=0
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 1044
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1932 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 1 951
Read events: 1 307
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 0
Text files: 35
Unknown types: 5

Dropped files

PID 3336 (OUTLOOK.EXE)
  Filename: C:\Users\admin\AppData\Local\Temp\CVR99D9.tmp.cvr

PID 1932 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico

PID 1932 (iexplore.exe)
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

PID 1044 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7FJN398K\eur03_safelinks_protection_outlook_com[1].txt

PID 3336 (OUTLOOK.EXE)
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
  Type: pgc
  MD5: 038A7364E9562CEFE3A4CE8C15E8C130
  SHA256: E5F629E47561B6ED05F66EAE7431CBEF0477D8FB7324867404760380DE28400B

PID 3336 (OUTLOOK.EXE)
  Filename: C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
  Type: text
  MD5: 211626599581ED9122FD5D1472735C11
  SHA256: FF4C90B81C37C1FBEE357729DAE828ABFABEC71EBB5ABB33108DD3E9DC01CD73

PID 3336 (OUTLOOK.EXE)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_CDF8B6CA10E7FA43A1C921427A3CAFAD.dat
  Type: xml
  MD5: EEAA832C12F20DE6AAAA9C7B77626E72
  SHA256: C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16

PID 1044 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
  Type: dat
  MD5: 18351473A8D38CDFC6EBC3F3D71DA86B
  SHA256: 726A2D4CA5460A9D23860ACA2154F1472D9E037B2BB4F9EC6E438599751ACC12

PID 1044 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7FJN398K\eur03_safelinks_protection_outlook_com[1].htm
  Type: html
  MD5: 117B11625CC84F2C4EA4BAE4A88D80D5
  SHA256: A08EE107D4ED5F01B4402C42747D5618E95D4653774A9E53EA086C2C027F94BF

PID 3336 (OUTLOOK.EXE)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A55CC5B8-2316-442B-B430-A6F27E885195}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png
  Type: image
  MD5: 7D80C0A7E3849818695EAF4989186A3C
  SHA256: 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 7
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3336 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
1932 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3336 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
1932 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
1044 | iexplore.exe | 104.47.8.28:443 | eur03.safelinks.protection.outlook.com | Microsoft Corporation | NL | whitelisted
1932 | iexplore.exe | 104.47.8.28:443 | eur03.safelinks.protection.outlook.com | Microsoft Corporation | NL | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
eur03.safelinks.protection.outlook.com | 104.47.8.28, 104.47.10.28 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted

Threats

No threats detected
No debug info