File name: Reporting of suspected spam messages.msg

Full analysis: https://app.any.run/tasks/610d6331-5a47-422a-885b-4ba53fd80b55
Verdict: Malicious activity
Analysis date: May 29, 2020, 23:03:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 81CF9BBFC8F9A78F48CFB6C1F41F51E5
SHA1: 910AE4F17921832480D2A0C03BBBCB1A32C80100
SHA256: E6AA5227E1DEE73B53EF94F5AF5E90B243D40919BDC8F7DC8A43C53EF9605D8F
SSDEEP: 3072:n+NvRYDvdW0NMDiHd27hN54ooCP4OsNM/4TfkkpicCDL4fsP5473q26gmi2i+/A1:SWd3oR3PHkpicGP5g3vBV+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 3044)
  • SUSPICIOUS
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 3044)
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 3044)
  • INFO
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3728)
      • OUTLOOK.EXE (PID: 3044)
      • iexplore.exe (PID: 2732)
      • iexplore.exe (PID: 2776)
      • iexplore.exe (PID: 3128)
    • Changes internet zones settings
      • iexplore.exe (PID: 2732)
      • iexplore.exe (PID: 2776)
    • Application launched itself
      • iexplore.exe (PID: 2732)
      • iexplore.exe (PID: 2776)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 3044)
    • Creates files in the user directory
      • iexplore.exe (PID: 3728)
      • iexplore.exe (PID: 3128)
      • iexplore.exe (PID: 2776)
      • iexplore.exe (PID: 2732)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3128)
      • iexplore.exe (PID: 3728)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3128)
      • iexplore.exe (PID: 3728)
      • iexplore.exe (PID: 2776)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2776)
    • Changes settings of System certificates
      • iexplore.exe (PID: 2776)
No Malware configuration.

TRiD
  • .msg | Outlook Message (58.9)
  • .oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes: start, outlook.exe, iexplore.exe, iexplore.exe, iexplore.exe, iexplore.exe

Process information

PID: 3044
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Reporting of suspected spam messages.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 2732
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Frealestatebyc.com%2Fpic%2Fvendor%2Fslim%2Fslim%2FSlim%2Findex.php&data=02%7C01%7Ccontact%40raydius.de%7C23a8ce2626374ca33e1008d7f80a8e2a%7C4b4cca9cedaf42f38e219070c5d9d76b%7C0%7C0%7C637250596541715499&sdata=OoduI8lioNscUoK%2F7k0NecvX8tMoK6yrOcHMFEyfRg0%3D&reserved=0
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2776
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Frealestatebyc.com%2Fpic%2Fvendor%2Fslim%2Fslim%2FSlim%2Findex.php&data=02%7C01%7Ccontact%40raydius.de%7C23a8ce2626374ca33e1008d7f80a8e2a%7C4b4cca9cedaf42f38e219070c5d9d76b%7C0%7C0%7C637250596541715499&sdata=OoduI8lioNscUoK%2F7k0NecvX8tMoK6yrOcHMFEyfRg0%3D&reserved=0
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3728
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2732 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3128
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2776 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 4 466
Read events: 2 138
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 64
Text files: 73
Unknown types: 34

Dropped files

PID | Process | Filename | Type
3044 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRD451.tmp.cvr | -
3728 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab2DDB.tmp | -
3728 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar2DDC.tmp | -
3128 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab30F8.tmp | -
3128 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab30F9.tmp | -
3128 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar30FB.tmp | -
3128 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar30FA.tmp | -
3044 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: 78E7DFB93B8F87684F8A6201CDEA8199
  SHA256: 429E5FA22E254D1D8FAB4497EA9A8DA98474C567CEB543E14365861C17A1B13D
3044 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
  MD5: 0E3E61AA7645478755A0A68D43A86A5A
  SHA256: 482D9F36084E73423EAB77263D3C4D148C15D05885FA0EB511741893E3B9E7E8
3728 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 | binary
  MD5: 5B76F083DBFDFC95E25D7E3FD185CE7E
  SHA256: 0C1F68A1FD054F90A9D0081687E7257782AB686D8921887E7E4F74A45D2561B4

(No hashes were listed for the .tmp files above.)
HTTP(S) requests: 61
TCP/UDP connections: 74
DNS requests: 26
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3044 | OUTLOOK.EXE | GET | - | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | - | - | whitelisted
3128 | iexplore.exe | GET | 302 | 212.47.231.228:80 | http://realestatebyc.com/pic/vendor/slim/slim/Slim/index.php | FR | - | - | malicious
3728 | iexplore.exe | GET | 302 | 212.47.231.228:80 | http://realestatebyc.com/pic/vendor/slim/slim/Slim/index.php | FR | - | - | malicious
3728 | iexplore.exe | GET | 200 | 172.67.208.134:80 | http://www.ppsspp.org/ | US | html | 4.58 Kb | whitelisted
3128 | iexplore.exe | GET | 304 | 172.67.208.134:80 | http://www.ppsspp.org/ | US | - | - | whitelisted
3728 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted
3728 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted
3728 | iexplore.exe | GET | 200 | 172.67.208.134:80 | http://www.ppsspp.org/css/style.css | US | text | 30.1 Kb | whitelisted
3728 | iexplore.exe | GET | 200 | 172.67.208.134:80 | http://www.ppsspp.org/img/screenshots/projectdivaextend.jpg | US | image | 37.4 Kb | whitelisted
3728 | iexplore.exe | GET | 200 | 172.67.208.134:80 | http://www.ppsspp.org/img/screens/small/Final_Fantasy_Type-0_-_Drayano.jpg | US | image | 48.9 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3044 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
3728 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3728 | iexplore.exe | 172.67.208.134:80 | www.ppsspp.org | - | US | unknown
3728 | iexplore.exe | 212.47.231.228:80 | realestatebyc.com | Online S.a.s. | FR | malicious
3128 | iexplore.exe | 104.47.1.28:443 | eur01.safelinks.protection.outlook.com | Microsoft Corporation | AT | whitelisted
3728 | iexplore.exe | 104.47.1.28:443 | eur01.safelinks.protection.outlook.com | Microsoft Corporation | AT | whitelisted
- | - | 212.47.231.228:80 | realestatebyc.com | Online S.a.s. | FR | malicious
3128 | iexplore.exe | 172.67.208.134:80 | www.ppsspp.org | - | US | unknown
3728 | iexplore.exe | 216.58.212.174:443 | www.google-analytics.com | Google Inc. | US | whitelisted
- | - | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
eur01.safelinks.protection.outlook.com | 104.47.1.28, 104.47.0.28 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
realestatebyc.com | 212.47.231.228 | malicious
www.ppsspp.org | 172.67.208.134, 104.27.166.71, 104.27.167.71 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
pagead2.googlesyndication.com | 108.177.119.155, 108.177.119.156, 108.177.119.157, 108.177.119.154 | whitelisted
ajax.googleapis.com | 108.177.126.95 | whitelisted
www.google-analytics.com | 216.58.212.174 | whitelisted

Threats: No threats detected
Debug info: No debug info