File name: _DMARC_ Email Alerts #7539 -Account Update.msg

Full analysis: https://app.any.run/tasks/bdc696db-9a98-4c4b-a922-9e8d01a02e00
Verdict: Malicious activity
Analysis date: June 27, 2022, 06:51:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: DAB9F733D356598E3BC68A843B854A2F
SHA1: A6FAC502DC7575B96D0D7EB7D5DE0800B7041CE3
SHA256: E6D8D21DCBA5CFB3228C698AD8B58559AE621729029B23D833B0AA36102E3AB5
SSDEEP: 768:sbsAMePQsK5sK1ZQZWpw+VDzqdvRSH0l12Ypv:sIhrO+VyvRSG3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2604)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 2604)
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 2996)
  • INFO
    • Reads the computer name
      • OUTLOOK.EXE (PID: 2604)
      • iexplore.exe (PID: 2756)
      • iexplore.exe (PID: 2996)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2604)
    • Checks supported languages
      • OUTLOOK.EXE (PID: 2604)
      • iexplore.exe (PID: 2756)
      • iexplore.exe (PID: 2996)
    • Searches for installed software
      • OUTLOOK.EXE (PID: 2604)
    • Changes internet zones settings
      • iexplore.exe (PID: 2756)
    • Application launched itself
      • iexplore.exe (PID: 2756)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2756)
      • iexplore.exe (PID: 2996)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2996)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 2996)
      • iexplore.exe (PID: 2756)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process chain: start -> outlook.exe -> iexplore.exe -> iexplore.exe

Process information

PID: 2604
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\_DMARC_ Email Alerts #7539 -Account Update.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000
Modules (images):
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll

PID: 2756
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://eu-west-1.protection.sophos.com/?d=digitaloceanspaces.com&u=aHR0cHM6Ly9zZ3AxLmRpZ2l0YWxvY2VhbnNwYWNlcy5jb20vamFyZGltY2RwN3dlMGFpajE3emgxMC8lMjElMjYlMjElMjQlMjElMjYuai4lMjYlMjElMjYvJTIxJTI2JTIxJTI0JTIxJTI2JTIxai5kLiUyMSUyNiUyMS5odG1sI3ZleXNlbC5wb2xhdEBrb2tzYW4uY29t&i=NjI0ODIzNzZjYmUyYTgxZDg0YzY5NmU0&t=YjllQlVYNFV6YUo3N3h6RnNiVTZrS2d3L1RXV1lYT2d4bUNoL29vUXppST0=&h=06590a6ef6774aa7a53d939c55f0ec84
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 2996
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2756 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\rpcrt4.dll

Total events: 15 146
Read events: 14 444
Write events: 682
Delete events: 20

Modification events

(PID) Process: (2604) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation | Name | Value
write | 1033 | Off
write | 1041 | Off
write | 1046 | Off
write | 1036 | Off
write | 1031 | Off
write | 1040 | Off
write | 1049 | Off
write | 3082 | Off
write | 1042 | Off
write | 1055 | Off

Executable files: 0
Suspicious files: 18
Text files: 21
Unknown types: 16

Dropped files

PID | Process | Filename | Type
2604 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR5E63.tmp.cvr |
2604 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst |
2604 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: 9E6107021E992EE7E7D6B80419547687
  SHA256: 5A561EA4693FCD1D9B80364290E43C476DA13B10AEE8337C1FF84073D9C66402
2756 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der
  MD5: 28CC3D4B0DA8A29A9DCD6D4755C84342
  SHA256: A4CA2DD1D4545838F7A9102623442BC76BDEB2185E9991A294BCB0B6456DDA0E
2996 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 2DF1C09B258EE29B8D3DC6286EE5BBEA
  SHA256: 84682DD546AD74CD8F599E17601B283DACE72AE1C520D81F19EFCD078CF4E01C
2756 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary
  MD5: 34F1A0095D85883BB05785B37D566F5D
  SHA256: 1775B5F9285072C3BA329754698EA4816232D9601557DAE8A6332917E512E534
2604 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
  MD5: 3C4FFBF6645B72B79D3DEC47C03A0130
  SHA256: 7D097274EC4B6574E66BECECD2E969A6D0462968BB45E5337509F8E90CAE157F
2996 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary
  MD5: 07BA3DF127658BC18359369B8427D8DD
  SHA256: 964CA5C2FDEF2383D8D4EB99203BEEC011C35391918F733948B349542018A0D0
2996 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | der
  MD5: C7B33A5171B37E83B2AC6D3473E63BE3
  SHA256: 334F918A1C31E0077473B071BD772E41E445988FD3237E99DE91576DD604E0C1
2604 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_059556B24D7ED4478EF9A4E41AAEC333.dat | xml
  MD5: D8B37ED0410FB241C283F72B76987F18
  SHA256: 31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 45
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2996 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted
2996 | iexplore.exe | GET | 200 | 143.204.101.74:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEA0%2FNyn77olIjRaHOEiiqEs%3D | US | der | 471 b | whitelisted
2996 | iexplore.exe | GET | 200 | 143.204.101.74:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared
2996 | iexplore.exe | GET | 200 | 143.204.101.99:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted
2996 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAtOou%2Fya0LgTSgndht8JYM%3D | US | der | 471 b | whitelisted
2756 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
2996 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
2996 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCqm%2FLZVwk%2FcRLv5CtSZANu | US | der | 472 b | whitelisted
2756 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
2996 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2604 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
2756 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2996 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2996 | iexplore.exe | 143.204.101.74:80 | ocsp.rootg2.amazontrust.com | | US | whitelisted
2996 | iexplore.exe | 69.16.175.42:443 | code.jquery.com | Highwinds Network Group, Inc. | US | malicious
2996 | iexplore.exe | 143.204.89.120:443 | eu-west-1.protection.sophos.com | | US | malicious
2996 | iexplore.exe | 143.204.101.99:80 | o.ss2.us | | US | suspicious
2996 | iexplore.exe | 103.253.144.208:443 | sgp1.digitaloceanspaces.com | Digital Ocean, Inc. | SG | suspicious
2996 | iexplore.exe | 95.140.236.0:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | GB | whitelisted
2756 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
eu-west-1.protection.sophos.com
  • 143.204.89.120
  • 143.204.89.16
  • 143.204.89.84
  • 143.204.89.77
whitelisted
ctldl.windowsupdate.com
  • 95.140.236.0
whitelisted
o.ss2.us
  • 143.204.101.99
  • 143.204.101.123
  • 143.204.101.195
  • 143.204.101.177
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.rootg2.amazontrust.com
  • 143.204.101.74
  • 143.204.101.42
  • 143.204.101.124
  • 143.204.101.190
whitelisted
ocsp.rootca1.amazontrust.com
  • 143.204.101.74
  • 143.204.101.124
  • 143.204.101.190
  • 143.204.101.42
shared
ocsp.sca1b.amazontrust.com
  • 143.204.101.74
  • 143.204.101.188
  • 143.204.101.52
  • 143.204.101.143
whitelisted

Threats

PID | Process | Class | Message
| | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
2756 | iexplore.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
2756 | iexplore.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
No debug info