File name: 436869-original_file.msg

Full analysis: https://app.any.run/tasks/c66dc573-3297-486f-8491-03aa48972cbb
Verdict: Malicious activity
Analysis date: October 20, 2020, 07:55:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 95A02B936FEBB7EC8C85E419D26E35C0
SHA1: 081E18BF2BD756692C96C05B20382F1C2CB642CB
SHA256: EA3ED2B86B9CC9B5C6E00ECAD7CE6106FD84ED9F93C7C0FB34BC9A42FC70DE2F
SSDEEP: 1536:4DrkYElmwR2DPIRMs4pQ0bD6hmKNWQ+WB/+OpXWL3/kKTTjuKiAS:4DtElLRDMppQ2WhmKRR8niA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2452)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 2452)
  • INFO
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 2452)
      • iexplore.exe (PID: 1924)
      • iexplore.exe (PID: 924)
      • iexplore.exe (PID: 3080)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2452)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2452)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3080)
      • iexplore.exe (PID: 924)
    • Application launched itself
      • iexplore.exe (PID: 1924)
    • Changes internet zones settings
      • iexplore.exe (PID: 1924)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1924)
    • Changes settings of System certificates
      • iexplore.exe (PID: 1924)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 1924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, outlook.exe, iexplore.exe, iexplore.exe, iexplore.exe

Process information

PID | CMD | Path | Indicators | Parent process
2452 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\436869-original_file.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | | explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Outlook | Version: 14.0.6025.1000
1924 | "C:\Program Files\Internet Explorer\iexplore.exe" https://c.services-btob.com/track/clic?&url=%7blid%3aRDRSWHVqL0QrSGM9%7d%7bcamp%3aaction-1-questionnaire-octobre-2020%7d&uid=FC57E2E982E5A43A129AB3B19491B3AF&pushid=7e333c47-585f-4a40-bf6b-d145054e2a87&rk=129c8fcd96e54e2d85df423408bc7a9c&versionid=c57d9945-60a2-4455-beb4-5b121c9ec642&lindex=0&dom=SMITHSDETECTION.COM | C:\Program Files\Internet Explorer\iexplore.exe | | OUTLOOK.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3080 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1924 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: LOW | Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
924 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1924 CREDAT:2168097 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: LOW | Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 2 385
Read events: 1 728
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 13
Text files: 36
Unknown types: 7

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2452 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR4134.tmp.cvr | | |
3080 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab7B30.tmp | | |
3080 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar7B31.tmp | | |
2452 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | AF72C07975687F86821B4B35B76C3515 | 02B07E798B3356CB431D50A0C409F6D2C4691F3628D084EB9F2323110653E0F2
2452 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 0D559D00D781CE6EE1DDC832B8DA3797 | 3A0AE1768E1595212BB07AAB32CFC0327926FC83272372B3B421B4A511A9DBEB
3080 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | binary | 5492E1429FE865D33BA1CCD8402CD74E | B525C96525B82EC45CA8A435AA4213028F94F163131A2DBE516B1F63942C6F73
3080 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | binary | 6BA86359E048A1814DFE2161AC0FD427 | 3C52EDFEC03C2697CC6D21F5CA889ED75FE59FA4313FC664FC002EC06792E124
3080 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D3DEEFE5750C3694B5869938E67F42C5_CFD5CF52026BBDE3945BEB5B9E90253D | binary | FFC2A8FCD5F31DFDD9B0EF7654A8058A | 23FEF244C073C4C5D49DCA327447C2D31773CDFC8CA58A787A4CD7A0D172AB64
3080 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | der | 36CCD4F4EB5D5CABA32FF876CCC6DD40 | 430D95E78346922E2DB34A4CED430E9538F870EE54EDF6B7C97FA7BCE4B0FC5B
3080 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D3DEEFE5750C3694B5869938E67F42C5_CFD5CF52026BBDE3945BEB5B9E90253D | der | AB0A56ADA76D32FEE69DA944EAB41E87 | 22305BB74CE9F7328561D1340D4AE3BD2F809E9F1C1CA8A6CA03B2BA7C1CAC28
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 13
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2452 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
3080 | iexplore.exe | GET | 200 | 192.124.249.36:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted
3080 | iexplore.exe | GET | 200 | 192.124.249.36:80 | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQDWZGlqmUNTkQ%3D%3D | US | der | 1.74 Kb | whitelisted
1924 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
1924 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3080 | iexplore.exe | GET | 200 | 192.124.249.36:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted
1924 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
1924 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1924 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
 | | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3080 | iexplore.exe | 192.124.249.36:80 | ocsp.godaddy.com | Sucuri | US | suspicious
1924 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
924 | iexplore.exe | 13.69.68.12:443 | c.services-btob.com | Microsoft Corporation | NL | unknown
3080 | iexplore.exe | 13.69.68.12:443 | c.services-btob.com | Microsoft Corporation | NL | unknown
2452 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
c.services-btob.com
  • 13.69.68.12
unknown
ocsp.godaddy.com
  • 192.124.249.36
  • 192.124.249.23
  • 192.124.249.24
  • 192.124.249.22
  • 192.124.249.41
whitelisted
www.hdav1.com
unknown
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info