analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ACH.msg

Full analysis: https://app.any.run/tasks/18e3da28-48e4-40b2-ba43-0125151d211d
Verdict: Malicious activity
Analysis date: July 18, 2019, 13:55:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
phishing
phish-microsoft
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

87DD1B73915F04133D9988F7C9C33254

SHA1:

46B387C319B423E9729E6E56800CA1DC2FDA4610

SHA256:

EA6682B2F715F7F4C94E4B39967CBB2DBD5875F17198344403D0D36F9B1F960D

SSDEEP:

3072:y2rd5RK79VRrKSHfH+TbBONCmQFN7XwEMLFG:y2PRK79VRmSfH+ZONCmQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 3736)

  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3736)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3736)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3736)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 2948)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2224)

    • Application launched itself

      • iexplore.exe (PID: 2224)
      • firefox.exe (PID: 2948)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3736)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3132)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3132)

    • Manual execution by user

      • firefox.exe (PID: 2948)
      • notepad.exe (PID: 124)

    • Reads CPU info

      • firefox.exe (PID: 2948)

    • Creates files in the user directory

      • firefox.exe (PID: 2948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
11
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3736"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\ACH.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2224"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\2T26KKA8\Copy_ACH_Payment_remit.htmC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3132"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2224 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2948"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\admin\Desktop\Copy_ACH_Payment_remit.htm"C:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
67.0.4
1420"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2948.0.1907530705\712764201" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2948 "\\.\pipe\gecko-crash-server-pipe.2948" 1168 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
67.0.4
2032"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2948.3.1617119819\1716466796" -childID 1 -isForBrowser -prefsHandle 1676 -prefMapHandle 768 -prefsLen 1 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2948 "\\.\pipe\gecko-crash-server-pipe.2948" 1592 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
2928"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2948.13.484476665\2053511600" -childID 2 -isForBrowser -prefsHandle 1984 -prefMapHandle 2560 -prefsLen 5842 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2948 "\\.\pipe\gecko-crash-server-pipe.2948" 2572 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
3412"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2948.20.1821322676\934673033" -childID 3 -isForBrowser -prefsHandle 3608 -prefMapHandle 3612 -prefsLen 6804 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2948 "\\.\pipe\gecko-crash-server-pipe.2948" 3624 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
1800"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2948.27.1950690154\1023321769" -childID 4 -isForBrowser -prefsHandle 3812 -prefMapHandle 3816 -prefsLen 6891 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2948 "\\.\pipe\gecko-crash-server-pipe.2948" 3832 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
67.0.4
3864"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2948.34.427215679\1720480050" -childID 5 -isForBrowser -prefsHandle 1780 -prefMapHandle 3864 -prefsLen 6891 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2948 "\\.\pipe\gecko-crash-server-pipe.2948" 3856 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
Total events
2 753
Read events
2 222
Write events
508
Delete events
23

Modification events

(PID) Process:(3736) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3736) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3736) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
Operation:writeName:}3<
Value:
7D333C00980E0000010000000000000000000000
(PID) Process:(3736) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook
Operation:writeName:MTTT
Value:
980E0000385FDF86703DD50100000000
(PID) Process:(3736) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\SQM
Operation:writeName:SQMSessionNumber
Value:
0
(PID) Process:(3736) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\SQM
Operation:writeName:SQMSessionDate
Value:
220131360
(PID) Process:(3736) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\0a0d020000000000c000000000000046
Operation:writeName:00030429
Value:
03000000
(PID) Process:(3736) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
Operation:writeName:{ED475418-B0D6-11D2-8C3B-00104B2A6676}
Value:
(PID) Process:(3736) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
Operation:writeName:LastChangeVer
Value:
1200000000000000
(PID) Process:(3736) OUTLOOK.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109A10090400000000000F01FEC\Usage
Operation:writeName:OutlookMAPI2Intl_1033
Value:
1324482581
Executable files
2
Suspicious files
138
Text files
94
Unknown types
98

Dropped files

PID
Process
Filename
Type
3736OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRF7ED.tmp.cvr
MD5:
SHA256:
3736OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\2T26KKA8\Copy_ACH_Payment_remit (2).htm\:Zone.Identifier:$DATA
MD5:
SHA256:
3736OUTLOOK.EXEC:\Users\admin\Desktop\Copy_ACH_Payment_remit.htm\:Zone.Identifier:$DATA
MD5:
SHA256:
3736OUTLOOK.EXEC:\Users\admin\Desktop\Copy_ACH_Payment_remit.htmhtml
MD5:1544E73F867DF6D0F75C8A8020DCCDFB
SHA256:51741CC33780F0A230C0E2E9A4D6E6EEF4AE49AD9D6A62DBE2AC1A659B8E67C0
3736OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_659306A1E1FF0A40A0A068B498D46457.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
3736OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\2T26KKA8\Copy_ACH_Payment_remit (2).htmhtml
MD5:1544E73F867DF6D0F75C8A8020DCCDFB
SHA256:51741CC33780F0A230C0E2E9A4D6E6EEF4AE49AD9D6A62DBE2AC1A659B8E67C0
3736OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_08EC2A98D5B72440A67DC30249EA51EE.datxml
MD5:807EF0FC900FEB3DA82927990083D6E7
SHA256:4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913
3736OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_87482E5D550E774F82F893788FA9454B.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
3736OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:E233D8AF6A6792DEF23629FF5AA300FE
SHA256:98799DB2B24752E4C5BB20E830C7A0AC396209FFC68F25AA7BBA741A7C81D7CE
2224iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
96
DNS requests
171
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2948
firefox.exe
POST
200
104.18.25.243:80
http://ocsp.msocsp.com/
US
der
1.79 Kb
whitelisted
3736
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2948
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2948
firefox.exe
POST
200
104.18.25.243:80
http://ocsp.msocsp.com/
US
der
1.79 Kb
whitelisted
2948
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2948
firefox.exe
POST
200
104.18.25.243:80
http://ocsp.msocsp.com/
US
der
1.79 Kb
whitelisted
2948
firefox.exe
POST
200
172.217.16.163:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
2948
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2948
firefox.exe
POST
200
104.18.25.243:80
http://ocsp.msocsp.com/
US
der
1.79 Kb
whitelisted
2948
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3132
iexplore.exe
40.126.9.6:443
login.microsoftonline.com
Microsoft Corporation
US
unknown
2948
firefox.exe
2.16.186.50:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
2224
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3736
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3132
iexplore.exe
205.185.208.52:443
code.jquery.com
Highwinds Network Group, Inc.
US
unknown
3132
iexplore.exe
95.100.79.183:443
secure.aadcdn.microsoftonline-p.com
Akamai Technologies, Inc.
whitelisted
2948
firefox.exe
99.86.1.62:443
snippets.cdn.mozilla.net
AT&T Services, Inc.
US
unknown
2948
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2948
firefox.exe
34.209.86.85:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
2948
firefox.exe
52.24.50.47:443
push.services.mozilla.com
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
code.jquery.com
  • 205.185.208.52
whitelisted
secure.aadcdn.microsoftonline-p.com
  • 95.100.79.183
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
login.microsoftonline.com
  • 40.126.9.6
  • 40.126.9.66
  • 20.190.137.98
  • 40.126.9.8
  • 20.190.137.96
whitelisted
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
whitelisted
location.services.mozilla.com
  • 52.50.56.62
  • 108.128.247.43
  • 52.210.139.31
whitelisted
locprod1-elb-eu-west-1.prod.mozaws.net
  • 52.210.139.31
  • 108.128.247.43
  • 52.50.56.62
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ACH.msg