analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Error.msg

Full analysis: https://app.any.run/tasks/d218702d-c62b-4428-af3e-3da8de6ba40f
Verdict: Malicious activity
Analysis date: May 20, 2019, 10:43:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

10CD43189C6CEC2E9E278F1B261C1299

SHA1:

2AF7E10E3D506BB4D8A153A7554AFCC607DC9FA6

SHA256:

F24E7D0BC21EED9B0AD366D83EE1DB0A6EF35E3FA85D41637183FA4C4D259CB0

SSDEEP:

768:RAn6v+iuV2/+HNB7XNctrfMK/UL1nDEhjfap8NqhN3k+ypTD6E404e:3vPr+HStrECg5hN3k+y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2152)

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2152)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2152)

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 2152)

  • INFO

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2152)

    • Changes internet zones settings

      • iexplore.exe (PID: 2304)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3640)

    • Creates files in the user directory

      • iexplore.exe (PID: 3640)

    • Application launched itself

      • iexplore.exe (PID: 2304)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2304)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3640)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2304)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2152"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Error.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2304"C:\Program Files\Internet Explorer\iexplore.exe" https://protect-eu.mimecast.com/s/WJLACJy9xU8z0q4IVPUE-?domain=forms.office.comC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3640"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2304 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
1 615
Read events
1 120
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
37
Unknown types
5

Dropped files

PID
Process
Filename
Type
2152OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR3F9C.tmp.cvr
MD5:
SHA256:
2304iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2304iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3640iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab5566.tmp
MD5:
SHA256:
3640iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar5567.tmp
MD5:
SHA256:
3640iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab5588.tmp
MD5:
SHA256:
3640iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar5589.tmp
MD5:
SHA256:
2152OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:6FC0229A3ABE12BF0B8F29EEC1DAB3BA
SHA256:5C896F2A01FFBDD686DE0A610A4272E993EA7AFE8CA36D1E78FFDE7764F13B30
2152OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:48DD6CAE43CE26B992C35799FCD76898
SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
3640iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:A2F7F9717510504C01CD45013855F36E
SHA256:7DF0E8FE93413E7E9726F119264D7049FB5749EFC88BA0B348628C5184FC78D7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
9
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2152
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3640
iexplore.exe
GET
200
205.185.216.42:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.1 Kb
whitelisted
2304
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2304
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3640
iexplore.exe
205.185.216.42:80
www.download.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
2152
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3640
iexplore.exe
195.130.217.187:443
protect-eu.mimecast.com
Mimecast Services Limited
GB
suspicious
3640
iexplore.exe
91.220.42.248:443
security-eu.mimecast.com
Telstra Europe Ltd
GB
unknown
2304
iexplore.exe
91.220.42.248:443
security-eu.mimecast.com
Telstra Europe Ltd
GB
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
protect-eu.mimecast.com
  • 195.130.217.187
  • 91.220.42.63
  • 91.220.42.215
  • 91.220.42.235
  • 195.130.217.73
  • 195.130.217.180
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.download.windowsupdate.com
  • 205.185.216.42
  • 205.185.216.10
whitelisted
security-eu.mimecast.com
  • 91.220.42.248
  • 91.220.42.249
  • 195.130.217.78
  • 195.130.217.193
  • 195.130.217.194
  • 91.220.42.76
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Error.msg