analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

phish_alert_sp2_2.0.0.0.eml

Full analysis: https://app.any.run/tasks/10b60981-cd00-433f-a8a3-24dbc868d5b1
Verdict: Malicious activity
Analysis date: January 14, 2022, 20:54:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

C0EB77F0C2A98C46CB499D55EA6DEC8B

SHA1:

85ABC729C841853FD39021E3EE321B5498C4D6FF

SHA256:

FA41D6CC5A43B30577BDC5672DE78ED5DA92CAFE17BECFDAF292F227060E3D3D

SSDEEP:

1536:orL7VaLya4tBL5T1b5DzvNjfiy1GvHH5i5YqWW3fy2oxIiLIG+IkGu:04Yb51bpzvBiy1GvHOFVvjyIi/+IW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks supported languages

      • OUTLOOK.EXE (PID: 3208)
    • Reads the computer name

      • OUTLOOK.EXE (PID: 3208)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 3208)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3208)
    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 3208)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3816)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2916)
      • iexplore.exe (PID: 3816)
    • Reads the computer name

      • iexplore.exe (PID: 2916)
      • iexplore.exe (PID: 3816)
    • Dropped object may contain Bitcoin addresses

      • OUTLOOK.EXE (PID: 3208)
      • iexplore.exe (PID: 2916)
    • Changes internet zones settings

      • iexplore.exe (PID: 2916)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2916)
      • iexplore.exe (PID: 3816)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3816)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3816)
      • iexplore.exe (PID: 2916)
    • Application launched itself

      • iexplore.exe (PID: 2916)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2916)
    • Creates files in the user directory

      • iexplore.exe (PID: 2916)
      • iexplore.exe (PID: 3816)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2916)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3208"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2916"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VROVX52M\SecureMessageAtt.htmlC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3816"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2916 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
14 748
Read events
14 019
Write events
707
Delete events
22

Modification events

(PID) Process:(3208) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3208) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(3208) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(3208) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(3208) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(3208) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(3208) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(3208) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(3208) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(3208) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
Off
Executable files
0
Suspicious files
9
Text files
44
Unknown types
7

Dropped files

PID
Process
Filename
Type
3208OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRE63D.tmp.cvr
MD5:
SHA256:
3208OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
3208OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:CF0E07C333354F8568373F37FD6B2C6E
SHA256:3B4F96BAF2BFD1FDC8E47F567C77D7AD67FD7E2943888C8D76932C24EE565ED5
2916iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:04F51DA15B059AB0F23266E4146C12D0
SHA256:87B1CF6ECB5078E8AE1B8C3F324B01F73CEBA7E12AD1C6E3543496CA098CF04F
3816iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_9930CFFA1A8DC7DD2E91B8BAFFAF726Dbinary
MD5:271C53F968E2F5C8629B57705F974612
SHA256:B6D488607D3FB1D37B41A6EF595C462A914A3D6880FCBF14A6C359040B93FD39
3816iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_9930CFFA1A8DC7DD2E91B8BAFFAF726Dder
MD5:314158AA7FC6C8FB1479D3BE5D7FAF3A
SHA256:840D7CEBCA78437A6CDDFAAF7692991F213DD52AB04DBCECB8C37072DE89068F
3208OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VROVX52M\SecureMessageAtt.htmlhtml
MD5:B909E6D1F209080702F36413D0318C14
SHA256:7EBAACAF7BB13042DB55FA693224D2A1EA329366A12E3D957B20EB6B705A3E8B
3208OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_691552B7A2F8AA429426B38FE30115B7.datxml
MD5:F194B1FA12F9B6F46A47391FAE8BEEC2
SHA256:FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74
3208OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\VROVX52M\SecureMessageAtt.html:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
3208OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_96754E707A121A49BB49E3B184F9F2B3.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
38
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2916
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3816
iexplore.exe
GET
200
104.89.37.9:80
http://ocsp.entrust.net/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCDA7pTMMAAAAAUdN3hQ%3D%3D
NL
der
1.55 Kb
whitelisted
3208
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3816
iexplore.exe
GET
200
104.89.37.9:80
http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTMbSIc9rRVLC%2BHkV9a%2FvDh7s6DzAQUgqJwdN28Uz%2FPe9T3zX%2BnYMYKTL8CEEAqZWHfz1b7AAAAAFD%2BIJg%3D
NL
der
1.55 Kb
whitelisted
2916
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
2916
iexplore.exe
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b5bca26b0ee0b89e
US
compressed
4.70 Kb
whitelisted
2916
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2916
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2916
iexplore.exe
13.107.4.50:80
ctldl.windowsupdate.com
Microsoft Corporation
US
whitelisted
3816
iexplore.exe
104.89.37.9:80
ocsp.entrust.net
Akamai Technologies, Inc.
NL
unknown
3816
iexplore.exe
148.163.147.65:443
securemail.state.co.us
Proofpoint, Inc.
US
unknown
2916
iexplore.exe
148.163.147.65:443
securemail.state.co.us
Proofpoint, Inc.
US
unknown
3208
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2916
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2916
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
148.163.147.65:443
securemail.state.co.us
Proofpoint, Inc.
US
unknown
2916
iexplore.exe
131.253.33.203:443
www.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
securemail.state.co.us
  • 148.163.147.65
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 13.107.4.50
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.entrust.net
  • 104.89.37.9
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted

Threats

No threats detected
No debug info