File name: {Possible Spam } DX1 sales invoice numbered SIN023731.msg

Full analysis: https://app.any.run/tasks/51241a51-b03d-4e63-a795-b161625868e0
Verdict: Malicious activity
Analysis date: September 19, 2019, 10:28:05
OS: Windows 10 Professional (build: 16299, 64 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: C0DED4885F2A18F098B0C2469CEA6BFA
SHA1: 83C0B2A4F613360196FF30B8B2D57C70E5B53D92
SHA256: AF4E8C39434C261A1C0BB0DEEEAD1D15AB8C609EBD4101CC5C82E2BE90EB0B0B
SSDEEP: 192:PthgzAM3zWoSyY3TAi/IARyuUuRuhu27jNR8R9+7RJ/3RsXhIjQxiA:Fh6AMDbmLY7ZR8R9mAhIjQIA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Environment values

      • OUTLOOK.EXE (PID: 5692)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 5692)
    • Executed via COM

      • MicrosoftEdge.exe (PID: 3864)
      • browser_broker.exe (PID: 2060)
      • OpenWith.exe (PID: 5856)
      • RuntimeBroker.exe (PID: 3308)
      • MicrosoftEdgeCP.exe (PID: 4924)
      • MicrosoftEdgeCP.exe (PID: 1932)
      • MicrosoftEdgeCP.exe (PID: 3060)
      • MicrosoftEdgeCP.exe (PID: 4856)
      • RuntimeBroker.exe (PID: 6340)
      • MicrosoftEdge.exe (PID: 468)
      • browser_broker.exe (PID: 6224)
      • MicrosoftEdgeCP.exe (PID: 3988)
      • MicrosoftEdgeCP.exe (PID: 6160)
      • RuntimeBroker.exe (PID: 6920)
      • MicrosoftEdgeCP.exe (PID: 1940)
    • Checks supported languages

      • OpenWith.exe (PID: 5856)
      • MicrosoftEdge.exe (PID: 3864)
      • MicrosoftEdge.exe (PID: 468)
    • Reads the machine GUID from the registry

      • MicrosoftEdge.exe (PID: 468)
      • MicrosoftEdgeCP.exe (PID: 6160)
      • MicrosoftEdgeCP.exe (PID: 1932)
      • browser_broker.exe (PID: 2060)
  • INFO

    • Reads settings of System Certificates

      • OUTLOOK.EXE (PID: 5692)
      • MicrosoftEdgeCP.exe (PID: 1932)
      • browser_broker.exe (PID: 2060)
      • MicrosoftEdge.exe (PID: 468)
      • MicrosoftEdgeCP.exe (PID: 6160)
    • Reads the software policy settings

      • OUTLOOK.EXE (PID: 5692)
      • MicrosoftEdgeCP.exe (PID: 1932)
      • browser_broker.exe (PID: 2060)
      • MicrosoftEdgeCP.exe (PID: 6160)
      • MicrosoftEdge.exe (PID: 468)
    • Reads the machine GUID from the registry

      • OUTLOOK.EXE (PID: 5692)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 5692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 16
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in the order the report lists them ("no specs" is the report's own label):
  • start
  • outlook.exe
  • openwith.exe (no specs)
  • microsoftedge.exe (no specs)
  • browser_broker.exe
  • runtimebroker.exe (no specs)
  • microsoftedgecp.exe (no specs)
  • microsoftedgecp.exe (no specs)
  • microsoftedgecp.exe (no specs)
  • microsoftedgecp.exe (no specs)
  • runtimebroker.exe (no specs)
  • microsoftedge.exe (no specs)
  • browser_broker.exe (no specs)
  • microsoftedgecp.exe (no specs)
  • microsoftedgecp.exe (no specs)
  • runtimebroker.exe (no specs)
  • microsoftedgecp.exe (no specs)

Process information

PID: 5692
CMD: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\{Possible Spam } DX1 sales invoice numbered SIN023731.msg"
Path: C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 16.0.11328.20158

PID: 5856
CMD: C:\WINDOWS\system32\OpenWith.exe -Embedding
Path: C:\WINDOWS\system32\OpenWith.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)

PID: 3864
CMD: "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
Path: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 1
Version: 11.00.16299.402 (WinBuild.160101.0800)

PID: 2060
CMD: C:\WINDOWS\system32\browser_broker.exe -Embedding
Path: C:\WINDOWS\system32\browser_broker.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Browser_Broker
Exit code: 2147500037
Version: 11.00.16299.15 (WinBuild.160101.0800)

PID: 3308
CMD: C:\Windows\System32\RuntimeBroker.exe -Embedding
Path: C:\Windows\System32\RuntimeBroker.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Runtime Broker
Version: 10.0.16299.15 (WinBuild.160101.0800)

PID: 4856
CMD: "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Path: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge Content Process
Exit code: 0
Version: 11.00.16299.402 (WinBuild.160101.0800)

PID: 1932
CMD: "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Path: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge Content Process
Exit code: 1
Version: 11.00.16299.402 (WinBuild.160101.0800)

PID: 4924
CMD: "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Path: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge Content Process
Exit code: 0
Version: 11.00.16299.402 (WinBuild.160101.0800)

PID: 3060
CMD: "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Path: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge Content Process
Exit code: 0
Version: 11.00.16299.402 (WinBuild.160101.0800)

PID: 6340
CMD: C:\Windows\System32\RuntimeBroker.exe -Embedding
Path: C:\Windows\System32\RuntimeBroker.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Runtime Broker
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)
Total events: 8 365
Read events: 7 368
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 10
Text files: 142
Unknown types: 12

Dropped files

PID: 3864 (MicrosoftEdge.exe)
Filename: C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
Type: not listed
MD5: not listed
SHA256: not listed

PID: 3864 (MicrosoftEdge.exe)
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
Type: not listed
MD5: not listed
SHA256: not listed

PID: 3864 (MicrosoftEdge.exe)
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
Type: not listed
MD5: not listed
SHA256: not listed

PID: 5692 (OUTLOOK.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\.session64
Type: binary
MD5: 009421AB095EA93CB203D86BC0D3C271
SHA256: 5F515070358AB278B2D83EABF5E95654FE250DB25A10D995FFF4AEEB215D3B92

PID: 1932 (MicrosoftEdgeCP.exe)
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\XFX9M9IP\EDJH21KJ.htm
Type: html
MD5: F4F07309889944887356724D85636A89
SHA256: 54BDEC9710CD07F2FE1ECC84E821A5A15C87DB84FE2D23BECEE164614A5044B8

PID: 1932 (MicrosoftEdgeCP.exe)
Filename: C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AD2SZ9CR\materialize.min[1].css
Type: text
MD5: B26ACC100B5E8D84F6992D3E6574089F
SHA256: 06FAB51359128393A5F3BD6F0E6E625B05EC10E61D74075FD37185FFC15FF8DD

PID: 5692 (OUTLOOK.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Type: pgc
MD5: D5C55E74BDF199237AE8C3D308DB1B4A
SHA256: 257A0AD8A32FFFD7BF6AE66506AEE645D39B5CB857319D1C054A284E50289B04

PID: 5692 (OUTLOOK.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_DBE94A85F8649B4FBBEA7ED958BFE171.dat
Type: xml
MD5: 807EF0FC900FEB3DA82927990083D6E7
SHA256: 4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913

PID: 5692 (OUTLOOK.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B3B1D48C-0BB4-4B94-B090-8ACB7C7CDFD0
Type: xml
MD5: 0D84D45768BC47DB6E02CEA847391252
SHA256: 46CCC4FE927BD7F4FE2333FFE83C96BA17ECB1A8BAC31C118BEDD65977DEDA3C

PID: 1932 (MicrosoftEdgeCP.exe)
Filename: C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LCEF4J41\bootstrap[1].css
Type: text
MD5: EA6EC4F237685BD28936CB2EC8B8061B
SHA256: 3918856FA4F25004BEABBDB1B37AC553E8DA7A8BD4A2DD3186A66EC2C23C4A58
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 106
TCP/UDP connections: 93
DNS requests: 38
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 302 | 31.192.213.23:80 | http://es.kuvve.net/class.php | TR | - | - | unknown
5692 | OUTLOOK.EXE | GET | 200 | 13.107.3.128:443 | https://config.edge.skype.com/config/v1/Office/16.0.11328.20158?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=outlook&Platform=win32&Version=16.0.11328.20158&MsoVersion=16.0.11328.20156&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b873062D3-EFB2-4A70-AAF7-8E8A4BABAF1B%7d&LabMachine=false | US | text | 56.6 Kb | whitelisted
2676 | SearchProtocolHost.exe | GET | 200 | 13.107.3.128:443 | https://config.edge.skype.com/config/v1/Office/0.0.0.0?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=unknown_app&Platform=win32&Version=0.0.0.0&MsoVersion=16.0.11328.20156&Audience=Production&Build=ship&Architecture=x64&Language=en-US&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b4399FFDF-826C-432E-A216-9B40C1CE3029%7d&LabMachine=false | US | text | 5.44 Kb | whitelisted
2676 | SearchProtocolHost.exe | GET | 204 | 52.109.8.20:443 | https://nexusrules.officeapps.live.com/nexus/rules?Application=searchprotocolhost.exe&Version=7.0.16299.402&ClientId=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&OSEnvironment=10&MsoAppId=-2&AudienceName=Production&AudienceGroup=Production&AppVersion=7.0.16299.402& | US | - | - | whitelisted
- | - | GET | 200 | 23.20.248.43:443 | https://docparser.com/css/fontawesome5/fontawesome-pro-light.css | US | text | 553 b | unknown
- | - | GET | 200 | 23.20.248.43:443 | https://docparser.com/ | US | html | 37.4 Kb | unknown
- | - | GET | 200 | 23.20.248.43:443 | https://docparser.com/css/fontawesome5/fontawesome-pro-regular.css | US | text | 569 b | unknown
- | - | GET | 200 | 23.20.248.43:443 | https://docparser.com/img/logo.png | US | image | 13.1 Kb | unknown
- | - | GET | 200 | 23.20.248.43:443 | https://docparser.com/css/fontawesome5/fontawesome-pro-core.css | US | text | 36.8 Kb | unknown
- | - | GET | 200 | 23.20.248.43:443 | https://docparser.com/css/materialize.min.css | US | text | 115 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2676 | SearchProtocolHost.exe | 52.109.8.20:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted
5692 | OUTLOOK.EXE | 52.114.158.53:443 | self.events.data.microsoft.com | Microsoft Corporation | US | whitelisted
5692 | OUTLOOK.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted
5464 | svchost.exe | 40.90.137.124:443 | login.live.com | Microsoft Corporation | US | unknown
- | - | 31.192.213.23:80 | es.kuvve.net | Netinternet Bilisim Teknolojileri AS | TR | unknown
2676 | SearchProtocolHost.exe | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted
- | - | 172.217.18.106:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
5692 | OUTLOOK.EXE | 52.109.8.20:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted
- | - | 23.20.248.43:443 | docparser.com | Amazon.com, Inc. | US | unknown
5692 | OUTLOOK.EXE | 52.109.76.6:443 | officeclient.microsoft.com | Microsoft Corporation | IE | whitelisted

DNS requests

Domain | IP | Reputation
config.edge.skype.com | 13.107.3.128 | whitelisted
login.live.com | 40.90.137.124, 40.90.23.154, 40.90.23.208 | whitelisted
self.events.data.microsoft.com | 52.114.158.53 | whitelisted
nexusrules.officeapps.live.com | 52.109.8.20 | whitelisted
es.kuvve.net | 31.192.213.23 | unknown
officeclient.microsoft.com | 52.109.76.6 | whitelisted
docparser.com | 23.20.248.43 | unknown
fonts.googleapis.com | 172.217.18.106, 172.217.21.234 | whitelisted
fast.wistia.com | 151.101.2.110, 151.101.66.110, 151.101.130.110, 151.101.194.110 | whitelisted
assets.capterra.com | 13.32.218.197, 13.32.218.243, 13.32.218.177, 13.32.218.119 | shared

Threats

No threats detected
Process | Message
OUTLOOK.EXE | Reminder Queue Starts ===========================:
OUTLOOK.EXE | ReminderQueue: Hrinitialize hr = 0
OUTLOOK.EXE | ReminderQueueBase:InitializeTable hr=0
OUTLOOK.EXE | ReminderQueue: ProcessNotification: End<-----