File name: Invoice 6469 from FourthLine.msg
Full analysis: https://app.any.run/tasks/3845a672-a1a5-4468-a71b-2a252c42e130
Verdict: Malicious activity
Analysis date: December 18, 2018, 11:57:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: A7D12A9A851688FD322D1662E9AAFFC9
SHA1: C16B8C416A7F563C288EB72263D1EAD010826AA8
SHA256: D438D5F996397B74B2F12BC0B0C5893D438CE0B3830739EC087E3908CB7F2B20
SSDEEP: 3072:7Hn+ZHKEfbwQUFtAMLBS2wQUFtAMJTZ9+cob:a5KK/+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 3468)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 3468)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 3468)
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 3468)
  • INFO
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 3468)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3496)
    • Changes internet zones settings
      • iexplore.exe (PID: 2600)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3496)
    • Application launched itself
      • iexplore.exe (PID: 2600)
      • chrome.exe (PID: 2836)
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 17
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive graph, available in the full report. Nodes shown: start, outlook.exe, iexplore.exe, iexplore.exe, chrome.exe, and further chrome.exe processes marked "no specs".)

Process information

Columns in the original table: PID, CMD, Path, Indicators, Parent process. Indicators per process are listed in the Indicators section above.

PID 3468
  CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Invoice 6469 from FourthLine.msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Outlook
  Version: 14.0.6025.1000

PID 2600
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fquickbooks.hhpd.com%2Fportal%2Fapp%2FCommerceNetwork%2Fview%2F751dd1e8940f4bf0a3f58528e1cdaca9a7ed5cfb20a445d7b7ac973114d716a640d893994c3147469013d97ad94ec6be&data=02%7C01%7Csteph.chapman%40drax.com%7C4b0adc7205904c773cd008d664deb8a2%7C007c146d3d97467d849f6f4fe5a6a0f3%7C0%7C1%7C636807305077798930&sdata=i3%2Bh%2F1CqapTLYBHeani8ok22uSN2OxHibfGZvLkLKwM%3D&reserved=0
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: OUTLOOK.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3496
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2600 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2836
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: explorer.exe
  User: admin
  Company: Google Inc.
  Integrity Level: MEDIUM
  Description: Google Chrome
  Version: 68.0.3440.106

PID 3676
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x617000b0,0x617000c0,0x617000cc
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google Inc.
  Integrity Level: MEDIUM
  Description: Google Chrome
  Version: 68.0.3440.106

PID 3060
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2840 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google Inc.
  Integrity Level: MEDIUM
  Description: Google Chrome
  Version: 68.0.3440.106

PID 2372
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=972,14356425223872444567,6415075583914672076,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=7344C6826B66CB417D4795696DB58BEA --mojo-platform-channel-handle=996 --ignored=" --type=renderer " /prefetch:2
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google Inc.
  Integrity Level: LOW
  Description: Google Chrome
  Version: 68.0.3440.106

PID 3576
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=972,14356425223872444567,6415075583914672076,131072 --enable-features=PasswordImport --service-pipe-token=0867C2974AC856107371D5E1C5396E00 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=0867C2974AC856107371D5E1C5396E00 --renderer-client-id=5 --mojo-platform-channel-handle=1916 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google Inc.
  Integrity Level: LOW
  Description: Google Chrome
  Exit code: 0
  Version: 68.0.3440.106

PID 2164
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=972,14356425223872444567,6415075583914672076,131072 --enable-features=PasswordImport --service-pipe-token=54DD64743B2EE8ECAE4B6E9227634DD0 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=54DD64743B2EE8ECAE4B6E9227634DD0 --renderer-client-id=3 --mojo-platform-channel-handle=1536 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google Inc.
  Integrity Level: LOW
  Description: Google Chrome
  Exit code: 0
  Version: 68.0.3440.106

PID 3112
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=972,14356425223872444567,6415075583914672076,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=3351BB9FF37D67DEF1A83E17415CE9C9 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3351BB9FF37D67DEF1A83E17415CE9C9 --renderer-client-id=6 --mojo-platform-channel-handle=3004 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google Inc.
  Integrity Level: LOW
  Description: Google Chrome
  Exit code: 0
  Version: 68.0.3440.106
Total events: 2 146
Read events: 1 604
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 51
Text files: 95
Unknown types: 3

Dropped files

PID | Process | Filename | Type

3468 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7BD.tmp.cvr |
  MD5:
  SHA256:
2600 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico |
  MD5:
  SHA256:
2600 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico |
  MD5:
  SHA256:
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\751dd1e8940f4bf0a3f58528e1cdaca9a7ed5cfb20a445d7b7ac973114d716a640d893994c3147469013d97ad94ec6be[1].txt |
  MD5:
  SHA256:
2600 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].htm |
  MD5:
  SHA256:
2600 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico |
  MD5:
  SHA256:
3468 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: 4D8FCF0D4B6782895A731445D5EA31F3
  SHA256: 89DAAE4AD2879AC6B2CAD7A292BA50BA1D8284B918D3EA8D888E7604DECC47DF
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\751dd1e8940f4bf0a3f58528e1cdaca9a7ed5cfb20a445d7b7ac973114d716a640d893994c3147469013d97ad94ec6be[1].htm | html
  MD5: B51BA749F9060866E40F38056E937D91
  SHA256: 5F5FD05C4C971CFDBD58A9AF797B014834054FB9973091E6A7C9F802A43F0E26
3496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\icn[1].css | html
  MD5: B51BA749F9060866E40F38056E937D91
  SHA256: 5F5FD05C4C971CFDBD58A9AF797B014834054FB9973091E6A7C9F802A43F0E26
3468 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A106361D-517A-4F64-BEE0-72C65F3DF769}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image
  MD5: 7D80C0A7E3849818695EAF4989186A3C
  SHA256: 72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
HTTP(S) requests: 13
TCP/UDP connections: 113
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3496 | iexplore.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/751dd1e8940f4bf0a3f58528e1cdaca9a7ed5cfb20a445d7b7ac973114d716a640d893994c3147469013d97ad94ec6be | FR | html | 30.6 Kb | unknown
2836 | chrome.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/751dd1e8940f4bf0a3f58528e1cdaca9a7ed5cfb20a445d7b7ac973114d716a640d893994c3147469013d97ad94ec6be | FR | html | 30.6 Kb | unknown
3468 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted
3496 | iexplore.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/icn-secondary.css | FR | html | 30.6 Kb | unknown
2600 | iexplore.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/favicon.ico | FR | html | 30.6 Kb | unknown
2836 | chrome.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/icn.css | FR | html | 30.6 Kb | unknown
3496 | iexplore.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/hui.css | FR | html | 30.6 Kb | unknown
2836 | chrome.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/hui.css | FR | html | 30.6 Kb | unknown
3496 | iexplore.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/icn.css | FR | html | 30.6 Kb | unknown
2836 | chrome.exe | GET | 200 | 91.121.222.18:80 | http://quickbooks.hhpd.com/portal/app/CommerceNetwork/view/index_files/icn-secondary.css | FR | html | 30.6 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3468 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
2600 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3496 | iexplore.exe | 91.121.222.18:80 | quickbooks.hhpd.com | OVH SAS | FR | unknown
3496 | iexplore.exe | 157.55.234.46:443 | emea01.safelinks.protection.outlook.com | Microsoft Corporation | IE | whitelisted
3496 | iexplore.exe | 104.109.74.217:443 | assets.intuitcdn.net | Akamai International B.V. | NL | whitelisted
3496 | iexplore.exe | 104.47.10.28:443 | eur03.safelinks.protection.outlook.com | Microsoft Corporation | IE | whitelisted
2600 | iexplore.exe | 91.121.222.18:80 | quickbooks.hhpd.com | OVH SAS | FR | unknown
2836 | chrome.exe | 216.58.215.234:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
2836 | chrome.exe | 172.217.17.35:443 | www.google.de | Google Inc. | US | whitelisted
2836 | chrome.exe | 172.217.168.35:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
emea01.safelinks.protection.outlook.com | 157.55.234.46 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
eur03.safelinks.protection.outlook.com | 104.47.10.28, 104.47.9.28 | whitelisted
quickbooks.hhpd.com | 91.121.222.18 | unknown
assets.intuitcdn.net | 104.109.74.217 | unknown
www.google.de | 172.217.17.35 | whitelisted
clientservices.googleapis.com | 172.217.168.35 | whitelisted
www.gstatic.com | 172.217.168.35 | whitelisted
safebrowsing.googleapis.com | 216.58.215.234 | whitelisted

Threats

No threats detected

Debug info

No debug info