Windows
Analysis Report
https://attachments.office.net/owa/tgibbs@Hensley.com/service.svc/s/GetAttachmentThumbnail?id=AAMkADgzNmFhNjQ5LTRlODktNDAwNC05YmNmLWY1YjBiOWY4YjVlZgBGAAAAAAAQyTkhQyDeRbmqEQP7YN7hBwCilU2fRgNGQ54Hblxt0RJhAAAYVNm4AAAYxQNzU2dnQrP86tSpYFIIAxlMIxl5AAABEgAQALQPWuNNA3JCl1e5%2Bp5B9H8%3D&thumbnailType=2&token
Overview
General Information
Detection
Score: | 0 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64_ra
- chrome.exe (PID: 6124 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://attachments.office.net/owa/tgibbs@Hensley.com/service.svc/s/GetAttachmentThumbnail?id=AAMkADgzNmFhNjQ5LTRlODktNDAwNC05YmNmLWY1YjBiOWY4YjVlZgBGAAAAAAAQyTkhQyDeRbmqEQP7YN7hBwCilU2fRgNGQ54Hblxt0RJhAAAYVNm4AAAYxQNzU2dnQrP86tSpYFIIAxlMIxl5AAABEgAQALQPWuNNA3JCl1e5%2Bp5B9H8%3D&thumbnailType=2&token=[JWT elided]&X-OWA-CANARY=MallLIVB50iC3YjN013a2sCkMqsywNsY_GoZ0PIfjtns9RLYHdWy20_KQBzI-Owi_hDoSZlrRP8.&owa=outlook.office.com&scriptVer=20230915006.20&animation=true MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
- chrome.exe (PID: 5756 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1592 --field-trial-handle=1800,i,7124171202341282985,811105926499202913,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
- cleanup
- Phishing
- Compliance
- Networking
- System Summary
There are no malicious signatures.
Signature sources:
- Sample URL
- Directory created
- DNS traffic detected
- Network traffic detected
- UDP traffic detected without corresponding DNS query
- Classification label
- File created
- Process created
- Window detected
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 3 Masquerading | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
SJC-efz.ms-acdc.office.com | 52.96.110.50 | true | false | | high |
accounts.google.com | 142.250.68.109 | true | false | | high |
www.google.com | 142.250.217.132 | true | false | | high |
clients.l.google.com | 142.250.72.238 | true | false | | high |
clients2.google.com | unknown | unknown | false | | high |
attachments.office.net | unknown | unknown | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
9.9.9.9 | unknown | United States | | 19281 | QUAD9-AS-1US | false |
142.250.72.238 | clients.l.google.com | United States | | 15169 | GOOGLEUS | false |
172.217.12.131 | unknown | United States | | 15169 | GOOGLEUS | false |
1.1.1.1 | unknown | Australia | | 13335 | CLOUDFLARENETUS | false |
172.217.12.132 | unknown | United States | | 15169 | GOOGLEUS | false |
239.255.255.250 | unknown | Reserved | | unknown | unknown | false |
142.250.68.109 | accounts.google.com | United States | | 15169 | GOOGLEUS | false |
52.96.110.50 | SJC-efz.ms-acdc.office.com | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
142.250.68.35 | unknown | United States | | 15169 | GOOGLEUS | false |
142.250.68.3 | unknown | United States | | 15169 | GOOGLEUS | false |
Joe Sandbox Version: | 38.0.0 Beryl |
Analysis ID: | 1315932 |
Start date and time: | 2023-09-28 16:54:41 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Sample URL: | https://attachments.office.net/owa/tgibbs@Hensley.com/service.svc/s/GetAttachmentThumbnail?id=AAMkADgzNmFhNjQ5LTRlODktNDAwNC05YmNmLWY1YjBiOWY4YjVlZgBGAAAAAAAQyTkhQyDeRbmqEQP7YN7hBwCilU2fRgNGQ54Hblxt0RJhAAAYVNm4AAAYxQNzU2dnQrP86tSpYFIIAxlMIxl5AAABEgAQALQPWuNNA3JCl1e5%2Bp5B9H8%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjczRkI5QkJFRjYzNjc4RDRGN0U4NEI0NDBCQUJCMTJBMzM5RDlGOTgiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJjX3VidnZZMmVOVDM2RXRFQzZ1eEtqT2RuNWcifQ.[payload elided].Qm6T4klUEX7x_SYyloLIeJ-BAYAH1F1ilqhQI_pcqbMx0D_-VUPoenRHqUmu5m4GFDlJztyvMiyFhcs4wJ0Br5owMIaHhMwtvY0h0j_U-9yCkOY987yl7FxMDyuBGTA7DrMJFydFfe68PziUxfhLWcn_JGoysTqXW6lYMim1PFjTtQPkIQmrGYFGAVdHjxMPDdOX8-dre7ZHpruSBVGM1ezVDv546cSsJ-tWTtdipIl9bViVtuD2jfwiN10eN0ts3QlbYtvFudn3uJHEmGMU_8FvRDN7ddIFTS4i94bZsBmZBIkyRD6pnnjZAUSzHBHNo1806smDGbhzU8CX9XhxVg&X-OWA-CANARY=MallLIVB50iC3YjN013a2sCkMqsywNsY_GoZ0PIfjtns9RLYHdWy20_KQBzI-Owi_hDoSZlrRP8.&owa=outlook.office.com&scriptVer=20230915006.20&animation=true |
Analysis system description: | Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip) |
Number of new started processes analysed: | 20 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean0.win@20/3@5/91 |
- Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, usocoreworker.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 142.250.68.3, 34.104.35.123
- Excluded domains from analysis (whitelisted): fs.microsoft.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, clientservices.googleapis.com
- Not all processes were analyzed; the report is missing behavior information
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 43231 |
Entropy (8bit): | 7.945641087526721 |
Encrypted: | false |
SSDEEP: | |
MD5: | AB0C503774F985CFC9A7E808248F3898 |
SHA1: | 23E63224C00DAE8B7FA2D6A1762BC4C8E48800F6 |
SHA-256: | 1BA9F6B93FE640DF512015C02CF2C387902D361893410C21284DB4A752DE6006 |
SHA-512: | A53AAB326634D49D9F641C3EACFDF15AB3A26F94D812DA88B6BFB4BB1A8BD5C04F793D3B3393B9501B0BA10AD074E490F23DAC04519437D94D09114F065E5807 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 69275 |
Entropy (8bit): | 7.863711608516148 |
Encrypted: | false |
SSDEEP: | |
MD5: | AB2881B058CD76F3A050B27E846352AF |
SHA1: | EBEDA9344B670D1E30204632521CA715DE9EEEA7 |
SHA-256: | BB5496FFE0EECC9266B3352E009B96AB1F8406DA068D2A971CFE615E38DB3260 |
SHA-512: | D70F99DD98CA47A674DD95BC3C2FA1CFB088850F7E577C23BB143A7F39405894BD045DFD8431A152919688AC6CD80D80632D8DC6D21331E2C7929EBA35FD0B64 |
Malicious: | false |
Reputation: | low |
Preview: |