Edit tour

Windows Analysis Report
EonnKaIpwBCPoLqScMWqRnkpBnnPKyKpJxXKF.eml

Overview

General Information

Sample name:	EonnKaIpwBCPoLqScMWqRnkpBnnPKyKpJxXKF.eml
Analysis ID:	1467264
MD5:	58872d238043f6de083d8187a835657e
SHA1:	f47fe286d4fad2622744e6b2a9d6304def01e69e
SHA256:	3cb8ecf93cb62afca17e83abea7bb83cd8fafbfddca9de3f52841307c3e1982e
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious e-Mail

Sigma detected: Office Autorun Keys Modification

Stores large binary data to the registry

Classification

Process Tree

System is w10x64native

OUTLOOK.EXE (PID: 8028 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\EonnKaIpwBCPoLqScMWqRnkpBnnPKyKpJxXKF.eml" MD5: 6BE14F2DEA2AB6B01387EC38C4977F4F)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 8028, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: App_1720042306943924200_88C750A9-B7BA-47E5-811E-397EE006B11C.log.0.dr

String found in binary or memory: https://login.windows.net

Source: classification engine

Classification label: sus21.winEML@1/9@0/0

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_14326_20404-20240703T1731460820-8028.etl

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected suspicious e-Mail

Source: e-Mail

LLM: Score: 9 Reasons: The email impersonates Microsoft, a well-known brand, by using its logo and mentioning Microsoft services. The sender's email address (no-reply@microsoft.com) appears legitimate at first glance but could be spoofed. The subject line 'Microsoft account unusual sign-in activity' creates a sense of urgency, which is a common phishing tactic. The email body contains a warning about account problems and urges the recipient to review recent activity, which is designed to induce clicks on the provided hyperlink. The URL 'https://account.microsoft.com/security' appears legitimate but could be deceptive. Overall, the email exhibits multiple characteristics of a phishing attempt.

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 0

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	File Volume queried: C:\Windows\System32 FullSizeInformation			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	File Volume queried: C:\Windows\System32 FullSizeInformation			Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	Path Interception	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Modify Registry	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://login.windows.net	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.windows.net	App_1720042306943924200_88C750A9-B7BA-47E5-811E-397EE006B11C.log.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467264
Start date and time:	2024-07-03 23:29:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EonnKaIpwBCPoLqScMWqRnkpBnnPKyKpJxXKF.eml
Detection:	SUS
Classification:	sus21.winEML@1/9@0/0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 52.113.194.132, 20.189.173.9
Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, onedscolprdwus08.westus.cloudapp.azure.com, s-0005.s-msedge.net, self.events.data.microsoft.com, ecs.office.trafficmanager.net, s-0005-office.config.skype.com, ecs-office.s-0005.s-msedge.net
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: EonnKaIpwBCPoLqScMWqRnkpBnnPKyKpJxXKF.eml

Input	Output
URL: e-Mail Model: gpt-4o	```json{ "riskscore": 9, "brand_impersonated": "Microsoft", "reasons": "The email impersonates Microsoft, a well-known brand, by using its logo and mentioning Microsoft services. The sender's email address (no-reply@microsoft.com) appears legitimate at first glance but could be spoofed. The subject line 'Microsoft account unusual sign-in activity' creates a sense of urgency, which is a common phishing tactic. The email body contains a warning about account problems and urges the recipient to review recent activity, which is designed to induce clicks on the provided hyperlink. The URL 'https://account.microsoft.com/security' appears legitimate but could be deceptive. Overall, the email exhibits multiple characteristics of a phishing attempt."}

URL: e-Mail Model: gpt-4o

```json{  "riskscore": 9,  "brand_impersonated": "Microsoft",  "reasons": "The email impersonates Microsoft, a well-known brand, by using its logo and mentioning Microsoft services. The sender's email address (no-reply@microsoft.com) appears legitimate at first glance but could be spoofed. The subject line 'Microsoft account unusual sign-in activity' creates a sense of urgency, which is a common phishing tactic. The email body contains a warning about account problems and urges the recipient to review recent activity, which is designed to induce clicks on the provided hyperlink. The URL 'https://account.microsoft.com/security' appears legitimate but could be deceptive. Overall, the email exhibits multiple characteristics of a phishing attempt."}

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	239628
Entropy (8bit):	4.285886731825563
Encrypted:	false
SSDEEP:	3072:8rgnB9gh+miGu2MqoQ7rt0FvwzaXL95T:82Xmi2Z9aXL95
MD5:	ABAF625F7454C73A5CF0A1C862E13351
SHA1:	7E3B470C3B95B3682470332AB2ABFA1C853E9622
SHA-256:	A7E6E97D7011A53F793E31F9FF0C36EBBAEF9CA50E0888EB4875D0EFF0E702D7
SHA-512:	0FED4FD6338F60B53B51F329440E62242080F8ABB6608677AE6119A68F5DCDF2AA874A7AD04627E7B8F757DA91388D7382086A8A8F4B61FE60FCF13D927D2EEC
Malicious:	false
Reputation:	low
Preview:	TH02...... ...b[........SM01(.........Y[............IPM.Activity...........h.......................h....................H..h............`.........h.........:..........H..h.... ..................h....0..................h.......................h......................h....@........K.........h.:..H................0....T.......................d.......p........2h.... ..................kc.o.........E.\.......!h...................... h............g+........#h....8.................$h............<........."h.............B.......'h..............S......1h....<.................0hhur\8.......Local\Te../h....l..............H..h....p........n.......-h.............7........+h.................................... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..............1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(...

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04591939678467531
Encrypted:	false
SSDEEP:	3:Gtlxtjl+fiouLb3aLBPlxtjl+fiouLb3aLKlljR9//8l1lvlll1lllwlvlllglbG:GteCv3adPeCv3a+t9X01PH4l942wU
MD5:	B6DE07A65E266CC89AE469EB028267FE
SHA1:	391A126B374E2CC07B16C7AA302881A969E63AB6
SHA-256:	24DB455DCBC6B2A4EBE604EAAD76757A552A7B68A34266853513C7957263E697
SHA-512:	5DD5DF30E3578BF2AD6981971CBB0126293624DA6504B83F0EEA5FB858BF2EE4DBC2512C8164E42527CA651D61F4A2401144579C0A16D7D306B848900A79F4AA
Malicious:	false
Reputation:	low
Preview:	..-......................,...G.......O..~.Te@...-......................,...G.......O..~.Te@.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.4841119383498932
Encrypted:	false
SSDEEP:	48:A8GQ1PR58Ull7DYMLq8zO8VFDYMkKkDO8VFDYML:AuVPll4hkjVG9KsjVGC
MD5:	E8640FDFB0DAC6A0FD59A74640A5884E
SHA1:	498152FF0B64DB5196FE51E35B459BA7C1AD19BC
SHA-256:	C509B1202E1760BB46F1A24E9CC6247B400AD00B172079A17CAD75840D111216
SHA-512:	1D595DE62B8416B30B784B5EAEE6E66CF7B88E8C66B927456FE1253073BBF1614296AAB0050A7837F21D31C536B08AD95CF7F39E121F56EDA46A5D72777947A4
Malicious:	false
Reputation:	low
Preview:	7....-...............O.....j5.r.............O.0H~.l"(.SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App_1720042306943924200_88C750A9-B7BA-47E5-811E-397EE006B11C.log

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28042), with CRLF line terminators
Category:	dropped
Size (bytes):	16777216
Entropy (8bit):	0.1878977118236389
Encrypted:	false
SSDEEP:	1536:I4mtWQc9WINMdzcc4mTGJvVFldcPF2wN/IS/I+bobYvfp+OHXyBBODHaM/B/sJJT:fgWvrIK/b8J
MD5:	A68658B86137215E8992D991AF64A822
SHA1:	9619BAC01A8C810D48FB7E7763093551388C8EC0
SHA-256:	DAD2865A19D33DE2DD7D633A56BC7A85E3C7DC370682BF783DAAAE7112D1EDE1
SHA-512:	A6D40EDEEC38CFE529996B9607AB1FC73F7302AC4816D36E6AD66D4C80CFECDFF990600B0EEB0F149C72151A772EAB6EAFA135DE4DEFA6733D96330F4C93323D
Malicious:	false
Reputation:	low
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..07/03/2024 21:31:46.960.OUTLOOK (0x1F5C).0x1498.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Experimentation.FeatureQueryBatched","Flags":33777005812056321,"InternalSequenceNumber":32,"Time":"2024-07-03T21:31:46.960Z","Data.Sequence":0,"Data.Count":128,"Data.Features":"[ { \"ID\" : 6, \"N\" : \"Microsoft.Office.Diagnostics.WerCrashDLLEnabled\", \"V\" : true, \"S\" : 11, \"P\" : 0, \"T\" : \"2024-07-03T21:31:46.8200372Z\", \"C\" : \"39\", \"Q\" : 4.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 6, \"N\" : \"Microsoft.Office.Telemetry.TrackCPSWrites\", \"V\" : false, \"S\" : 1, \"P\" : 0, \"T\" : \"2024-07-03T21:31:46.8200372Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 6, \"N\" : \"Microsoft.Office.Telemetry.CPSMaxWrites\", \"V\" : 2, \"S\" : 1, \"P\" : 0, \"T\" : \"2024-07-03T21:31:46.8200372Z\", \"C\" : \"33\", \"Q\" : 6.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 6, \"N\" :

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App_1720042306944514700_88C750A9-B7BA-47E5-811E-397EE006B11C.log

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	16777216
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	2C7AB85A893283E98C931E9511ADD182
SHA1:	3B4417FC421CEE30A9AD0FD9319220A8DAE32DA2
SHA-256:	080ACF35A507AC9849CFCBA47DC2AD83E01B75663A516279C8B9D243B719643E
SHA-512:	7E208B53E5C541B23906EF8ED8F5E12E4F1B470FBD0D3E907B1FC0C0B8D78EB1BBFB5A77DCFD9535ACF6FA47F4AB956D188B770352C13B0AB7E0160690BAE896
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_14326_20404-20240703T1731460820-8028.etl

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 134217728.000000
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	4.4010301594635015
Encrypted:	false
SSDEEP:	768:FrbpJ15zgPNeHa/Y1MkQbJFCCmbTcxPTXWwkm7+cgIcKNB6rb+1gpbz/N/WSa05w:FfET1gMZ4gwq7kSW16iAGPlymfXESIW+
MD5:	989E11A5B70F1F87611CC7C548A678AB
SHA1:	92ACBAF5EC8CFE44C526D8D852FDB4D23EE1B73D
SHA-256:	3B30155B98A388BB23546AB4ECCC2C5363C343582444A660EB40AFD06021043F
SHA-512:	3917ECD170F14C3D75687E2996AD75FBAF3AC7505E732837D6EA0B5AED1F929A049253E13A449E5C42FDD69D23266650EC12EDCC2840AD5B87D8516ECA9FC8D5
Malicious:	false
Reputation:	low
Preview:	............................................................................l.......\.....5h....................bJ..............Zb..2...........................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@N..B.............5h............v.2._.O.U.T.L.O.O.K.:.1.f.5.c.:.8.7.3.c.f.b.5.2.4.1.6.2.4.9.d.1.9.b.8.9.c.e.5.3.3.a.a.b.5.f.9.1...C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.4.3.2.6._.2.0.4.0.4.-.2.0.2.4.0.7.0.3.T.1.7.3.1.4.6.0.8.2.0.-.8.0.2.8...e.t.l...........P.P.....\.....5h............................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	2.725480556997868
Encrypted:	false
SSDEEP:	3:Qkh1QNIl:Qk8W
MD5:	D1F4EBCAA7623D3DBFBF051D65AB1130
SHA1:	A51DDF1371C35784AA2AF44C5EE706285B378CF7
SHA-256:	A838F07E91D01FCF6874D4F5495F69B9E6AB483D367E0E188A809700DC0D0AAE
SHA-512:	EC32CB4736C75066947B9478B644F550D8B48510D98B4E2D065DFF2219F94D76E83AC886D9FEE795580C17C33388A8B7AA858F71754C97A34CAF976B21B17448
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..A.r.t.h.u.r.....

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	2.6224750367114247
Encrypted:	false
SSDEEP:	1536:O9QMSXhNTgGVERN0VH2eqtgyrEUgWa3jEpEHPvir9AwrWlwWa3jEpEHPvir9Awrp:Ov9QixvpDg/pD4
MD5:	05A4DAF024BF8669A2399F42714F41CB
SHA1:	0F3FAC08A9EEC113F140451D4EF8BCE7C897F5F7
SHA-256:	019CC5FC20C7B34A81A0BEE82619EDAEEB2012B19BEC8B2A3CB737410F1AEFB8
SHA-512:	77209B21BF95A2511FB6BA3CEB4F6A3707454DBCAC7704ADA0619AEBAEA570BD945F1CC0FDB7C611038464685AE232A4DEA3CAC65A84D154CD88D22D63C1E708
Malicious:	false
Reputation:	low
Preview:	!BDN...}SM......x...\.Q.................Y................@...........@...@...................................@...........................................................................$.......D..................................................................................................................................................................................................................................................................................................................................p..........}.Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	3.365540774848081
Encrypted:	false
SSDEEP:	1536:vWa3jEpEHPvir9Awr1h3rEvnt2N0PH2e+Wa3jEpEHPvir9AwrLZFlzTPxA2:+pDdK4yHpDDF7
MD5:	DE5B2655D93F94890030F66B28F45316
SHA1:	78B99B2DFDD61DCB4CA40C656BCDDD7634343C8B
SHA-256:	32A65C54E91BEA02C620DEE6EB88FF3E40DA6E4CEFEE7DE07CFD23889BFBDAA6
SHA-512:	B65FF0D066EE7420C5EC27A4F7F8072B5C2D2E3A4AF2266B7BDB8111C5F7C1FC9B832594BF2A584CD08BD8A3BF04E7013E5CC0BA1F3C31A7A3F4396DEC74CB99
Malicious:	false
Reputation:	low
Preview:	..03C...k.......\......h......................#.!BDN...}SM......x...\.Q.................Y................@...........@...@...................................@...........................................................................$.......D..................................................................................................................................................................................................................................................................................................................................p..........}.Q.....h.........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	news or mail, ASCII text
Entropy (8bit):	5.421768764655938
TrID:
File name:	EonnKaIpwBCPoLqScMWqRnkpBnnPKyKpJxXKF.eml
File size:	13'463 bytes
MD5:	58872d238043f6de083d8187a835657e
SHA1:	f47fe286d4fad2622744e6b2a9d6304def01e69e
SHA256:	3cb8ecf93cb62afca17e83abea7bb83cd8fafbfddca9de3f52841307c3e1982e
SHA512:	a93c196d3fcbec2354afbd744aeaf7b91e55bc0ad9fc29d5ec00ae4f35a8a774a61567c1de92613f736b71e82cd2f2b9abbf2e58455dfaf37e923b065e59960b
SSDEEP:	192:Z3Cwld4eZiGDstSB7ZW7sgO+Phohpvn7/EBxvBvL8GAl2:ZFCS3l+5ohZLEl8GAl2
TLSH:	0552D6E28C026F329774D94678ED87D7384CBB4F29F1105E0869DB49A391AFC94F12E8
File Content Preview:	From: e-Share Document <sharedonlinedocument@e-sign.com>.To: <kniechwiadowicz@alkegen.com>.Subject: Alkegen shared e-Sign Documents on July 3, 2024.Content-Type: multipart/related; boundary="cUvoCdrmTdAHRbPSeLUeBHtpeX".MIME-Version: 1.0..--cUvoCdrmTdAHRbP

Static Mail

General

Subject:	Alkegen shared e-Sign Documents on July 3, 2024
From:	e-Share Document <sharedonlinedocument@e-sign.com>
To:	kniechwiadowicz@alkegen.com
Cc:
BCC:
Date:
Communications:
Attachments:

Headers

Key	Value
From	e-Share Document <sharedonlinedocument@e-sign.com>
To	kniechwiadowicz@alkegen.com
Subject	Alkegen shared e-Sign Documents on July 3, 2024
Content-Type	multipart/related; boundary="cUvoCdrmTdAHRbPSeLUeBHtpeX"
MIME-Version	1.0

File Icon


Icon Hash:	46070c0a8e0c67d6

Target ID:	0
Start time:	17:31:46
Start date:	03/07/2024
Path:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\EonnKaIpwBCPoLqScMWqRnkpBnnPKyKpJxXKF.eml"
Imagebase:	0x7ff6aefc0000
File size:	42'157'856 bytes
MD5 hash:	6BE14F2DEA2AB6B01387EC38C4977F4F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EonnKaIpwBCPoLqScMWqRnkpBnnPKyKpJxXKF.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMDATA64.DAT

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App_1720042306943924200_88C750A9-B7BA-47E5-811E-397EE006B11C.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App_1720042306944514700_88C750A9-B7BA-47E5-811E-397EE006B11C.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_14326_20404-20240703T1731460820-8028.etl

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: OUTLOOK.EXEPID: 8028, Parent PID: 5064

General

Chronological Activities

Disassembly

Windows Analysis Report
EonnKaIpwBCPoLqScMWqRnkpBnnPKyKpJxXKF.eml