Windows Analysis Report
Priv_Kamrul Hasan invited you to access applications within their organization.msg
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64
- OUTLOOK.EXE (PID: 8000 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Priv_Kamrul Hasan invited you to access applications within their organization.msg" MD5: 91A5292942864110ED734005B7E005C0)
  - ai.exe (PID: 8164 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5BD4C67A-1450-4BB0-82FE-4D9A19C40EBD" "8FAB2F7E-0513-447A-86BE-2FB5CE6623DC" "8000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
- cleanup
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
There are no malicious signatures.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1467978 |
Start date and time: | 2024-07-05 07:54:15 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 29s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Priv_Kamrul Hasan invited you to access applications within their organization.msg |
Detection: | CLEAN |
Classification: | clean1.winMSG@3/14@0/0 |
EGA Information: | Failed |
Cookbook Comments:
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 52.113.194.132, 184.28.90.27, 20.189.173.23
- Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, s-0005-office.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, s-0005.s-msedge.net, e16604.g.akamaiedge.net, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, onedscolprdwus16.westus.cloudapp.azure.com, mobile.events.data.trafficmanager.net
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
AI e-Mail analysis

Input: URL: e-Mail; Model: gpt-4o

Output:

```json
{
  "riskscore": 6,
  "brand_impersonated": "Microsoft",
  "reasons": "The email appears to impersonate Microsoft by using their branding and mentioning Microsoft services. The sender's email address (priv_kamrul.hasan@mafinancial.com) does not match the domain it claims to represent (moelisaustralia.onmicrosoft.com), which is a red flag for spoofing. The subject line and body of the email create a sense of urgency by asking the recipient to accept an invitation. The URL provided (https://myapplications.microsoft.com/) appears legitimate, but it is important to verify the actual destination of the link by hovering over it or inspecting the HTML code. The email also includes a warning about potential fraudulent invitations, which could be a tactic to gain trust. Overall, the email has several indicators of phishing, including brand impersonation, mismatched sender information, and urgency tactics."
}
```
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 231348 |
Entropy (8bit): | 4.394575923795854 |
Encrypted: | false |
SSDEEP: | 1536:HXYL3wgsa1inrCeTEgsgRNcAz79ysQqt2xPEGqoQm9rcm0Fvm0ty2GwcNvsy0o7K:wggqG1g7miGu2LqoQ0rt0FvKoMa74kJ |
MD5: | 23318054ABA83D39C37C18F4613AC517 |
SHA1: | 12808380994CE5A43C14641AF614DA8AEF1FE784 |
SHA-256: | 379F8B6929123799C95D65B785DA2E16F2F3840C1FB4E777B6E7F73318BB9E7A |
SHA-512: | 26BB2CF3D06B64739250A179E53C88E3A3EA076AF6232EE41541416C4C50BD9108A78FBE2BFBF02BAD9480D85ED60CEB2E353BC00A439B44A513DDF5E02AFF43 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 521377 |
Entropy (8bit): | 4.9084889265453135 |
Encrypted: | false |
SSDEEP: | 3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT |
MD5: | C37972CBD8748E2CA6DA205839B16444 |
SHA1: | 9834B46ACF560146DD7EE9086DB6019FBAC13B4E |
SHA-256: | D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7 |
SHA-512: | 02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 773040 |
Entropy (8bit): | 6.55939673749297 |
Encrypted: | false |
SSDEEP: | 12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2 |
MD5: | 4296A064B917926682E7EED650D4A745 |
SHA1: | 3953A6AA9100F652A6CA533C2E05895E52343718 |
SHA-256: | E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083 |
SHA-512: | A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 0.04522126193421007 |
Encrypted: | false |
SSDEEP: | 3:GtlxtjlGJV4e4oPlxtjlGJV4eg//l1R9//8l1lvlll1lllwlvlllglbelDbllAlU:Gtmb4eTPmb4egt9X01PH4l942wU |
MD5: | 00B74A27F308A251485B32ECC374A380 |
SHA1: | 0B22ECB7E5A71C06923279392C13F31DB8403936 |
SHA-256: | E6C2DCD13A0C7E66B30779CED8285265C34CA999B58E4CC21C73BB617F4640C6 |
SHA-512: | 106495F77BDB712BAFFBF6DBBD5F4D0057694744445DE8A8B41F95A24DCB98153EBD4FE58141B25EEB01AFA48E3746B03931673E36C75FECF4D32919DF31ECEE |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | modified |
Size (bytes): | 49472 |
Entropy (8bit): | 0.48135755039302425 |
Encrypted: | false |
SSDEEP: | 24:KQRnQ3zRD0yUll7DBtDi4kZERDc+yzqt8VtbDBtDi4kZERDhoBqt8VtbDBtDi4kC:dRnQ1tUll7DYMozO8VFDYM+BO8VFDYML |
MD5: | 1275E6C0507C2D5E855650759EE4A8BD |
SHA1: | F29FC623FFBB2BD82FFF15297EA83454D6E27C91 |
SHA-256: | 20609ADE126947017574E5EF81BE4048584508EAE8FC77D61A0F45C4024680AA |
SHA-512: | 1C45DB1EEBD11356B7226F9B827B42259DAA3B38A74781742DD4FD4A5D1E2D5BB8C77196B1811341DF3A9439B3E1D78E3A07B066AE34F87A50BCD70ED3BEE1BF |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 957 |
Entropy (8bit): | 7.319916557188864 |
Encrypted: | false |
SSDEEP: | 24:49YMWODGo0XxDuLHeOWXG4OZ7DAJuLHenX38dfLvABkChH35j:49YMXbuERA6fLvrCRJ |
MD5: | 7935C0850BBF939D7459C85F66C5A41E |
SHA1: | 31A086841E6D7913F511F7D5A3F4A1B7FD123DA3 |
SHA-256: | 70C91B22ADDEC0D24A5A4E9A8C58FFC0E67F06B9DCAD564E7FCB12E1E4B3E7E6 |
SHA-512: | AC9B8E638576F8F66C8CBB7C1EE6341003243B7692B3D9B2263822653D95F4697B9A8DB80A382CED27A9D01FF5EAFCEAE54C960F28AAAF01180AC87B472FDE5B |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{6896B4E9-F21D-4A19-99E6-ABCD585CB25D}.tmp
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 19136 |
Entropy (8bit): | 3.726341814139971 |
Encrypted: | false |
SSDEEP: | 192:FbyZ9JjppCDFtStt9PGbIRRnL5gmJd9tamz710Wcm1xph9mGVjLmuHwImE9:cZ9J10DFtStt9PGyLr9tj102xpdHv9 |
MD5: | C868757D577F891417EB143C418D222E |
SHA1: | 93887F060CF31E8CE592A59FFAE36F72A6CBED86 |
SHA-256: | AF1031929646708150EDB2F584C98F3B9AA600D8366793C547B2FDF42A8CEADA |
SHA-512: | 4D2D6874B0D179A1B25559322C61809883BC32DB914B46DE5C65AC5BEDC2AB8B9BC34E939CB53BA115C812BBFB80BAFFB2C607EDEE20E1495C2EFF3D5A74276B |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1720158927068610100_E961AD52-0EB9-4D13-AA63-E1BF13CB6B07.log
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.16253774969389825 |
Encrypted: | false |
SSDEEP: | 1536:9ZEoqfJ8TDtTOLB2cP6WvqrznRgKZjFSt3l5wy4LNHfYHgANHlESaj8aSEWeTU+w:2fmdTO1tCBls |
MD5: | 630B84F74BF88A34AA4BB660EA56E929 |
SHA1: | 03AC5068D56BE4B36B4F7F18883F9C4CBEECA1EA |
SHA-256: | 6855EDB4DB00D8D6764058DC33839DDDAFE7B8C3D7D7D3868AD1B6CABA8E05B2 |
SHA-512: | 9CC92D4DDAA421F7DF3A70FEBC2FC3868263E43D716F1C73B53182099B525C819C0C3A1151B08D69AA6BD8CDD34823489EE8CBD24122A746F2E0EAB1728F83B0 |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1720158927069116400_E961AD52-0EB9-4D13-AA63-E1BF13CB6B07.log
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
Malicious: | false |
Reputation: | high, very likely benign file |
C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240705T0155260830-8000.etl
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 94208 |
Entropy (8bit): | 4.445761817392753 |
Encrypted: | false |
SSDEEP: | 768:3oTN+M9YaZJR92k4m995WhQXrVuaJ6ERnYSW+WEWVW5:04m995WhQX6ERnx |
MD5: | 1A08016E12120FD7E8FF443DF6DDF511 |
SHA1: | C3CE36DB12FD43DCD53DEFF0B1D8078B73F7D962 |
SHA-256: | 82988322FA3613DF302AAEB80E1817A5AFB9428C924A3EC31637E9CE8C8CFF15 |
SHA-512: | 6FFD0C52400DA0E829EF646A40B2E0C0157C60D8723A9033BFEDCE0ADE8396F247167AE00A691930B0709F950E8752A4D68A97DEC4E6406FC81DD1EEE637FDE2 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 163840 |
Entropy (8bit): | 0.39086845629211203 |
Encrypted: | false |
SSDEEP: | 192:KvcS4JDT11qDgiOOqNoYTqEdotmpYAqx1u6rNgiXHWVOoSNh/:nS4r1qsiOO8Tqp9fAiXHVo |
MD5: | 726E152271A45916ADCE77D2C16CE6A6 |
SHA1: | 163A8C53F5B4ADDF7CB8A84E04EF7F8A20C1FF99 |
SHA-256: | FCE20A437B5FE3FBF42775EA4DB8C279392DC608FC318CDDAC39259439BD75B5 |
SHA-512: | ECA31915698A21F739F25B5374C39C5D8DB31D600D347F97AB75F7CFA95FDA1E407647EC50F06F31431685BBB5D59D3DCBBAF353DB25B4A00570B2E1D09CA609 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 30 |
Entropy (8bit): | 1.2389205950315936 |
Encrypted: | false |
SSDEEP: | 3:8elt:8e |
MD5: | 65D87B248CE8188262D41928BEC4D17A |
SHA1: | 474B2B55990139BF5CFB969938960FD9DF2DA6C2 |
SHA-256: | 4EF6D592C7D852977D545BA8889D3D031DFF724409AD6D3576D030D6EEB04375 |
SHA-512: | D257B19D013F2CD19F4A83AC4624526089A7ECD1FE6ABD938E1BA66D69F204631F056F418627D3DF4888FDB262A255F8F0669658BB35AA47D0B9AFF183A3C899 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 271360 |
Entropy (8bit): | 1.3282761130469638 |
Encrypted: | false |
SSDEEP: | 768:HtQcMxiBiDZFdrghZNLnSJAIZC8FTXtGB5iBfB8BUTIZRi:sXZH0NuZjfBeNZs |
MD5: | 97AC896241819B1ECE0AD5D0CF42F705 |
SHA1: | 1A2B9B755697D9764B66081725074F216EBD20ED |
SHA-256: | 881E3C94A68661FD1DEC8335D7A865C2E035C1E2D95A0E856F5B09B728DCF2F7 |
SHA-512: | 5F310BC03FFE2BAE42B68C8B5A5D9AA4456E28A39A8CB2A76BED94927CE79D921AD2D43C8DCBB9A976857E77CAB06FC9335C5203C83E75B1E80BF4B07B78A621 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 1.4618422230614536 |
Encrypted: | false |
SSDEEP: | 384:abNjTIXJkDenjqHYSVgmeTE/xNhpS4MY74tmTqXmColtGNGFaptMWDZG0yO4rCWF:iTIZkyiYSGmeOzX5vtGQgyBffy0 |
MD5: | 1BBF090C1F8D372186EC6A61DA32FA20 |
SHA1: | FF12C5B91B108511590BC6A274ADB07F61C74AFC |
SHA-256: | 1EB632E6FECEC732BEEB785CF7494847303B4E73E678E9C5828BBC99E602A07A |
SHA-512: | 7549C541E784F157AA28BE71953F7398258DC8D0897F5251D92364CE452BF1A904AA6C7557A3F8107432D4A641049291A12FB2FC883446DC2ADF8EBA4502C5C2 |
Malicious: | false |
Entropy (8bit): | 4.243463879051739 |
File name: | Priv_Kamrul Hasan invited you to access applications within their organization.msg |
File size: | 184'832 bytes |
MD5: | 0a67787c5da085d64b5d63d526426808 |
SHA1: | 562666408600c711a327f85c93b34ac81a21bca4 |
SHA256: | 1e976217ea9e2cde34a02572efb97477663908f02b621b937e5c238dcd840bf6 |
SHA512: | ed0b06b2c8dd46a1891f16f77c0c27a73dcad481a44abc039ff9c2576c11d34aaf533ddd3e049929a29dd8387d9d0040d179b1aadce988618974d27b61cc56a8 |
SSDEEP: | 3072:eiTasL2xiwlYVG1la8bF87LqSJmfr2L4gfgRR8rqrqFC41zM:KsL2xiHqG/iWSSz |
TLSH: | CD042F243AFA1119F2B39F354BE2509B8937FD626D38DA5E2091670D0672E41EC61F3B |
Subject: | Priv_Kamrul Hasan invited you to access applications within their organization |
From: | Microsoft Invitations on behalf of Moelis Australia Operations Pty Ltd <invites@microsoft.com> |
To: | bcamargo@sn.com.au |
Cc: | |
BCC: | |
Date: | Fri, 05 Jul 2024 07:47:44 +0200 |
Key | Value |
---|---|
Received | from outlook.office.com (2603:10b6:8:a4::6) by |
(continuation) | 05:47:51 +0000 |
ARC-Seal | i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; |
ARC-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; |
(continuation) | h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; |
ARC-Authentication-Results | i=1; mx.microsoft.com 1; spf=none; dmarc=none; |
(continuation) | by SY8PR01MB9205.ausprd01.prod.outlook.com (2603:10c6:10:22f::9) with |
(continuation) | 2024 05:47:49 +0000 |
(continuation) | (2603:10c6:220:213::22) with Microsoft SMTP Server (version=TLS1_2, |
(continuation) | Transport; Fri, 5 Jul 2024 05:47:49 +0000 |
Authentication-Results | spf=pass (sender IP is 40.107.223.98) |
Received-SPF | Pass (protection.outlook.com: domain of microsoft.com designates |
(continuation) | 15.20.7741.18 via Frontend Transport; Fri, 5 Jul 2024 05:47:48 +0000 |
DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; |
(continuation) | DS7PR06CA0002.NAMPRD06.PROD.OUTLOOK.COM; Fri, 5 Jul 2024 05:47:44 +0000 |
From | Microsoft Invitations on behalf of Moelis Australia Operations Pty Ltd |
Date | Thu, 04 Jul 2024 22:47:44 -0700 |
Subject | Priv_Kamrul Hasan invited you to access applications within their |
Message-Id | <E12P8YDRHNU4.NGR64A450CTF2@ds3pepf000016f8> |
To | bcamargo@sn.com.au |
Reply-To | priv_kamrul.hasan@mafinancial.com |
MIME-Version | 1.0 |
Content-Type | multipart/mixed; boundary="=-7z47+xKhAhkdo8qDfpNAsw==" |
client-request-id | 1761b701-8008-4d47-a9dc-33b9c72f60f4 |
request-id | 1761b701-8008-4d47-a9dc-33b9c72f60f4 |
Return-Path | invites@microsoft.com |
X-MS-TrafficTypeDiagnostic | DM4PR21MB3560:EE_IGANotification|ML1PEPF0000F178:EE_|SY8PR01MB9205:EE_|SY4PR01MB8360:EE_ |
X-MS-Exchange-SenderADCheck | 1 |
X-MS-Exchange-AntiSpam-Relay | 0 |
X-Microsoft-Antispam-Untrusted | BCL:0;ARA:13230040|376014|69100299015|1800799024; |
X-Microsoft-Antispam-Message-Info-Original | =?us-ascii?Q?BVtZU9efiXo3Q0GsJXFyr20s5srq3akcKufbiZnVw8PMj0n0HBOVgjZtOLrr?= |
X-Forefront-Antispam-Report-Untrusted | CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:;PTR:;CAT:NONE;SFS:(13230040)(376014)(69100299015)(1800799024);DIR:OUT;SFP:1102; |
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount | 1 |
X-MS-Exchange-AntiSpam-MessageData-Original-0 | xDHVp8y4h8F70DbBpbVFOEJrgrwloh4JqHYfuaVOQSHyYAZZgWBDpkdyVu9CcVLUrZQeUMRHzU+cvbmMcJEzt4FeLgv+naIRcCcH4TDvN6+mh6zYT6CIDWVrwPZ6gvh+JjttlZ9rGKmHCTsVs/qx8dzeUTMGKOcqpn0Ih3hU9yLyX3EFCU2M1TYRVDkfXIiVLWU0bxghvXi8IOOiKo/Dxk8zzkQpPIkcO3ek60AgfAtYQ+mAajbRPL2kN3wMOq5ct9cmGnwHzYowHoEsKAzP9tTwqqgeyg4bPY1vFgG0zzZv3HPnTgc/1u8hiema6/+DHrThyuRBC4m49rS/49eK8CSht/e9k6Sme8EAzhFvrQmWk4Ui9r1b+ctwLdV9CNdKAhRn0p6Le3rpT1g0hr0WFY0JR7YFzJKkjDnaNy2D6aY= |
X-MS-Exchange-Transport-CrossTenantHeadersStamped | SY8PR01MB9205 |
X-MS-Exchange-Organization-ExpirationStartTime | 05 Jul 2024 05:47:48.4849 |
X-MS-Exchange-Organization-ExpirationStartTimeReason | OriginalSubmit |
X-MS-Exchange-Organization-ExpirationInterval | 1:00:00:00.0000000 |
X-MS-Exchange-Organization-ExpirationIntervalReason | OriginalSubmit |
X-MS-Exchange-Organization-Network-Message-Id | 22fc8eca-295e-4568-5b4f-08dc9cb6006c |
X-EOPAttributedMessage | 0 |
X-EOPTenantAttributedMessage | c9ba5ff1-50fb-443a-aa51-f8a979e6e6d1:0 |
X-MS-Exchange-Organization-MessageDirectionality | Incoming |
X-MS-Exchange-Transport-CrossTenantHeadersStripped | ML1PEPF0000F178.ausprd01.prod.outlook.com |
X-MS-Exchange-Transport-CrossTenantHeadersPromoted | ML1PEPF0000F178.ausprd01.prod.outlook.com |
X-MS-PublicTrafficType | |
X-MS-Exchange-Organization-AuthSource | ML1PEPF0000F178.ausprd01.prod.outlook.com |
X-MS-Exchange-Organization-AuthAs | Anonymous |
X-MS-Office365-Filtering-Correlation-Id | 22fc8eca-295e-4568-5b4f-08dc9cb6006c |
X-MS-Exchange-AtpMessageProperties | SA|SL |
X-MS-Exchange-Organization-SCL | 1 |
X-Microsoft-Antispam | BCL:0;ARA:13230040|4073199012|5073199012|69100299015|2092899012|3072899012|3092899012|5062899012|13012899012|13102899012|12012899012; |
X-Forefront-Antispam-Report | CIP:40.107.223.98;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM11-DM6-obe.outbound.protection.outlook.com;PTR:mail-dm6nam11on2098.outbound.protection.outlook.com;CAT:NONE;SFTY:9.25;SFS:(13230040)(4073199012)(5073199012)(69100299015)(2092899012)(3072899012)(3092899012)(5062899012)(13012899012)(13102899012)(12012899012);DIR:INB;SFTY:9.25; |
X-MS-Exchange-CrossTenant-OriginalArrivalTime | 05 Jul 2024 05:47:48.0787 |
X-MS-Exchange-CrossTenant-Network-Message-Id | 22fc8eca-295e-4568-5b4f-08dc9cb6006c |
X-MS-Exchange-CrossTenant-Id | c9ba5ff1-50fb-443a-aa51-f8a979e6e6d1 |
X-MS-Exchange-CrossTenant-AuthSource | ML1PEPF0000F178.ausprd01.prod.outlook.com |
X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
X-MS-Exchange-CrossTenant-FromEntityHeader | Internet |
X-MS-Exchange-Transport-EndToEndLatency | 00:00:03.9191933 |
X-MS-Exchange-Processed-By-BccFoldering | 15.20.7741.016 |
X-Microsoft-Antispam-Mailbox-Delivery | dwl:1;ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(831239)(255002)(410001)(930097)(140003)(1420198); |
X-Microsoft-Antispam-Message-Info | =?us-ascii?Q?wXGG3mciiVEP0eA3UUA6TE1w+QZ0Qlz9LkpfdpPAfeaqQ2AYh4HeayisXSlp?= |
date | Fri, 05 Jul 2024 07:47:44 +0200 |
Icon Hash: | c4e1928eacb280a2 |
Target ID: | 0 |
Start time: | 01:55:26 |
Start date: | 05/07/2024 |
Path: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Wow64 process (32bit): | true |
Commandline: | "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Priv_Kamrul Hasan invited you to access applications within their organization.msg" |
Imagebase: | 0x640000 |
File size: | 34'446'744 bytes |
MD5 hash: | 91A5292942864110ED734005B7E005C0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 2 |
Start time: | 01:55:28 |
Start date: | 05/07/2024 |
Path: | C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5BD4C67A-1450-4BB0-82FE-4D9A19C40EBD" "8FAB2F7E-0513-447A-86BE-2FB5CE6623DC" "8000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" |
Imagebase: | 0x7ff7ed9c0000 |
File size: | 710'048 bytes |
MD5 hash: | EC652BEDD90E089D9406AFED89A8A8BD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |