Windows Analysis Report
Priv_Kamrul Hasan invited you to access applications within their organization.msg

Overview

General Information

Sample name:Priv_Kamrul Hasan invited you to access applications within their organization.msg
Analysis ID:1467978
MD5:0a67787c5da085d64b5d63d526426808
SHA1:562666408600c711a327f85c93b34ac81a21bca4
SHA256:1e976217ea9e2cde34a02572efb97477663908f02b621b937e5c238dcd840bf6

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 8000 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Priv_Kamrul Hasan invited you to access applications within their organization.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 8164 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5BD4C67A-1450-4BB0-82FE-4D9A19C40EBD" "8FAB2F7E-0513-447A-86BE-2FB5CE6623DC" "8000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 8000, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Snort rule has matched


Source: Priv_Kamrul Hasan invited you to access applications within their organization.msg | String found in binary or memory: http://schema.org
Source: Priv_Kamrul Hasan invited you to access applications within their organization.msg, ~WRS{6896B4E9-F21D-4A19-99E6-ABCD585CB25D}.tmp.0.dr | String found in binary or memory: https://aka.ms/LearnAboutSenderIdentification
Source: Priv_Kamrul Hasan invited you to access applications within their organization.msg, ~WRS{6896B4E9-F21D-4A19-99E6-ABCD585CB25D}.tmp.0.dr | String found in binary or memory: https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.microsoftonline.com%2Fredeem
Source: classification engine | Classification label: clean1.winMSG@3/14@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240705T0155260830-8000.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Priv_Kamrul Hasan invited you to access applications within their organization.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5BD4C67A-1450-4BB0-82FE-4D9A19C40EBD" "8FAB2F7E-0513-447A-86BE-2FB5CE6623DC" "8000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (the number in parentheses is the count shown in the matrix cell; techniques without a number carry no count):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows)
  • Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: Process Discovery (1); System Information Discovery (12); Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph (ID: 1467978, sample: Priv_Kamrul Hasan invited y..., start date: 05/07/2024, architecture: WINDOWS, score: 1): OUTLOOK.EXE was started, and it in turn started ai.exe.

No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schema.org | 0% | URL Reputation | safe |
https://aka.ms/LearnAboutSenderIdentification | 0% | Avira URL Cloud | safe |
https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.microsoftonline.com%2Fredeem | 0% | Avira URL Cloud | safe |
https://aka.ms/LearnAboutSenderIdentification | 0% | Virustotal | | Browse
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://schema.org | Priv_Kamrul Hasan invited you to access applications within their organization.msg | false | URL Reputation: safe | unknown
https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.microsoftonline.com%2Fredeem | Priv_Kamrul Hasan invited you to access applications within their organization.msg, ~WRS{6896B4E9-F21D-4A19-99E6-ABCD585CB25D}.tmp.0.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/LearnAboutSenderIdentification | Priv_Kamrul Hasan invited you to access applications within their organization.msg, ~WRS{6896B4E9-F21D-4A19-99E6-ABCD585CB25D}.tmp.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1467978
Start date and time:2024-07-05 07:54:15 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Priv_Kamrul Hasan invited you to access applications within their organization.msg
Detection:CLEAN
Classification:clean1.winMSG@3/14@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .msg
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 52.113.194.132, 184.28.90.27, 20.189.173.23
  • Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, s-0005-office.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, s-0005.s-msedge.net, e16604.g.akamaiedge.net, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, onedscolprdwus16.westus.cloudapp.azure.com, mobile.events.data.trafficmanager.net
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
Input / Output

Input: URL: e-Mail, Model: gpt-4o

Output:

```json
{
  "riskscore": 6,
  "brand_impersonated": "Microsoft",
  "reasons": "The email appears to impersonate Microsoft by using their branding and mentioning Microsoft services. The sender's email address (priv_kamrul.hasan@mafinancial.com) does not match the domain it claims to represent (moelisaustralia.onmicrosoft.com), which is a red flag for spoofing. The subject line and body of the email create a sense of urgency by asking the recipient to accept an invitation. The URL provided (https://myapplications.microsoft.com/) appears legitimate, but it is important to verify the actual destination of the link by hovering over it or inspecting the HTML code. The email also includes a warning about potential fraudulent invitations, which could be a tactic to gain trust. Overall, the email has several indicators of phishing, including brand impersonation, mismatched sender information, and urgency tactics."
}
```
No context
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.394575923795854
Encrypted:false
SSDEEP:1536:HXYL3wgsa1inrCeTEgsgRNcAz79ysQqt2xPEGqoQm9rcm0Fvm0ty2GwcNvsy0o7K:wggqG1g7miGu2LqoQ0rt0FvKoMa74kJ
MD5:23318054ABA83D39C37C18F4613AC517
SHA1:12808380994CE5A43C14641AF614DA8AEF1FE784
SHA-256:379F8B6929123799C95D65B785DA2E16F2F3840C1FB4E777B6E7F73318BB9E7A
SHA-512:26BB2CF3D06B64739250A179E53C88E3A3EA076AF6232EE41541416C4C50BD9108A78FBE2BFBF02BAD9480D85ED60CEB2E353BC00A439B44A513DDF5E02AFF43
Malicious:false
Reputation:low
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:JSON data
Category:dropped
Size (bytes):521377
Entropy (8bit):4.9084889265453135
Encrypted:false
SSDEEP:3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
MD5:C37972CBD8748E2CA6DA205839B16444
SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
Malicious:false
Reputation:moderate, very likely benign file
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
Category:dropped
Size (bytes):773040
Entropy (8bit):6.55939673749297
Encrypted:false
SSDEEP:12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
MD5:4296A064B917926682E7EED650D4A745
SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
Malicious:false
Reputation:moderate, very likely benign file
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.04522126193421007
Encrypted:false
SSDEEP:3:GtlxtjlGJV4e4oPlxtjlGJV4eg//l1R9//8l1lvlll1lllwlvlllglbelDbllAlU:Gtmb4eTPmb4egt9X01PH4l942wU
MD5:00B74A27F308A251485B32ECC374A380
SHA1:0B22ECB7E5A71C06923279392C13F31DB8403936
SHA-256:E6C2DCD13A0C7E66B30779CED8285265C34CA999B58E4CC21C73BB617F4640C6
SHA-512:106495F77BDB712BAFFBF6DBBD5F4D0057694744445DE8A8B41F95A24DCB98153EBD4FE58141B25EEB01AFA48E3746B03931673E36C75FECF4D32919DF31ECEE
Malicious:false
Reputation:low
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:modified
Size (bytes):49472
Entropy (8bit):0.48135755039302425
Encrypted:false
SSDEEP:24:KQRnQ3zRD0yUll7DBtDi4kZERDc+yzqt8VtbDBtDi4kZERDhoBqt8VtbDBtDi4kC:dRnQ1tUll7DYMozO8VFDYM+BO8VFDYML
MD5:1275E6C0507C2D5E855650759EE4A8BD
SHA1:F29FC623FFBB2BD82FFF15297EA83454D6E27C91
SHA-256:20609ADE126947017574E5EF81BE4048584508EAE8FC77D61A0F45C4024680AA
SHA-512:1C45DB1EEBD11356B7226F9B827B42259DAA3B38A74781742DD4FD4A5D1E2D5BB8C77196B1811341DF3A9439B3E1D78E3A07B066AE34F87A50BCD70ED3BEE1BF
Malicious:false
Reputation:low
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 60x60, components 3
Category:dropped
Size (bytes):957
Entropy (8bit):7.319916557188864
Encrypted:false
SSDEEP:24:49YMWODGo0XxDuLHeOWXG4OZ7DAJuLHenX38dfLvABkChH35j:49YMXbuERA6fLvrCRJ
MD5:7935C0850BBF939D7459C85F66C5A41E
SHA1:31A086841E6D7913F511F7D5A3F4A1B7FD123DA3
SHA-256:70C91B22ADDEC0D24A5A4E9A8C58FFC0E67F06B9DCAD564E7FCB12E1E4B3E7E6
SHA-512:AC9B8E638576F8F66C8CBB7C1EE6341003243B7692B3D9B2263822653D95F4697B9A8DB80A382CED27A9D01FF5EAFCEAE54C960F28AAAF01180AC87B472FDE5B
Malicious:false
Reputation:low
Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......<.<.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(......(...(...(...(......wE...q.BE1c.......6...]T..M.+1b..j..+&..OqZ.u.O...#....0.6.......B....:.Y:....g.qSi'....{..|.f...N...edb...8 .A..#J.X7..N.#8.r~a.U|K..#V..._...f.J...B._g...L.(....(..5.. ..Z...."..f...?......[.....\...=....E.<..w0xx:r..W..r.:Z..g.dv....5..u....].*{.%L.....Th.mni...=.[X(..e..Q@..Q@..Q@..Q@...
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):19136
Entropy (8bit):3.726341814139971
Encrypted:false
SSDEEP:192:FbyZ9JjppCDFtStt9PGbIRRnL5gmJd9tamz710Wcm1xph9mGVjLmuHwImE9:cZ9J10DFtStt9PGyLr9tj102xpdHv9
MD5:C868757D577F891417EB143C418D222E
SHA1:93887F060CF31E8CE592A59FFAE36F72A6CBED86
SHA-256:AF1031929646708150EDB2F584C98F3B9AA600D8366793C547B2FDF42A8CEADA
SHA-512:4D2D6874B0D179A1B25559322C61809883BC32DB914B46DE5C65AC5BEDC2AB8B9BC34E939CB53BA115C812BBFB80BAFFB2C607EDEE20E1495C2EFF3D5A74276B
Malicious:false
Reputation:low
Preview:......Y.o.u. .d.o.n.'.t. .o.f.t.e.n. .g.e.t. .e.m.a.i.l. .f.r.o.m. .i.n.v.i.t.e.s.@.m.i.c.r.o.s.o.f.t...c.o.m... .H.Y.P.E.R.L.I.N.K. .".h.t.t.p.s.:././.a.k.a...m.s./.L.e.a.r.n.A.b.o.u.t.S.e.n.d.e.r.I.d.e.n.t.i.f.i.c.a.t.i.o.n.".............................................................................................................................................................................................................................................................................................................~...............................................................................................................................................................................................................................................................................................................................................$..$.If....:V.......t.....6......4........4........a.........$.a$.*...$..$.If........!v..h.#v....:V.......t.....6......5.......4........
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28771), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.16253774969389825
Encrypted:false
SSDEEP:1536:9ZEoqfJ8TDtTOLB2cP6WvqrznRgKZjFSt3l5wy4LNHfYHgANHlESaj8aSEWeTU+w:2fmdTO1tCBls
MD5:630B84F74BF88A34AA4BB660EA56E929
SHA1:03AC5068D56BE4B36B4F7F18883F9C4CBEECA1EA
SHA-256:6855EDB4DB00D8D6764058DC33839DDDAFE7B8C3D7D7D3868AD1B6CABA8E05B2
SHA-512:9CC92D4DDAA421F7DF3A70FEBC2FC3868263E43D716F1C73B53182099B525C819C0C3A1151B08D69AA6BD8CDD34823489EE8CBD24122A746F2E0EAB1728F83B0
Malicious:false
Reputation:low
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..07/05/2024 05:55:27.096.OUTLOOK (0x1F40).0x1F44.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":26,"Time":"2024-07-05T05:55:27.096Z","Contract":"Office.System.Activity","Activity.CV":"Uq1h6bkOE02qY+G/E8trBw.4.11","Activity.Duration":12,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...07/05/2024 05:55:27.111.OUTLOOK (0x1F40).0x1F44.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":28,"Time":"2024-07-05T05:55:27.111Z","Contract":"Office.System.Activity","Activity.CV":"Uq1h6bkOE02qY+G/E8trBw.4.12","Activity.Duration":10203,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajor
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
Reputation:high, very likely benign file
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):94208
Entropy (8bit):4.445761817392753
Encrypted:false
SSDEEP:768:3oTN+M9YaZJR92k4m995WhQXrVuaJ6ERnYSW+WEWVW5:04m995WhQX6ERnx
MD5:1A08016E12120FD7E8FF443DF6DDF511
SHA1:C3CE36DB12FD43DCD53DEFF0B1D8078B73F7D962
SHA-256:82988322FA3613DF302AAEB80E1817A5AFB9428C924A3EC31637E9CE8C8CFF15
SHA-512:6FFD0C52400DA0E829EF646A40B2E0C0157C60D8723A9033BFEDCE0ADE8396F247167AE00A691930B0709F950E8752A4D68A97DEC4E6406FC81DD1EEE637FDE2
Malicious:false
Preview:............................................................................h...D...@....Q'....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@o.,V............Q'............v.2._.O.U.T.L.O.O.K.:.1.f.4.0.:.5.5.e.f.c.4.2.6.c.7.c.d.4.9.b.4.b.7.0.5.6.1.3.4.c.1.f.d.9.f.9.4...C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.7.0.5.T.0.1.5.5.2.6.0.8.3.0.-.8.0.0.0...e.t.l.......P.P.D...@....)....................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):163840
Entropy (8bit):0.39086845629211203
Encrypted:false
SSDEEP:192:KvcS4JDT11qDgiOOqNoYTqEdotmpYAqx1u6rNgiXHWVOoSNh/:nS4r1qsiOO8Tqp9fAiXHVo
MD5:726E152271A45916ADCE77D2C16CE6A6
SHA1:163A8C53F5B4ADDF7CB8A84E04EF7F8A20C1FF99
SHA-256:FCE20A437B5FE3FBF42775EA4DB8C279392DC608FC318CDDAC39259439BD75B5
SHA-512:ECA31915698A21F739F25B5374C39C5D8DB31D600D347F97AB75F7CFA95FDA1E407647EC50F06F31431685BBB5D59D3DCBBAF353DB25B4A00570B2E1D09CA609
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:3:8elt:8e
MD5:65D87B248CE8188262D41928BEC4D17A
SHA1:474B2B55990139BF5CFB969938960FD9DF2DA6C2
SHA-256:4EF6D592C7D852977D545BA8889D3D031DFF724409AD6D3576D030D6EEB04375
SHA-512:D257B19D013F2CD19F4A83AC4624526089A7ECD1FE6ABD938E1BA66D69F204631F056F418627D3DF4888FDB262A255F8F0669658BB35AA47D0B9AFF183A3C899
Malicious:false
Preview:.....#........................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):1.3282761130469638
Encrypted:false
SSDEEP:768:HtQcMxiBiDZFdrghZNLnSJAIZC8FTXtGB5iBfB8BUTIZRi:sXZH0NuZjfBeNZs
MD5:97AC896241819B1ECE0AD5D0CF42F705
SHA1:1A2B9B755697D9764B66081725074F216EBD20ED
SHA-256:881E3C94A68661FD1DEC8335D7A865C2E035C1E2D95A0E856F5B09B728DCF2F7
SHA-512:5F310BC03FFE2BAE42B68C8B5A5D9AA4456E28A39A8CB2A76BED94927CE79D921AD2D43C8DCBB9A976857E77CAB06FC9335C5203C83E75B1E80BF4B07B78A621
Malicious:false
Preview:!BDN,..0SM......\...I!..........9.......U................@...........@...@...................................@...........................................................................$.......D.......L..............5...............8...................................................................................................................................................................................................................................................................................................Z;._.W......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):1.4618422230614536
Encrypted:false
SSDEEP:384:abNjTIXJkDenjqHYSVgmeTE/xNhpS4MY74tmTqXmColtGNGFaptMWDZG0yO4rCWF:iTIZkyiYSGmeOzX5vtGQgyBffy0
MD5:1BBF090C1F8D372186EC6A61DA32FA20
SHA1:FF12C5B91B108511590BC6A274ADB07F61C74AFC
SHA-256:1EB632E6FECEC732BEEB785CF7494847303B4E73E678E9C5828BBC99E602A07A
SHA-512:7549C541E784F157AA28BE71953F7398258DC8D0897F5251D92364CE452BF1A904AA6C7557A3F8107432D4A641049291A12FB2FC883446DC2ADF8EBA4502C5C2
Malicious:false
Preview:..H.0...Z.......@...............D............#...........?......?........................................................?.........................................................................................................................................................................................................................................................................................................................................................................................................................................xh<..D..........0...[.......@...............B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
File type:CDFV2 Microsoft Outlook Message
Entropy (8bit):4.243463879051739
TrID:
  • Outlook Message (71009/1) 58.92%
  • Outlook Form Template (41509/1) 34.44%
  • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:Priv_Kamrul Hasan invited you to access applications within their organization.msg
File size:184'832 bytes
MD5:0a67787c5da085d64b5d63d526426808
SHA1:562666408600c711a327f85c93b34ac81a21bca4
SHA256:1e976217ea9e2cde34a02572efb97477663908f02b621b937e5c238dcd840bf6
SHA512:ed0b06b2c8dd46a1891f16f77c0c27a73dcad481a44abc039ff9c2576c11d34aaf533ddd3e049929a29dd8387d9d0040d179b1aadce988618974d27b61cc56a8
SSDEEP:3072:eiTasL2xiwlYVG1la8bF87LqSJmfr2L4gfgRR8rqrqFC41zM:KsL2xiHqG/iWSSz
TLSH:CD042F243AFA1119F2B39F354BE2509B8937FD626D38DA5E2091670D0672E41EC61F3B
File Content Preview:........................>.......................................................r..............................................................................................................................................................................
Subject:Priv_Kamrul Hasan invited you to access applications within their organization
From:Microsoft Invitations on behalf of Moelis Australia Operations Pty Ltd <invites@microsoft.com>
To:bcamargo@sn.com.au
Cc:
BCC:
Date:Fri, 05 Jul 2024 07:47:44 +0200
Communications:
  • You don't often get email from invites@microsoft.com. Learn why this is important <https://aka.ms/LearnAboutSenderIdentification> <https://invitations.microsoft.com/Content/Images/PixelWarning.png> Please only act on this email if you trust the individual and organization represented below. In rare cases, individuals may receive fraudulent invitations from bad actors posing as legitimate companies. If you were not expecting this invitation, proceed with caution. Sender: Priv_Kamrul Hasan (priv_kamrul.hasan@mafinancial.com <mailto:priv_kamrul.hasan@mafinancial.com> ) Organization: Moelis Australia Operations Pty Ltd Domain: moelisaustralia.onmicrosoft.com <https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmoelisaustralia.onmicrosoft.com%2F&data=05%7C02%7Cbcamargo%40sn.com.au%7C22fc8eca295e45685b4f08dc9cb6006c%7Cc9ba5ff150fb443aaa51f8a979e6e6d1%7C0%7C0%7C638557552720984773%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=oT7YmHMirNV3Ug9q7D3ci0RLa3UIJ0ApmYRP17z%2FdYs%3D&reserved=0> This message was provided by the sender and is not from Microsoft Corporation. Message from Priv_Kamrul Hasan: Welcome to MA Financial. Please accept the invite to access resource shared by MA. If you accept this invitation, youll be sent to https://myapplications.microsoft.com/ <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmyapplications.microsoft.com%2F&data=05%7C02%7Cbcamargo%40sn.com.au%7C22fc8eca295e45685b4f08dc9cb6006c%7Cc9ba5ff150fb443aaa51f8a979e6e6d1%7C0%7C0%7C638557552721000254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=cqg1Pe5FKzm%2B3vhJq0siisB%2F%2BmME5K37%2FEmcS9TcTWE%3D&reserved=0> . 
Accept invitation <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.microsoftonline.com%2Fredeem%3Frd%3Dhttps%253a%252f%252finvitations.microsoft.com%252fredeem%252f%253ftenant%253d7a9750ee-d899-4e0b-a918-0354d6e9bd54%2526user%253dde37d9b6-9558-4507-b8df-4bc030c87842%2526ticket%253dUmwrGGO4UuftwId90I5%2525252fJs8%2525252bYJEcRpuijXi%2525252bIvbY318%2525253d%2526ver%253d2.0&data=05%7C02%7Cbcamargo%40sn.com.au%7C22fc8eca295e45685b4f08dc9cb6006c%7Cc9ba5ff150fb443aaa51f8a979e6e6d1%7C0%7C0%7C638557552721009496%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=tfiSZbJZKIyWixEEfVg%2FqFq0DMAADKh7tEDWp%2Fx5f4k%3D&reserved=0> This invitation email is from Moelis Australia Operations Pty Ltd (moelisaustralia.onmicrosoft.com <https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmoelisaustralia.onmicrosoft.com%2F&data=05%7C02%7Cbcamargo%40sn.com.au%7C22fc8eca295e45685b4f08dc9cb6006c%7Cc9ba5ff150fb443aaa51f8a979e6e6d1%7C0%7C0%7C638557552721017028%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Ggrq27H45d2Fr4r7xpf2v2AtHckWs4Pozc19FrPDVcA%3D&reserved=0> ) and may include advertising content. Moelis Australia Operations Pty Ltd has not provided a link to their privacy statement for you to review. Microsoft Corporation facilitated sending this email but did not validate the sender or the message. Microsoft respects your privacy. To learn more, please read the Microsoft Privacy Statement <https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkId%3D521839&data=05%7C02%7Cbcamargo%40sn.com.au%7C22fc8eca295e45685b4f08dc9cb6006c%7Cc9ba5ff150fb443aaa51f8a979e6e6d1%7C0%7C0%7C638557552721022942%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=4cnu%2Bqyla7tcNb4St4yY%2B6nqRMwnOVXqr6%2F32k3Q2uQ%3D&reserved=0> . 
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052 <https://invitations.microsoft.com/Content/Images/microsoftlogo.png>
Attachments:
  • ATT00001.jpg
Key Value
Received: from outlook.office.com (2603:10b6:8:a4::6) by
05:47:51 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
by SY8PR01MB9205.ausprd01.prod.outlook.com (2603:10c6:10:22f::9) with
2024 05:47:49 +0000
(2603:10c6:220:213::22) with Microsoft SMTP Server (version=TLS1_2,
Transport; Fri, 5 Jul 2024 05:47:49 +0000
Authentication-Results: spf=pass (sender IP is 40.107.223.98)
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates
15.20.7741.18 via Frontend Transport; Fri, 5 Jul 2024 05:47:48 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
DS7PR06CA0002.NAMPRD06.PROD.OUTLOOK.COM; Fri, 5 Jul 2024 05:47:44 +0000
From: Microsoft Invitations on behalf of Moelis Australia Operations Pty Ltd
Date: Thu, 04 Jul 2024 22:47:44 -0700
Subject: Priv_Kamrul Hasan invited you to access applications within their
Message-Id: <E12P8YDRHNU4.NGR64A450CTF2@ds3pepf000016f8>
To: bcamargo@sn.com.au
Reply-To: priv_kamrul.hasan@mafinancial.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-7z47+xKhAhkdo8qDfpNAsw=="
client-request-id: 1761b701-8008-4d47-a9dc-33b9c72f60f4
request-id: 1761b701-8008-4d47-a9dc-33b9c72f60f4
Return-Path: invites@microsoft.com
X-MS-TrafficTypeDiagnostic: DM4PR21MB3560:EE_IGANotification|ML1PEPF0000F178:EE_|SY8PR01MB9205:EE_|SY4PR01MB8360:EE_
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|376014|69100299015|1800799024;
X-Microsoft-Antispam-Message-Info-Original: =?us-ascii?Q?BVtZU9efiXo3Q0GsJXFyr20s5srq3akcKufbiZnVw8PMj0n0HBOVgjZtOLrr?=
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:;PTR:;CAT:NONE;SFS:(13230040)(376014)(69100299015)(1800799024);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-Original-0: xDHVp8y4h8F70DbBpbVFOEJrgrwloh4JqHYfuaVOQSHyYAZZgWBDpkdyVu9CcVLUrZQeUMRHzU+cvbmMcJEzt4FeLgv+naIRcCcH4TDvN6+mh6zYT6CIDWVrwPZ6gvh+JjttlZ9rGKmHCTsVs/qx8dzeUTMGKOcqpn0Ih3hU9yLyX3EFCU2M1TYRVDkfXIiVLWU0bxghvXi8IOOiKo/Dxk8zzkQpPIkcO3ek60AgfAtYQ+mAajbRPL2kN3wMOq5ct9cmGnwHzYowHoEsKAzP9tTwqqgeyg4bPY1vFgG0zzZv3HPnTgc/1u8hiema6/+DHrThyuRBC4m49rS/49eK8CSht/e9k6Sme8EAzhFvrQmWk4Ui9r1b+ctwLdV9CNdKAhRn0p6Le3rpT1g0hr0WFY0JR7YFzJKkjDnaNy2D6aY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SY8PR01MB9205
X-MS-Exchange-Organization-ExpirationStartTime: 05 Jul 2024 05:47:48.4849
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 22fc8eca-295e-4568-5b4f-08dc9cb6006c
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: c9ba5ff1-50fb-443a-aa51-f8a979e6e6d1:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Transport-CrossTenantHeadersStripped: ML1PEPF0000F178.ausprd01.prod.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: ML1PEPF0000F178.ausprd01.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-AuthSource: ML1PEPF0000F178.ausprd01.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: 22fc8eca-295e-4568-5b4f-08dc9cb6006c
X-MS-Exchange-AtpMessageProperties: SA|SL
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;ARA:13230040|4073199012|5073199012|69100299015|2092899012|3072899012|3092899012|5062899012|13012899012|13102899012|12012899012;
X-Forefront-Antispam-Report: CIP:40.107.223.98;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM11-DM6-obe.outbound.protection.outlook.com;PTR:mail-dm6nam11on2098.outbound.protection.outlook.com;CAT:NONE;SFTY:9.25;SFS:(13230040)(4073199012)(5073199012)(69100299015)(2092899012)(3072899012)(3092899012)(5062899012)(13012899012)(13102899012)(12012899012);DIR:INB;SFTY:9.25;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Jul 2024 05:47:48.0787
X-MS-Exchange-CrossTenant-Network-Message-Id: 22fc8eca-295e-4568-5b4f-08dc9cb6006c
X-MS-Exchange-CrossTenant-Id: c9ba5ff1-50fb-443a-aa51-f8a979e6e6d1
X-MS-Exchange-CrossTenant-AuthSource: ML1PEPF0000F178.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.9191933
X-MS-Exchange-Processed-By-BccFoldering: 15.20.7741.016
X-Microsoft-Antispam-Mailbox-Delivery: dwl:1;ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(831239)(255002)(410001)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?wXGG3mciiVEP0eA3UUA6TE1w+QZ0Qlz9LkpfdpPAfeaqQ2AYh4HeayisXSlp?=
date: Fri, 05 Jul 2024 07:47:44 +0200

Icon Hash:c4e1928eacb280a2
No network behavior found

Target ID:0
Start time:01:55:26
Start date:05/07/2024
Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Priv_Kamrul Hasan invited you to access applications within their organization.msg"
Imagebase:0x640000
File size:34'446'744 bytes
MD5 hash:91A5292942864110ED734005B7E005C0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:2
Start time:01:55:28
Start date:05/07/2024
Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5BD4C67A-1450-4BB0-82FE-4D9A19C40EBD" "8FAB2F7E-0513-447A-86BE-2FB5CE6623DC" "8000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:0x7ff7ed9c0000
File size:710'048 bytes
MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

No disassembly