Edit tour

Windows Analysis Report
Message_2604337.eml

Overview

General Information

Sample name:	Message_2604337.eml
Analysis ID:	1560851
MD5:	7fd30e219be63bb9ecc1fcde0c93857f
SHA1:	173ac5134314de2f5ea516041507e921565e67e4
SHA256:	d039995511ef353213999f3df77b19bb19991068b098dafcc22863e9111cc568
Infos:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores files to the Windows start menu directory

Stores large binary data to the registry

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 7152 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Message_2604337.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6252 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "18656E1F-CC26-40D7-B08C-AEE9664C69CE" "9D45F24E-2324-45C1-B5CE-D1FD88284483" "7152" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 5504 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.benefitt.best/representaton.aspx?sets=Kzo2WUY7VCFSOUcsTjxHNCA= MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3660 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1944,i,7014618369789109582,11394782824861895470,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8064 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.benefitt.best/representaton.aspx?sets=Kzo2WUY7VCFSOUcsTjxHNCA= MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1268 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1948,i,15485599689338901972,10989529630386925692,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7152, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected potential phishing Email

Source: Email

Joe Sandbox AI: Detected potential phishing email: The email contains repetitive, nonsensical text patterns that are typical of spam/phishing attempts. The sender domain 'marylandchildcares.com' doesn't match with the purported Teams-related content. The email contains a suspicious URL with an unusual domain 'benefitt.best' and encoded parameters

Source: unknown	HTTPS traffic detected: 20.190.177.83:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.177.83:443 -> 192.168.2.16:49715 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.177.83

Source: global traffic	DNS traffic detected: DNS query: accounts.benefitt.best
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 20.190.177.83:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.177.83:443 -> 192.168.2.16:49715 version: TLS 1.2

Source: classification engine

Classification label: sus22.winEML@33/27@12/190