
Windows Analysis Report
Automatisation Microsoft 365.msg

Overview

General Information

Sample name:Automatisation Microsoft 365.msg
Analysis ID:1583778
MD5:92d5535060bbdd8eb827d820addcdcdf
SHA1:57f957b04340e278e16f43a5e192dcd307fd4c03
SHA256:dacde3640a13fc86fdf528e0c21f4b9b436befd8d98b34d295ced9eb4d0b9452
Infos:

Detection

unknown
Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected potential phishing Email
Email provider (Gateway / MTA) detected MSG / EML as spam/phishing/malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7976 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Automatisation Microsoft 365.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7292 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B4F7424D-FBC7-4E47-915A-ECCA77FC39CF" "3132605C-3EE8-448F-9E5C-F2836C5087CA" "7976" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma match (Office Autorun Keys Modification); Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00; EventID: 13; EventType: SetValue; Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; ProcessId: 7976; TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

Phishing

Source: Email; Joe Sandbox AI: Detected potential phishing email: The email contains inconsistent sender information: it shows two different email addresses (julie@digi-prem.com and contact@exceloco.com). The unsubscribe link uses a suspicious domain (vmtapz.fr) unrelated to the business domains mentioned. It contains typical mass-marketing/spam characteristics, with vague business services and a request for referral.
Source: Automatisation Microsoft 365.msg; Email attachment header: X-Microsoft-Antispam: BCL:9;ARA:13230040|5062899012|2092899012|3072899012|3092899012|13102899012|13012899012|12012899012|5073199012|69100299015|8096899003|4076899003;
Source: Email; Classification: unknown
Source: Automatisation Microsoft 365.msg; String found in binary or memory: https://aka.ms/LearnAboutSenderIdentification
Source: Automatisation Microsoft 365.msg; String found in binary or memory: https://www.exceloco.com
Source: Automatisation Microsoft 365.msg; String found in binary or memory: https://www.vmtapz.fr/HIMEADJG/847802/ceRvW/5185
Source: Automatisation Microsoft 365.msg; String found in binary or memory: https://www.vmtapz.fr/STZOWQRP847802S95611.png
Source: classification engine; Classification label: mal48.winMSG@3/4@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250103T0908310859-7976.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Automatisation Microsoft 365.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B4F7424D-FBC7-4E47-915A-ECCA77FC39CF" "3132605C-3EE8-448F-9E5C-F2836C5087CA" "7976" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX (61 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK matrix (tactic: techniques; a number before a technique is the signature count as shown in the report)

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
  • Persistence: 11 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows)
  • Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
  • Defense Evasion: 1 Masquerading; 1 Process Injection; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: 1 Process Discovery; 13 System Information Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

No Antivirus matches
URL scan results (Source; Detection; Scanner; Label):
  • https://www.exceloco.com; 0%; Avira URL Cloud; safe
  • https://www.vmtapz.fr/HIMEADJG/847802/ceRvW/5185; 0%; Avira URL Cloud; safe
  • https://www.vmtapz.fr/STZOWQRP847802S95611.png; 0%; Avira URL Cloud; safe
Domains (Name; IP; Active; Malicious; Antivirus Detection; Reputation):
  • s-part-0017.t-0009.t-msedge.net; 13.107.246.45; true; false; none; high
URLs (Name; Source; Malicious; Antivirus Detection; Reputation):
  • https://www.vmtapz.fr/HIMEADJG/847802/ceRvW/5185; Automatisation Microsoft 365.msg; false; Avira URL Cloud: safe; unknown
  • https://www.exceloco.com; Automatisation Microsoft 365.msg; false; Avira URL Cloud: safe; unknown
  • https://www.vmtapz.fr/STZOWQRP847802S95611.png; Automatisation Microsoft 365.msg; false; Avira URL Cloud: safe; unknown
  • https://aka.ms/LearnAboutSenderIdentification; Automatisation Microsoft 365.msg; false; none; high
      No contacted IP infos
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1583778
      Start date and time:2025-01-03 15:07:20 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 16s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:8
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:Automatisation Microsoft 365.msg
      Detection:MAL
      Classification:mal48.winMSG@3/4@0/0
      Cookbook Comments:
      • Found application associated with file extension: .msg
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.68.129, 2.16.168.101, 2.16.168.119, 13.69.239.77, 13.107.246.45, 20.12.23.50, 40.126.32.133, 23.56.254.165, 4.175.87.197
      • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, storeedgefd.dsx.mp.microsoft.com, a1864.dscd.akamai.net, ecs.office.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, onedscolprdneu09.northeurope.cloudapp.azure.com, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
• Not all processes were analyzed; the report is missing behavior information
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtReadVirtualMemory calls found.
      No simulations
      No context
Match: s-part-0017.t-0009.t-msedge.net (Associated Sample Name / URL; Detection; Threat Name; Context):
  • http://www.klim.com; malicious; Unknown; 13.107.246.45
  • Reparto Trabajo TP4.xlsm; malicious; Unknown; 13.107.246.45
  • file.exe; malicious; XRed; 13.107.246.45
  • file.exe; malicious; XRed; 13.107.246.45
  • file.exe; malicious; XRed; 13.107.246.45
  • file.exe; malicious; XRed; 13.107.246.45
  • file.exe; malicious; XRed; 13.107.246.45
  • file.exe; malicious; XRed; 13.107.246.45
  • file.exe; malicious; XRed; 13.107.246.45
  • file.exe; malicious; XRed; 13.107.246.45
      No context
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):94208
      Entropy (8bit):4.434762154076388
      Encrypted:false
      SSDEEP:768:LQvn2IsZVoJLKlcifTdz4aW/7y9y7mWVXMrPp1WyW/F6uFF4:LQvSa+4ah9y7nVXkKy
      MD5:7AA0E7EF96A2946A4D2CD5DF5FE0A7FF
      SHA1:18A33E3D19062A92614873D7ED7169799884A0FE
      SHA-256:27B7D551FB53176C8FF9F6A60393C6A4D59D55281136A5A19F7BADC6D9516A30
      SHA-512:1F74EAE4669F74AF2CAF407187FF776BD095086F4638FECF982238486D33FCB0C8645AABDCC522B5ACE6ADB34621AAE180C3FD27EC7A253998E1C224E58CA5A7
      Malicious:false
      Reputation:low
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):163840
      Entropy (8bit):0.3786553992394212
      Encrypted:false
      SSDEEP:384:62ITIM+dyKrNWo0smBM0UOs07iXHOoqM:6CdRrkoAMus07iXHO5M
      MD5:DAB3DED58BF9F331628AE68D7271928A
      SHA1:55E35849B733AEB27CB2BEB394BF67944AFD1511
      SHA-256:8A2E6ED31EFC8225833E0C5DFE53A8DC33B07E9B363D57EA56DBE41052E3740F
      SHA-512:5508B68B53E0E07C5C92FB984BD32CC7ECCC3EFD47C3BD0ABC82BA9FE05ABD8D72402BC2C12463BC5974583AFAA86188FC3AE325158BAB285A47E090D56C2064
      Malicious:false
      Reputation:low
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:Microsoft Outlook email folder (>=2003)
      Category:dropped
      Size (bytes):271360
      Entropy (8bit):1.5323511812698858
      Encrypted:false
      SSDEEP:768:EQclSzJvsHqygHpQpFKs3oLnGb8Bfv8BUTIZ:hdiqBHpWTbefveNZ
      MD5:68F3A0A4870CEE75308DE9FADB6858B5
      SHA1:036B79B5BA8D37F5C4D9DF010EF66435E2CDB22B
      SHA-256:1A2F7795097D2EC36B898A866DC3B1B9EF08EDF1E0A0D1C78B4177FB94212A68
      SHA-512:2F3F0965CFCD7BB9C4ECB20CF81680F0AED9DDA1AEA4CCACA02C2F339443EF54DC1F3D20337DC561D368F8116381F0D3BED38659DC2B6AA28B66431DCE1F7D8A
      Malicious:true
      Reputation:low
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.7953073105214025
      Encrypted:false
      SSDEEP:192:ixlzCHf1L9xPrMctotLqGsl7IDyW4Ni1R434Nvz:FHfZPrZWOl7uyWV1Rl
      MD5:F2EB55A46A2DC1F12F1E51D3CE0363EB
      SHA1:B1600754A96930BD5F05602EAD8F4BF94293E968
      SHA-256:14F8073832539F2B43306F4B00B83C58CB5D5F7C60C514DAA4F5672153FE3287
      SHA-512:81DE7CDA6A7961C4942A55BFBA53779A9CE7911E7259B73588FA6A4631064D1FFDBB3EC3B348F349A657B0B2C2F5A6AD9029967A99F5836547BA5947D46A350E
      Malicious:true
      Reputation:low
      File type:CDFV2 Microsoft Outlook Message
      Entropy (8bit):4.276726200606895
      TrID:
      • Outlook Message (71009/1) 58.92%
      • Outlook Form Template (41509/1) 34.44%
      • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
      File name:Automatisation Microsoft 365.msg
      File size:73'216 bytes
      MD5:92d5535060bbdd8eb827d820addcdcdf
      SHA1:57f957b04340e278e16f43a5e192dcd307fd4c03
      SHA256:dacde3640a13fc86fdf528e0c21f4b9b436befd8d98b34d295ced9eb4d0b9452
      SHA512:81c3d0b334d172bf1ff4ec5a098a54bfa9d2106df85117b1b4b7c94d7d0a35ac76cd471f5c891c2b3a303bb0bc4d4184c40e8d9d040ed322084572a4232f7a3c
      SSDEEP:768:rB52D7nkcYg4BXZ/CgY3DWsKHWsKQ2XXvYB4NP3/WsK76FsxwDNhA1xdOlmX1Wsh:d52HkLg4XZ/QzWfWEavWmFsOlmlWV
      TLSH:7C63552136FA5115F2B7AF314EF690938937BDD2AD25C55F3181334E0AB2941D8A2B3B
      Subject:Automatisation Microsoft 365
      From:Julie Bellet <julie@digi-prem.com>
      To:"imad.tayaa@sanef.com" <imad.tayaa@sanef.com>
      Cc:
      BCC:
      Date:Sat, 21 Dec 2024 13:20:23 +0100
      Communications:
• You don't often get email from julie@digi-prem.com. Learn why this is important <https://aka.ms/LearnAboutSenderIdentification> [EXTERNAL EMAIL] DO NOT CLICK on links or attachments unless you recognize the sender and have verified that the content is safe. Hello, We specialize in creating dashboards and macros for Excel, VBA, Microsoft 365, Access... but also in no-code automation. Here are some examples of possible uses: -Process automation -Organizing employee training -Financial reporting & management -Staff & expense management table -Database creation -Pivot tables -Stock & asset management table -Consolidation of data from different sources -Data analysis, retrieval and entry -Management and steering of sales activity -Financial analysis (ratio calculation, cash flow, intermediate management balances...) -Sales projections by sector -Automated reporting -Simply adding formulas Everything is possible with databases! Do you have needs along these lines? If I have not reached the right person, could you point me to a colleague who might have this type of need? Wishing you a lovely day, Julie Business Development contact@exceloco.com https://www.exceloco.com 01 87 65 14 00 To unsubscribe, follow this link <https://www.vmtapz.fr/HIMEADJG/847802/ceRvW/5185> . <https://www.vmtapz.fr/STZOWQRP847802S95611.png>
      Attachments:
        Key Value
        Received: by srv1.vmtapz.fr id hcqpae1tkgoq for <imad.tayaa@sanef.com>; Sat, 21 Dec 2024 13:20:22 +0100 (envelope-from <julie@digi-prem.com>)
        PR0P264MB3882.FRAP264.PROD.OUTLOOK.COM with HTTPS; Sat, 21 Dec 2024 12:21:43
        by MR1P264MB2004.FRAP264.PROD.OUTLOOK.COM (2603:10a6:501:2::11) with
        2024 12:20:56 +0000
        (2603:10a6:102:2ce::8) with Microsoft SMTP Server (version=TLS1_3,
        21 Dec 2024 12:20:56 +0000
        Authentication-Results: spf=pass (sender IP is 91.209.245.197)
        Received-SPF: Pass (protection.outlook.com: domain of digi-prem.com designates
        15.20.8251.15 via Frontend Transport; Sat, 21 Dec 2024 12:20:56 +0000
        DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=digi-prem.com;
        h=Date:To:From:Reply-to:Subject:Message-ID:MIME-Version:Content-Transfer-Encoding:Content-Type; i=julie@digi-prem.com;
        DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=digi-prem.com;
        Date: Sat, 21 Dec 2024 13:20:23 +0100
        Return-Path: julie@digi-prem.com
        To: "imad.tayaa@sanef.com" <imad.tayaa@sanef.com>
        From: Julie Bellet <julie@digi-prem.com>
        Reply-to: Julie Bellet <julie@digi-prem.com>
        Subject: Automatisation Microsoft 365
        Message-ID: <219896e573416624d0968ffc2a87d7ec@localhost.localdomain>
        Importance: normal
        MIME-Version: 1.0
        Content-Transfer-Encoding: base64
        Content-Type: text/html; charset="utf-8"
        X-MS-Exchange-Organization-ExpirationStartTime: 21 Dec 2024 12:20:56.3273
        X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
        X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
        X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
        X-MS-Exchange-Organization-Network-Message-Id: 19207ed7-4a9f-40ee-3871-08dd21b9ebaf
        X-EOPAttributedMessage: 0
        X-EOPTenantAttributedMessage: 37e2c3f8-d936-4d6a-af0f-922879a4b5de:0
        X-MS-Exchange-Organization-MessageDirectionality: Incoming
        X-MS-PublicTrafficType: Email
        X-MS-TrafficTypeDiagnostic: PA3PEPF000089BA:EE_|MR1P264MB2004:EE_|PR0P264MB3882:EE_
        X-MS-Exchange-Organization-AuthSource: PA3PEPF000089BA.FRAP264.PROD.OUTLOOK.COM
        X-MS-Exchange-Organization-AuthAs: Anonymous
        X-MS-Office365-Filtering-Correlation-Id: 19207ed7-4a9f-40ee-3871-08dd21b9ebaf
        X-MS-Exchange-AtpMessageProperties: SA|SL
        X-MS-Exchange-Organization-SCL: 5
        X-Forefront-Antispam-Report: CIP:91.209.245.197;CTRY:FR;LANG:fr;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:srv2.vmtapz.fr;PTR:srv2.vmtapz.fr;CAT:SPM;SFTY:9.25;SFS:(13230040)(5062899012)(2092899012)(3072899012)(3092899012)(13102899012)(13012899012)(12012899012)(5073199012)(69100299015)(8096899003)(4076899003);DIR:INB;SFTY:9.25;
        X-Microsoft-Antispam: BCL:9;ARA:13230040|5062899012|2092899012|3072899012|3092899012|13102899012|13012899012|12012899012|5073199012|69100299015|8096899003|4076899003;
        X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Dec 2024 12:20:56.3117
        X-MS-Exchange-CrossTenant-Network-Message-Id: 19207ed7-4a9f-40ee-3871-08dd21b9ebaf
        X-MS-Exchange-CrossTenant-Id: 37e2c3f8-d936-4d6a-af0f-922879a4b5de
        X-MS-Exchange-CrossTenant-AuthSource: PA3PEPF000089BA.FRAP264.PROD.OUTLOOK.COM
        X-MS-Exchange-CrossTenant-AuthAs: Anonymous
        X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
        X-MS-Exchange-Transport-CrossTenantHeadersStamped: MR1P264MB2004
        X-MS-Exchange-Transport-EndToEndLatency: 00:00:47.0048054
        X-MS-Exchange-Processed-By-BccFoldering: 15.20.8272.000
        X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(910001)(944506478)(944626604)(920097)(930097)(3100021)(140003);RF:JunkEmail;
        X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?AyVzuVCuzLBSRoTH9ARiSaeR7yoqbyKtLdHuTvSPJU/d4/bTCD9tV3Y/IZl+?=
        date: Sat, 21 Dec 2024 13:20:23 +0100
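The header table above carries the evidence a triager would check by hand: the Exchange verdict (SCL 5, CAT:SPM, BCL 9, dest:J), an SPF pass for digi-prem.com even though the host handing the message to Exchange is srv2.vmtapz.fr, a DKIM signature using the rsa-sha1 algorithm that RFC 8301 forbids, a Message-ID minted on localhost.localdomain, and body links and a contact address on domains other than the From domain. The following Python script is an added example, not part of the Joe Sandbox report, that parses those headers and the body links into a checklist of findings. The header block and link list it uses are constructed from the values on this page, abbreviated to the fields the checks need; the two-label "registered domain" heuristic is an assumption that is adequate for the .fr and .com names here but not for multi-label public suffixes such as .co.uk.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: header values copied from the header table of this
# report (only the headers the checks need, not the full raw message). The DKIM
# "h=" line is indented so that continuation-line folding is exercised.
SAMPLE_HEADERS = """\
Return-Path: julie@digi-prem.com
From: Julie Bellet <julie@digi-prem.com>
Reply-to: Julie Bellet <julie@digi-prem.com>
To: "imad.tayaa@sanef.com" <imad.tayaa@sanef.com>
Subject: Automatisation Microsoft 365
Message-ID: <219896e573416624d0968ffc2a87d7ec@localhost.localdomain>
Authentication-Results: spf=pass (sender IP is 91.209.245.197)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=digi-prem.com;
 h=Date:To:From:Reply-to:Subject:Message-ID; i=julie@digi-prem.com;
X-MS-Exchange-Organization-SCL: 5
X-Forefront-Antispam-Report: CIP:91.209.245.197;CTRY:FR;LANG:fr;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:srv2.vmtapz.fr;PTR:srv2.vmtapz.fr;CAT:SPM;SFTY:9.25;DIR:INB;
X-Microsoft-Antispam: BCL:9;ARA:13230040|5062899012|2092899012;
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:J;OFR:SpamFilterAuthJ;RF:JunkEmail;
"""

# Constructed sample input: the links and the signature contact found in the body.
SAMPLE_BODY_LINKS = [
    "https://www.vmtapz.fr/HIMEADJG/847802/ceRvW/5185",
    "https://www.vmtapz.fr/STZOWQRP847802S95611.png",
    "https://www.exceloco.com",
]
SAMPLE_BODY_CONTACT = "contact@exceloco.com"


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name.
    Lines starting with whitespace are folded onto the previous header."""
    headers, last = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers


def parse_kv_list(value: str) -> dict:
    """Parse Exchange-style 'k:v;k:v;' lists (X-Forefront-Antispam-Report etc.).
    Only the first colon separates key from value, so 'c:x:y' yields c -> 'x:y'."""
    out = {}
    for item in value.split(";"):
        if ":" in item:
            k, v = item.split(":", 1)
            out[k.strip()] = v.strip()
    return out


def address_domain(value: str) -> str:
    """Domain of the first e-mail address (or Message-ID) in a header value."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", value)
    return m.group(1).lower() if m else ""


def registered_part(host: str) -> str:
    """Assumed 'registered domain' heuristic: the last two labels of a host name."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_message(raw_headers: str, body_links: list, body_contact: str) -> dict:
    """Combine the Exchange filter verdict with domain-consistency checks."""
    h = parse_headers(raw_headers)
    report = parse_kv_list(h.get("x-forefront-antispam-report", ""))
    delivery = parse_kv_list(h.get("x-microsoft-antispam-mailbox-delivery", ""))
    antispam = parse_kv_list(h.get("x-microsoft-antispam", ""))
    from_domain = address_domain(h.get("from", ""))
    relay = report.get("H", "")                      # host that handed the mail to Exchange
    dkim_match = re.search(r"\ba=([\w-]+)", h.get("dkim-signature", ""))
    dkim_alg = dkim_match.group(1) if dkim_match else ""
    scl = int(h.get("x-ms-exchange-organization-scl", report.get("SCL", "-1")))
    bcl = int(antispam.get("BCL", "-1"))
    link_domains = {registered_part(urlparse(u).hostname or "") for u in body_links}
    foreign_links = sorted(d for d in link_domains if d != registered_part(from_domain))
    contact_domain = address_domain(body_contact)
    msgid_domain = address_domain(h.get("message-id", ""))

    findings = []
    if scl >= 5:
        findings.append(f"SCL {scl}: Exchange rated the message spam (CAT={report.get('CAT', '?')})")
    if delivery.get("dest") == "J":
        findings.append("mailbox delivery routed the message to Junk (dest:J)")
    if bcl >= 7:
        findings.append(f"BCL {bcl}: bulk sender with a high complaint level")
    if relay and registered_part(relay) != registered_part(from_domain):
        findings.append(f"From domain {from_domain} was handed to Exchange by unrelated host {relay}")
    if foreign_links:
        findings.append("body links point to domains other than the sender's: " + ", ".join(foreign_links))
    if contact_domain and registered_part(contact_domain) != registered_part(from_domain):
        findings.append(f"signature contact {body_contact} does not match From domain {from_domain}")
    if dkim_alg == "rsa-sha1":
        findings.append("DKIM signature uses rsa-sha1, which RFC 8301 forbids for signing and verifying")
    if "localhost" in msgid_domain:
        findings.append(f"Message-ID was generated on {msgid_domain}, not on the sender's mail system")

    return {
        "scl": scl,
        "category": report.get("CAT", ""),
        "junk": delivery.get("dest") == "J",
        "from_domain": from_domain,
        "relay": relay,
        "dkim_algorithm": dkim_alg,
        "foreign_link_domains": foreign_links,
        "findings": findings,
    }


if __name__ == "__main__":
    result = assess_message(SAMPLE_HEADERS, SAMPLE_BODY_LINKS, SAMPLE_BODY_CONTACT)
    print(f"SCL={result['scl']} CAT={result['category']} junk={result['junk']}")
    for finding in result["findings"]:
        print(" -", finding)
```

The filter verdict and the consistency checks are kept separate on purpose: spf=pass only says that 91.209.245.197 is authorised to send for digi-prem.com, and because Return-Path, From, Reply-to and the DKIM d= tag all name digi-prem.com the message satisfies DMARC's identifier alignment as well. What distinguishes it is everything the authenticated domain does not vouch for: the relay host, the unsubscribe and image links, and the contact address, which all sit on other domains.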

        Icon Hash:c4e1928eacb280a2
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Jan 3, 2025 15:08:25.353312016 CET | 1.1.1.1 | 192.168.2.7 | 0x8d32 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
        Jan 3, 2025 15:08:25.353312016 CET | 1.1.1.1 | 192.168.2.7 | 0x8d32 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false

        Target ID:1
        Start time:09:08:27
        Start date:03/01/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        Wow64 process (32bit):true
        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Automatisation Microsoft 365.msg"
        Imagebase:0xd00000
        File size:34'446'744 bytes
        MD5 hash:91A5292942864110ED734005B7E005C0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:2
        Start time:09:08:34
        Start date:03/01/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B4F7424D-FBC7-4E47-915A-ECCA77FC39CF" "3132605C-3EE8-448F-9E5C-F2836C5087CA" "7976" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
        Imagebase:0x7ff724db0000
        File size:710'048 bytes
        MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        No disassembly