Edit tour

Windows Analysis Report
original.eml

Overview

General Information

Sample name:	original.eml
Analysis ID:	1590925
MD5:	96c43f66e14e2fa5782d19584b26f335
SHA1:	3e56151ad9584754141986f6374fac15afe157e0
SHA256:	44c374171a3dfc7380266297d4952b51e3c81980fdcf9c17b8a61278198fffca

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

AI detected suspicious elements in Email content

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Stores large binary data to the registry

Classification

Process Tree

System is w11x64_office

OpenWith.exe (PID: 3352 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: 2FBBFE3E8211307BC4124357A9A9951B)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected landing page (webpage, office document or email)

Source: Email

Joe Sandbox AI: Email contains prominent button: 'signer le rapport'

AI detected suspicious elements in Email content

Source: Email

Joe Sandbox AI: Detected potential phishing email: The email contains suspicious URLs with access tokens and auth tokens that are common in phishing attempts. The recipient address contains 'phisher.knowbe4.com' which indicates this is likely a phishing simulation. The email attempts to get the user to click on links to 'sign a report' which is a common phishing tactic

Source: Email

Classification: Credential Stealer

Source: classification engine

Classification label: mal48.winEML@1/0@0/0

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.internal.openwithhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.system.launcher.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.pcshell.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wincorlib.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.xaml.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: languageoverlayutil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowsudk.shellcommon.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiamanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directxdatabasehelper.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: winuicohabitation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.xaml.controls.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: cfgmgr32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.energy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.graphics.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: starttiledata.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: rtmediaframe.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: threadpoolwinrt.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pfclient.dll

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Windows\System32\OpenWith.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults data

Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\SegUIVar.ttf VolumeInformation

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	21 Browser Extensions	1 DLL Side-Loading	1 Modify Registry	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590925
Start date and time:	2025-01-14 15:39:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	original.eml
Detection:	MAL
Classification:	mal48.winEML@1/0@0/0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "explanation": [ "The email contains suspicious URLs with access tokens and auth tokens that are common in phishing attempts", "The recipient address contains 'phisher.knowbe4.com' which indicates this is likely a phishing simulation", "The email attempts to get the user to click on links to 'sign a report' which is a common phishing tactic" ], "phishing": true, "confidence": 9, "generated_by_ai": false }
{ "date": "Tue, 14 Jan 2025 14:24:57 +0000", "subject": "[Phish Alert] BT154296 Rapport", "communications": [ "Vous nobtenez pas souvent de-mail partir de shamil@techlift.ca. Pourquoi cest important<https://aka.ms/LearnAboutSenderIdentification>\n\nAvertissement: Ce courriel provient d'un expditeur externe. Ne cliquez sur aucun lien et n'ouvrez pas de pice jointe, sauf si vous connaissez l'expditeur et si le contenu est fiable\n\nVotre Tche\nBT154296 [TECHLIFT (SIGE SOCIAL)]\n________________________________\n\nCher METALUS PLAN VICTORIAVILLE,\n\nVoici le rapport de notre intervention sur site.\n\n\nSigner le rapport <http://www.techlift.ca/my/task/166767/worksheet/fsm?access_token=b8f79f62-9a1a-4f0f-8b02-ad8868e93ff6>\n\nN'hsitez pas nous contacter si vous avez des questions.\n\n\nCordialement,\n\n\nVoir Tche <http://www.techlift.ca/mail/view?model=project.task&res_id=166767&access_token=b8f79f62-9a1a-4f0f-8b02-ad8868e93ff6&auth_signup_token=eTAQ1X91NMP6dRJVqneq>\n________________________________\nTECHLIFT (SIGE SOCIAL)\n1 833 Techlift \| web@techlift.ca<mailto:web@techlift.ca> \| http://www.techlift.ca <http://www.techlift.ca/>\nFourni par Odoo<https://www.odoo.com/?utm_source=db&utm_medium=email>\n\nDany Ratte\n\nDirecteur des achats\n819-475-3114 #226\n\nVictoriaville, QC\n\n[https://raw.githubusercontent.com/Metalus-Inc/signature/main/logocarteMetalusBleuWhiteSmall.png]\n[https://raw.githubusercontent.com/Metalus-Inc/signature/main/logofacebooksmall.png]<https://www.facebook.com/MetalusInc/> [https://raw.githubusercontent.com/Metalus-Inc/signature/main/logolinkedsmall.png] <https://ca.linkedin.com/company/m-talus> [https://raw.githubusercontent.com/Metalus-Inc/signature/main/logoinstasmall.png] <https://www.instagram.com/metalusinc/>\n[https://raw.githubusercontent.com/Metalus-Inc/signature/main/FR-SCEAU%20300%20PME%20-%202024.png]\n" ], "from": "Dany Ratte <dany.ratte@metalus.qc.ca>", "to": "\"c9025caf-ebfb-4a55-8a88-3cf1915dac7c@ca.phisher.knowbe4.com\" <c9025caf-ebfb-4a55-8a88-3cf1915dac7c@ca.phisher.knowbe4.com>", "attachements": [ "Worksheet BT154296 - METALUS PLAN VICTORIAVILLE.pdf", "phish_alert_sp2_2.0.0.0.eml" ] }
URL: email Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": [ "SPF check passed for the domain metalus.qc.ca", "Email sent through legitimate Microsoft Office 365 infrastructure", "Low spam scores (SCL:1, BCL:0) from Microsoft's filtering", "Consistent internal Microsoft Exchange headers", "Valid DKIM signature from metalusinc.onmicrosoft.com", "Message routing through official Microsoft Exchange servers", "Return-path matches sender domain", "While DMARC shows 'none', this is common with Office 365 tenants" ] }
Date: Tue, 14 Jan 2025 14:24:57 +0000 Key: mime-version Value: 1.0 Key: x-ms-exchange-crosstenant-authas Value: Internal Key: return-path Value: <dany.ratte@metalus.qc.ca> Key: x-microsoft-antispam-message-info Value: zKeCm3TVVekPyy24gv9kqkqwTB8j9HKUdeQso/WtTY/DNTjvTNgLVIqJ5ToucI0jhTJhoKzi3+X2sKcntCNGaR2O1I2sJtGlD/s9RobZLYvLXzrv/wg03R6xUbILys4xxxnfHQoQQ9UrQOv3gI84BPOFogeIus3lfcgcSq1imcIbk9E2IWySaEXM4AvkF8OIQ3Uo+5H98XnB43tF6K6uNPPSsT3RyVmYq9Uiu/ZIcAvChvyoDXJlaowhMOpap5M96LBD17toqcWbbcohi2G2EqFJR5kTR8lxher63jGnNihC7bHT9VxQszm8b9i9+6JbPBuZqgWcSFzekBVb5xT1aBRH6l4Xsnb0QGnP8YDrVdkOHSRTcXdtyiFIC3+RI1r8itHNp7p1Wi3j9W30uQUCDNyR66afCcnTlkDPKb0DSQYSGC+JCmoY4bHIygOWWq2558kdSMd3BBzzXJgshw3iaCL5MbDNbhsne1LOARZ+bJ8QguM8XFFdpLNA77Kj94NACuzfhfexxPxhAxO13ayyqxE94ZCvwnNZrMwlVKoUvBZP1k7vdAYe7tQoCQoZJhPLzb6On4HvoPsmBvAtYcwloD2cISzRJT0hFQJr8NxI9YegEP650QWZvmFrf2v+p7mrS3bq01bLBvEEiQiI3fJtmpIQdL3+5n5wtq2IUUqQSXl3lyjd4GxMPgwnJo/7030H7L/g0mkpFXJ2zymu4goR8/Qe3QWZQVy4rv2WGj4u4Daz6LCZOxTFqcX1Mr6lTkcFr/bxgLnvfc+oNINfwZfSy22vnTZPOO6J/4J/UrF6G+nDv0cKtG8JquITkzYv9F05Li7BLfA1ZedDQv6kH20GWOAG1a65PBG928K4V+q5yM1ZqLbSicAwvvN0ZaRKYVnWHG6TecY7CzZPxPIV6cTPoZ41EvYG7ZcULKDrXzotDr+5eYKYpcpVdeIdspcx1SNJbaZ+x8TCFn6m+KWm3QWC48yQy1Ra1ekj1GQ6IeQ/EA2F9roPiksoSrp2tNsIWBuzl/c4JfekjzU0g3oKIYZlhMQr4AHYCPHQJPuwq3cI5nCsw5PZextfF/9FwuvABkfZVwYMvfWgqN5XYT8y/3HuWk7dUg2DpyOBQkdhtn7TUTGs3JpgBIDt/423Ojd7XbjmlMg48u5xD7Zpf6L0gPOxvyjQ6etbS+ogEI6apcekSxiTw4YS03ELk6DSiR3XR7E3AA6G1ChHR24YoFvDH6RtiObZAcY+gzdgJOq3v1GWvrAvdm4PtPXpoKepGiVifqzcnZf930GRupPLFa4I6R3G061DdX9sRb8GGt9Xwn3Wq5x9j7VBG2Iy8/pZaoz9E2cs Key: x-ms-exchange-crosstenant-originalarrivaltime Value: 14 Jan 2025 14:24:57.6486 (UTC) Key: received-spf Value: pass (spfCheck: domain of metalus.qc.ca designates 52.101.189.103 as permitted sender) client-ip=52.101.189.103; envelope-from=dany.ratte@metalus.qc.ca; helo=YT3PR01CU008.outbound.protection.outlook.com; Key: message-id Value: <YT2PR01MB5902B2566F657096A055BC3AD7182@YT2PR01MB5902.CANPRD01.PROD.OUTLOOK.COM> Key: content-type Value: multipart/mixed; boundary="_005_YT2PR01MB5902B2566F657096A055BC3AD7182YT2PR01MB5902CANP_" Key: authentication-results Value: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=metalus.qc.ca; Key: x-ms-exchange-senderadcheck Value: 1 Key: dkim-signature Value: v=1; a=rsa-sha256; c=relaxed/relaxed; d=metalusinc.onmicrosoft.com; s=selector1-metalusinc-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TTvxgXKer2vt3XR3QBQ2lY0QCes2bNnZ1xyXDUZyLfw=; b=ZoXXaANQ7dGqf0efAYt1YGblpEzpD1pHwD4X0novC7z1wqRFmAs5jaBgWxnKy5Tg//d+V3eLBYOjWKVzc56M4t16vMGw8QlwFIzLt6t/3omSHU5nuf6u6/50XKIbPba10neNanV+BenNc3KdXRb0oD12P+u2rF9PBX5o3bAMYW0= Key: x-forefront-antispam-report Value: CIP:255.255.255.255;CTRY:;LANG:fr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:YT2PR01MB5902.CANPRD01.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(69100299015)(376014)(1800799024)(366016)(8096899003)(38070700018);DIR:OUT;SFP:1102; Key: received Value: from YT2PR01MB5902.CANPRD01.PROD.OUTLOOK.COM ([fe80::7c97:a276:a7af:a379]) by YT2PR01MB5902.CANPRD01.PROD.OUTLOOK.COM ([fe80::7c97:a276:a7af:a379%3]) with mapi id 15.20.8356.010; Tue, 14 Jan 2025 14:24:57 +0000 Key: x-microsoft-antispam Value: BCL:0;ARA:13230040\|69100299015\|376014\|1800799024\|366016\|8096899003\|38070700018;
URL: Email Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Voici le rapport de notre intervention sur site.", "prominent_button_name": "Signer le rapport", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: PDF document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "groover les tire arrieres et ajuster le cinch pedal", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Email Model: Joe Sandbox AI	{ "brands": [ "Techlift" ] }
	{ "brands": [ "Techlift" ] }
URL: PDF document Model: Joe Sandbox AI	{ "brands": [ "Techlift" ] }
	{ "brands": [ "Techlift" ] }
URL: Email Model: Joe Sandbox AI	{"classification":"Credential Stealer"}
Email: Detected potential phishing email: The email contains suspicious URLs with access tokens and auth tokens that are common in phishing attempts. The recipient address contains 'phisher.knowbe4.com' which indicates this is likely a phishing simulation. The email attempts to get the user to click on links to 'sign a report' which is a common phishing tactic	{"classification":"Credential Stealer"}

File type:	SMTP mail, ASCII text, with very long lines (459), with CRLF line terminators
Entropy (8bit):	6.047194286417916
TrID:	E-Mail message (Var. 1) (20512/2) 100.00%
File name:	original.eml
File size:	243'555 bytes
MD5:	96c43f66e14e2fa5782d19584b26f335
SHA1:	3e56151ad9584754141986f6374fac15afe157e0
SHA256:	44c374171a3dfc7380266297d4952b51e3c81980fdcf9c17b8a61278198fffca
SHA512:	0790b3e18b9d5de82245545286cf8bcb60ddfcd05b5299be51fbdb9414c7fc6f27a8b5dd81cc536f6ff67a62c1f4094092cf2905b40b4a4ae66658cec66295be
SSDEEP:	6144:h4ISuDv4U4ArXuT4PVNR58c4cdX9OiZxdlyeghmUpd0gFs/Xz:h4IShAXu0Vp4AgiZxfyegP2z
TLSH:	E534CE37938029A4CB55492BD017767E3FB41BC7CDB128FD279ABE2B978CCB29194148
File Content Preview:	Return-Path: <dany.ratte@metalus.qc.ca>..Received: from YT3PR01CU008.outbound.protection.outlook.com (mail-canadacentralazon11020103.outbound.protection.outlook.com [52.101.189.103]).. by inbound-smtp.us-east-1.amazonaws.com with SMTP id 4ipabbfal85lj03ot

Static Mail

General

Subject:	[Phish Alert] BT154296 Rapport
From:	Dany Ratte <dany.ratte@metalus.qc.ca>
To:	"c9025caf-ebfb-4a55-8a88-3cf1915dac7c@ca.phisher.knowbe4.com" <c9025caf-ebfb-4a55-8a88-3cf1915dac7c@ca.phisher.knowbe4.com>
Cc:
BCC:
Date:	Tue, 14 Jan 2025 14:24:57 +0000
Communications:	Vous nobtenez pas souvent de-mail partir de shamil@techlift.ca. Pourquoi cest important<https://aka.ms/LearnAboutSenderIdentification> Avertissement: Ce courriel provient d'un expditeur externe. Ne cliquez sur aucun lien et n'ouvrez pas de pice jointe, sauf si vous connaissez l'expditeur et si le contenu est fiable Votre Tche BT154296 [TECHLIFT (SIGE SOCIAL)] ________________________________ Cher METALUS PLAN VICTORIAVILLE, Voici le rapport de notre intervention sur site. Signer le rapport <http://www.techlift.ca/my/task/166767/worksheet/fsm?access_token=b8f79f62-9a1a-4f0f-8b02-ad8868e93ff6> N'hsitez pas nous contacter si vous avez des questions. Cordialement, Voir Tche <http://www.techlift.ca/mail/view?model=project.task&res_id=166767&access_token=b8f79f62-9a1a-4f0f-8b02-ad8868e93ff6&auth_signup_token=eTAQ1X91NMP6dRJVqneq> ________________________________ TECHLIFT (SIGE SOCIAL) 1 833 Techlift \| web@techlift.ca<mailto:web@techlift.ca> \| http://www.techlift.ca <http://www.techlift.ca/> Fourni par Odoo<https://www.odoo.com/?utm_source=db&utm_medium=email> Dany Ratte Directeur des achats 819-475-3114 #226 Victoriaville, QC [https://raw.githubusercontent.com/Metalus-Inc/signature/main/logocarteMetalusBleuWhiteSmall.png] [https://raw.githubusercontent.com/Metalus-Inc/signature/main/logofacebooksmall.png]<https://www.facebook.com/MetalusInc/> [https://raw.githubusercontent.com/Metalus-Inc/signature/main/logolinkedsmall.png] <https://ca.linkedin.com/company/m-talus> [https://raw.githubusercontent.com/Metalus-Inc/signature/main/logoinstasmall.png] <https://www.instagram.com/metalusinc/> [https://raw.githubusercontent.com/Metalus-Inc/signature/main/FR-SCEAU%20300%20PME%20-%202024.png]
Attachments:	Worksheet BT154296 - METALUS PLAN VICTORIAVILLE.pdf phish_alert_sp2_2.0.0.0.eml

Headers

Key	Value
Return-Path	<dany.ratte@metalus.qc.ca>
Received	from YT2PR01MB5902.CANPRD01.PROD.OUTLOOK.COM ([fe80::7c97:a276:a7af:a379]) by YT2PR01MB5902.CANPRD01.PROD.OUTLOOK.COM ([fe80::7c97:a276:a7af:a379%3]) with mapi id 15.20.8356.010; Tue, 14 Jan 2025 14:24:57 +0000
Received-SPF	pass (spfCheck: domain of metalus.qc.ca designates 52.101.189.103 as permitted sender) client-ip=52.101.189.103; envelope-from=dany.ratte@metalus.qc.ca; helo=YT3PR01CU008.outbound.protection.outlook.com;
Authentication-Results	amazonses.com; spf=pass (spfCheck: domain of metalus.qc.ca designates 52.101.189.103 as permitted sender) client-ip=52.101.189.103; envelope-from=dany.ratte@metalus.qc.ca; helo=YT3PR01CU008.outbound.protection.outlook.com; dkim=pass header.i=@metalusinc.onmicrosoft.com; dmarc=pass header.from=metalus.qc.ca;
X-SES-RECEIPT	AEFBQUFBQUFBQUFHOEJJUFYzRGdUbllNKzAyd01zYktMek12RGZmK1Y4RWdUZnpzQlhZdzlWOUhhQjRzSTVubFIyOEVwMXgvUjR0aHdkbnJXYnU1S0o1RUl4emczaW5hcXpZQXdBK2d5TzBBQ0J2UWwwT1ROT0dVcWhPRVh5clErRnpicWhIYWJDdnNaQ1hnTlpYSG5XRHdLSEF3WWY2dXRjd1I4cjd0RFN6UndTWkd1M2I5V2FvUStLM2M2K252VzE5WXVieUNkRU5VSGZxemV0NGI2TkMvekZPTFhmdGFlRWsrVnN1Wkg0bTJIRzJGQkZMazBtSlpzOUVDZjlOTnZab1JRUkJjZmFMY0hjUzhpbTVtQUk2bXZUejgyck84eURQdXQwYnVpRWQ5cE1GempMdW9sMEd2eEJ2aHdQR0ZHeFVGa3g4Z3RmV3c9
X-SES-DKIM-SIGNATURE	a=rsa-sha256; q=dns/txt; b=a/HwiU/9Q2iVkMK+VNMVQNgZ01t9vohBrpXbuQcZ9wiypqc3W6NU5ySAc4Sr2RPq1dolZUhBssVJ7p8XreRo3GL7BgoFt7MBZXtANJwe0yC1GK0JaIQVjWGOUmnIqeCNcjwgBxzB5QoAvJkn4joEmTN/w5yIeZF5eIcud+UFr4U=; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1736864700; v=1; bh=t9kFyp28PrA5e3fk1kxLQvNefk4qwS57j8ftKdOH3QM=; h=From:To:Cc:Bcc:Subject:Date:Message-ID:MIME-Version:Content-Type:X-SES-RECEIPT;
ARC-Seal	i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=El0G4FvrH760NU28wmyNovNH0lU6fLgXZlbPPwNVc/uaOuoO0FW69KI8R0hZmHD0D5KU6sBL+8f7y5hhTE5ULqCFGcFh5Zulm+1RYA14JtuAFKesV057zQBN2apxleXd9TdPTnug1XsFO9xSZwsN7cwHY0bTq9BWcRTM+9TPtSjgzhKCKtAHm/z90fOvZz0Yt80pv0nTyhxMxcGVCnNhm/il+btt3tHS6lE79tzQv4wUSmrMYVrzcijhGlPbYHRp31Qa6X76y/g7+xblHVCn2EIzmCf8ROZIZ9MjQd9lnmL5KUd7aTyEB09cHzPx/WD/wr+5q3JG+B/A8Inh7+Lj5A==
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=TTvxgXKer2vt3XR3QBQ2lY0QCes2bNnZ1xyXDUZyLfw=; b=KMf9/MyQecVbmIUiF06jW3cArGeWsRNIJK4Ya8hfMpvYNPSjI4pLYXkSLhB6yzF2B+k6+eHeqN8zeSWdHRT/0Zhedyt6Ojqt8Noxo5ISfyWnEO4PywixjWE1tsujgR5qCe3iiysra8Hr1S3gIOdJ5nwRNa4Nf4TH6EOsXXJ56OTfBxpPF2vW8uE+v9nL8jjyC6lpQhfjrhROXTvw6BYMBmDBvxO6dhRoqTrrd+wAL3nR2qtwZR5B1AvBv3vzrfeztoXOdbnu97wzUXebKKMzztE/KTvTFL/E1Z01CVTQQLYFv6odgeiI9HApGnP06XsLcaKWCXXMOAJfY6sypUNuzw==
ARC-Authentication-Results	i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=metalus.qc.ca; dmarc=pass action=none header.from=metalus.qc.ca; dkim=pass header.d=metalus.qc.ca; arc=none
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=metalusinc.onmicrosoft.com; s=selector1-metalusinc-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TTvxgXKer2vt3XR3QBQ2lY0QCes2bNnZ1xyXDUZyLfw=; b=ZoXXaANQ7dGqf0efAYt1YGblpEzpD1pHwD4X0novC7z1wqRFmAs5jaBgWxnKy5Tg//d+V3eLBYOjWKVzc56M4t16vMGw8QlwFIzLt6t/3omSHU5nuf6u6/50XKIbPba10neNanV+BenNc3KdXRb0oD12P+u2rF9PBX5o3bAMYW0=
From	Dany Ratte <dany.ratte@metalus.qc.ca>
To	"c9025caf-ebfb-4a55-8a88-3cf1915dac7c@ca.phisher.knowbe4.com" <c9025caf-ebfb-4a55-8a88-3cf1915dac7c@ca.phisher.knowbe4.com>
Subject	[Phish Alert] BT154296 Rapport
Thread-Topic	[Phish Alert] BT154296 Rapport
Thread-Index	AQHbZomhBVA7VOSlu0GGLkLPjHc6OLMWUxnb
Date	Tue, 14 Jan 2025 14:24:57 +0000
Message-ID	<YT2PR01MB5902B2566F657096A055BC3AD7182@YT2PR01MB5902.CANPRD01.PROD.OUTLOOK.COM>
References	<321142741700100.1736519291.417025327682495-openerp-166767-project.task@ampv177> <213102271628307.1736861886.346633911132812-openerp-166767-project.task@ampv177> <213102271628307.1736861886.346633911132812-openerp-166767-project.task@ampv177>
In-Reply-To	<213102271628307.1736861886.346633911132812-openerp-166767-project.task@ampv177>
Accept-Language	fr-FR, en-US
Content-Language	en-US
X-MS-Has-Attach	yes
X-MS-TNEF-Correlator
authentication-results	dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=metalus.qc.ca;
x-ms-publictraffictype	Email
x-ms-traffictypediagnostic	YT2PR01MB5902:EE_\|YT2PR01MB8261:EE_
x-ms-office365-filtering-correlation-id	e2b568eb-63a8-48bd-4559-08dd34a73901
x-ms-exchange-atpmessageproperties	SA
x-ms-exchange-senderadcheck	1
x-ms-exchange-antispam-relay	0
x-microsoft-antispam	BCL:0;ARA:13230040\|69100299015\|376014\|1800799024\|366016\|8096899003\|38070700018;
x-microsoft-antispam-message-info	zKeCm3TVVekPyy24gv9kqkqwTB8j9HKUdeQso/WtTY/DNTjvTNgLVIqJ5ToucI0jhTJhoKzi3+X2sKcntCNGaR2O1I2sJtGlD/s9RobZLYvLXzrv/wg03R6xUbILys4xxxnfHQoQQ9UrQOv3gI84BPOFogeIus3lfcgcSq1imcIbk9E2IWySaEXM4AvkF8OIQ3Uo+5H98XnB43tF6K6uNPPSsT3RyVmYq9Uiu/ZIcAvChvyoDXJlaowhMOpap5M96LBD17toqcWbbcohi2G2EqFJR5kTR8lxher63jGnNihC7bHT9VxQszm8b9i9+6JbPBuZqgWcSFzekBVb5xT1aBRH6l4Xsnb0QGnP8YDrVdkOHSRTcXdtyiFIC3+RI1r8itHNp7p1Wi3j9W30uQUCDNyR66afCcnTlkDPKb0DSQYSGC+JCmoY4bHIygOWWq2558kdSMd3BBzzXJgshw3iaCL5MbDNbhsne1LOARZ+bJ8QguM8XFFdpLNA77Kj94NACuzfhfexxPxhAxO13ayyqxE94ZCvwnNZrMwlVKoUvBZP1k7vdAYe7tQoCQoZJhPLzb6On4HvoPsmBvAtYcwloD2cISzRJT0hFQJr8NxI9YegEP650QWZvmFrf2v+p7mrS3bq01bLBvEEiQiI3fJtmpIQdL3+5n5wtq2IUUqQSXl3lyjd4GxMPgwnJo/7030H7L/g0mkpFXJ2zymu4goR8/Qe3QWZQVy4rv2WGj4u4Daz6LCZOxTFqcX1Mr6lTkcFr/bxgLnvfc+oNINfwZfSy22vnTZPOO6J/4J/UrF6G+nDv0cKtG8JquITkzYv9F05Li7BLfA1ZedDQv6kH20GWOAG1a65PBG928K4V+q5yM1ZqLbSicAwvvN0ZaRKYVnWHG6TecY7CzZPxPIV6cTPoZ41EvYG7ZcULKDrXzotDr+5eYKYpcpVdeIdspcx1SNJbaZ+x8TCFn6m+KWm3QWC48yQy1Ra1ekj1GQ6IeQ/EA2F9roPiksoSrp2tNsIWBuzl/c4JfekjzU0g3oKIYZlhMQr4AHYCPHQJPuwq3cI5nCsw5PZextfF/9FwuvABkfZVwYMvfWgqN5XYT8y/3HuWk7dUg2DpyOBQkdhtn7TUTGs3JpgBIDt/423Ojd7XbjmlMg48u5xD7Zpf6L0gPOxvyjQ6etbS+ogEI6apcekSxiTw4YS03ELk6DSiR3XR7E3AA6G1ChHR24YoFvDH6RtiObZAcY+gzdgJOq3v1GWvrAvdm4PtPXpoKepGiVifqzcnZf930GRupPLFa4I6R3G061DdX9sRb8GGt9Xwn3Wq5x9j7VBG2Iy8/pZaoz9E2cs
x-forefront-antispam-report	CIP:255.255.255.255;CTRY:;LANG:fr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:YT2PR01MB5902.CANPRD01.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(69100299015)(376014)(1800799024)(366016)(8096899003)(38070700018);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount	1
x-ms-exchange-antispam-messagedata-0	RiZCk2rOMJ5lZnrVs1WFZ46BrmJGRgEu1bktH0qMGcH78JDthdHr48LsO8/0uETCpvvxep4Da8FvQUxp9RSr/9z5jY+CPiReA9cb1o6Ej8ujOML4tQZyLnggedkJt+DXOAZWUsML7ZwNVlfkzVVCQZ6jJ7w9GRl5QlqK8MlFUQslvDWokIXlYc54arbfd+FE4X34MXR7TIoC5PiV6UkUC0B0DT9t3pAfIgUVrP5XLHONEctN5ZgtIXGDTDm9Zs3XfTExrSDuO1DSFBecgqzO7FjIk8CVHbYEJOGs71MvfpaW8y92ZFvvY8hGW18ODS09dz5eT1Fezdt0WDL4oc8k8Cdu9PJhn8gdrz07o2d6fvHRUf/HQUYqN4UHubAis5MVg/eppW5DjTB+UtwYJ3vPwYmY0yLhyeocbWETTzHfjZQQ4czTf67kIgwUjxyWXc9d3tIlfCqMFZjKFR01Wr3FCDxy5kQjrLtCQ4h8ERzQAPh1H2O4MTDA9aljySA3SkRU1GknpX4cReBLMs9uwmvZTxUbFLCsZU6F7OvCyURk9iJjzxdr6lNDFAWvNDns3HdMzWZS4pgnR8fUD4vkleZRBkPdO8DfHb2MwL83mHFtF5j6Sq8CrIHoNIhkzuDlenmX34QioFiA3nVsQaYmgs/MdNFCig2/IBlmK+GFmwu53Wwp72q3PxN2I3Z0avpEXJ7F9nBM16ZBOSLxqlfh4yHPp/ME8ur0jzrMXASWHk5U/Z0vlP81RlLphphz+OW0PHAWucK+BXvIJ29aFoSrN+ar+u1bZWfm+hXphAsvvNmhT76yz7WPTgIEliPAoQx9ImoMGhX9No5+4lNWNBTYa0+qL53gGoxw6DmgGMPZLFrsGh0QjNfhtXJx1nzOR4aolRFXMRPtCYWUdP10ktlTw7h71XWZaal9lv85jMqipVWx/aPfLDkHR0haFYUAjsW/cunq17VwKSTIx6Mf6qX9sEk5RA2DZLqG9za1GuZpWvbE4wpIXmAN1EPizWX8BreW9YUOm9k2yc7MZIyyE8E0+LRKkvApqccqdF8H39FeyBjcyQBreZR9Dg53Gj65KtZ/AfK2JAVb7qegAKoLqe+RCd6JUPQ9Dzn8BLFQ4RV818T2lyo8PpZgcUeiv4ZJSjG379xy3HLbnmb7pZUAx4r/cSMFpipsWzDMaWSEkGEGXZzTZnv9ZbDahnyKXXopiBd5QNFvwH3zCxBONX9GSqw1A7nov8C4T/TBU/foBUbMpb35YnVo0DLDvqs6wsFeDS61DQBN70DUh0Krbwdu+lyJxV66OX0e5o2VfS3FeA8NQxc9tfjERv4Jp3IOaqY+DqGpG/rciLL+1uSpatyhr/WVg674nftOQB2maf6fsrXP7A6DQ4NAnsJWw671tVRPjY0DpbNxgeVFWAiDrfe/QI6oXVQQ6hLFObuof/EDk/w1cJ823TRI3oK0c59F6opVZcTtipNvspsBSH34phlOdPKuBF9bGzzWQxhv5Pg30LMHGWtxxNxuJI4v2sRikY0Kex/j1H5Butw3WtrPDPS8yMltp7s+DQekVsKA/CVMn2J7VCWQqs+R/F0nMB1J9tZtREKKbEHY
Content-Type	multipart/mixed; boundary="_005_YT2PR01MB5902B2566F657096A055BC3AD7182YT2PR01MB5902CANP_"
MIME-Version	1.0
X-OriginatorOrg	metalus.qc.ca
X-MS-Exchange-CrossTenant-AuthAs	Internal
X-MS-Exchange-CrossTenant-AuthSource	YT2PR01MB5902.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id	e2b568eb-63a8-48bd-4559-08dd34a73901
X-MS-Exchange-CrossTenant-originalarrivaltime	14 Jan 2025 14:24:57.6486 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader	Hosted
X-MS-Exchange-CrossTenant-id	4f85cc14-eaa8-4e0b-8291-93aab6969f78
X-MS-Exchange-CrossTenant-mailboxtype	HOSTED
X-MS-Exchange-CrossTenant-userprincipalname	J+sxeTeNY4LpToO6eFGPQYdgqL+S0PDgIu9QPdBFa7nDqZIWO5itjefT4ynlUe8lt8oZdHgjBjx3367P/jCyH2k7DSv5vhVcSKDaNf2bC2k=
X-MS-Exchange-Transport-CrossTenantHeadersStamped	YT2PR01MB8261

File Icon


Icon Hash:	36f4b282a2a28082

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report original.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

LLM Input / Output

Created / dropped Files

Static File Info

General

Static Mail

General

Headers

File Icon

Windows Analysis Report
original.eml