Edit tour

Windows Analysis Report
FW_ _EXTERNAL_ Important Reminder____Contract Agreement Pending disclosure 2330385.msg

Overview

General Information

Sample name:	FW_ _EXTERNAL_ Important Reminder____Contract Agreement Pending disclosure 2330385.msg
Analysis ID:	1643099
MD5:	56d3b3629b4832359e037343db7c16a7
SHA1:	bc68b67bc3ab343c2d60a69144b8574cc1ba5a2b
SHA256:	33dcf5a38c54b95371819e309ed4d2e996b982c707c1b90fb3c494810c01f848
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

AI detected suspicious elements in Email content

Creates files inside the system directory

Deletes files inside the Windows folder

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores large binary data to the registry

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 3248 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW_ _EXTERNAL_ Important Reminder____Contract Agreement Pending disclosure 2330385.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 1216 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "89F47284-3158-45B5-9676-9B9280F7E0A3" "32085137-F992-437B-82A8-3D7AC008157F" "3248" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 5892 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhughes.na1.adobesign.com%2Fpublic%2FviewAgreement%3Ftsid%3DCBFCIBAACBSCTBABDUAAABACAABAAKDp200Gp3NXQX63PgZK6x0gyb7vhipc_T7OGd4psoq8FGPBn45I5ANAoDkcCgCbNDNQxkYjK7JUOCze4FtNsdUkiBfQ5Jy6OtYZd9Zh2wL9yerblPQtcVEj4aKCUq65L%26&data=05%7C02%7Cjperez%40olgoonik.com%7Ce7f909c527ef4ce4f7a708dd66e83d10%7C341c5aad39be47a3901e146d297ecd80%7C0%7C0%7C638779869828653911%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=mWcv3IuKcU%2Fx3Nm6%2BHKEwDITkRU2MB6tleU2hYZx%2B7M%3D&reserved=0 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3808 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --subproc-heap-profiling --field-trial-handle=2060,i,15369932657491829457,17244718480380725638,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2092 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 3248, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Phishing
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Phishing

AI detected landing page (webpage, office document or email)

Source: Email

Joe Sandbox AI: Email contains prominent button: 'open agreement'

AI detected suspicious elements in Email content

Source: Email

Joe Sandbox AI: Detected potential phishing email: The email contains suspicious Adobe Sign links that attempt to appear legitimate but are likely phishing. The sender 'Steve Bass' from 'itresults.com' is not affiliated with Adobe but tries to impersonate Adobe Sign services. The email creates urgency around a contract agreement while being vague about details, a common phishing tactic

Source: Email

Classification: Credential Stealer

Source: unknown

HTTPS traffic detected: 104.47.73.28:443 -> 192.168.2.16:49713 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 24MB later: 33MB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /?url=https%3A%2F%2Fhughes.na1.adobesign.com%2Fpublic%2FviewAgreement%3Ftsid%3DCBFCIBAACBSCTBABDUAAABACAABAAKDp200Gp3NXQX63PgZK6x0gyb7vhipc_T7OGd4psoq8FGPBn45I5ANAoDkcCgCbNDNQxkYjK7JUOCze4FtNsdUkiBfQ5Jy6OtYZd9Zh2wL9yerblPQtcVEj4aKCUq65L%26&data=05%7C02%7Cjperez%40olgoonik.com%7Ce7f909c527ef4ce4f7a708dd66e83d10%7C341c5aad39be47a3901e146d297ecd80%7C0%7C0%7C638779869828653911%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=mWcv3IuKcU%2Fx3Nm6%2BHKEwDITkRU2MB6tleU2hYZx%2B7M%3D&reserved=0 HTTP/1.1Host: nam04.safelinks.protection.outlook.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic

DNS traffic detected: DNS query: nam04.safelinks.protection.outlook.com

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 104.47.73.28:443 -> 192.168.2.16:49713 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir5892_1916583468

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir5892_1916583468

Source: classification engine

Classification label: mal48.winMSG@23/8@2/195