
Windows Analysis Report
Overdue Invoice 93589 (672Ko).msg

Overview

General Information

Sample name:Overdue Invoice 93589 (672Ko).msg
Analysis ID:1648069
MD5:b6305a17be0e2b1f02d268db124f0df9
SHA1:c4d9a4de8118374717c4625de2cc95b9f56ab32c
SHA256:b787100fa1d9e1a1f05260654118cbeabaf900951709e859dbb6bfb1b4573348
Infos:

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

  • System is w10x64
  • OUTLOOK.EXE (PID: 8016 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Overdue Invoice 93589 (672Ko).msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 5452 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "7B2AFB87-71B1-403D-8874-3F4F0C64D185" "6542CA54-3297-43D8-9107-AABE7B6D5483" "8016" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Sigma rule author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 8016, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched


Phishing

Source: Email; Joe Sandbox AI: Detected potential phishing email: Sender domain 'deeepfast.com' does not match the claimed company 'chantiers-atlantique.com'. Email contains mismatched and suspicious email addresses in signature (different from sender). Generic urgency-based subject and content about overdue invoice is a common phishing tactic
Source: Email; Joe Sandbox AI: Detected suspicious elements in Email header: Email claims to originate from localhost (127.0.0.1), which is highly suspicious for legitimate external email. Message-ID domain 'deeepfast.com' appears suspicious with intentional misspelling. Minimal headers present, suggesting possible header manipulation or stripping. SCL score of -1 is unusual and could indicate bypass attempts. Local sending IP (127.0.0.1) suggests potential internal system compromise or malicious script
Source: Email; Classification: Invoice Scam
Source: Overdue Invoice 93589 (672Ko).msg; String found in binary or memory: https://antiphishing.vadesecure.com/v4?f=NFZ1OXFVNUpJaXhxbWN3aw79TqTxGVr5HS_rj8xy-Dtt3WuOYgiNsT7kSrC
Source: OUTLOOK_16_0_16827_20130-20250325T0926080442-8016.etl.1.dr; String found in binary or memory: https://login.windows.locale.OR
Source: OUTLOOK_16_0_16827_20130-20250325T0926080442-8016.etl.1.dr; String found in binary or memory: https://login.windows.localm
Source: OUTLOOK_16_0_16827_20130-20250325T0926080442-8016.etl.1.dr; String found in binary or memory: https://login.windows.localnull
Source: OUTLOOK_16_0_16827_20130-20250325T0926080442-8016.etl.1.dr; String found in binary or memory: https://login.windows.localnullffi
Source: classification engine; Classification label: mal48.winMSG@3/4@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250325T0926080442-8016.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Overdue Invoice 93589 (672Ko).msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "7B2AFB87-71B1-403D-8874-3F4F0C64D185" "6542CA54-3297-43D8-9107-AABE7B6D5483" "8016" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX (53 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation11
Browser Extensions
1
Process Injection
1
Masquerading
OS Credential Dumping1
Process Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading
1
DLL Side-Loading
1
Modify Registry
LSASS Memory12
System Information Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection
Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading
NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Behavior Graph (the rendered graph is not preserved; nodes and edges below are recovered from its text)

Behavior Graph ID: 1648069
Sample: Overdue Invoice 93589 (672Ko).msg
Startdate: 25/03/2025
Architecture: WINDOWS
Score: 48

  • Start -> signature: AI detected suspicious elements in Email header
  • Start -> signature: AI detected suspicious elements in Email content
  • Start -> process OUTLOOK.EXE (started; graph node counters 124 and 57, which the graph legend labels as number of created registry values and number of created files)
  • OUTLOOK.EXE -> dropped file: C:\...\~Outlook Data File - NoEmail.pst.tmp (data)
  • OUTLOOK.EXE -> dropped file: C:\Users\...\Outlook Data File - NoEmail.pst (Microsoft)
  • OUTLOOK.EXE -> process ai.exe (started)

No Antivirus matches
Source | Detection | Scanner | Label
https://antiphishing.vadesecure.com/v4?f=NFZ1OXFVNUpJaXhxbWN3aw79TqTxGVr5HS_rj8xy-Dtt3WuOYgiNsT7kSrC | 0% | Avira URL Cloud | safe
https://login.windows.localnullffi | 0% | Avira URL Cloud | safe
https://login.windows.locale.OR | 0% | Avira URL Cloud | safe
https://login.windows.localm | 0% | Avira URL Cloud | safe
https://login.windows.localnull | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | (none) | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://login.windows.localnull | OUTLOOK_16_0_16827_20130-20250325T0926080442-8016.etl.1.dr | false | Avira URL Cloud: safe | unknown
    https://login.windows.locale.OR | OUTLOOK_16_0_16827_20130-20250325T0926080442-8016.etl.1.dr | false | Avira URL Cloud: safe | unknown
    https://antiphishing.vadesecure.com/v4?f=NFZ1OXFVNUpJaXhxbWN3aw79TqTxGVr5HS_rj8xy-Dtt3WuOYgiNsT7kSrC | Overdue Invoice 93589 (672Ko).msg | false | Avira URL Cloud: safe | unknown
    https://login.windows.localnullffi | OUTLOOK_16_0_16827_20130-20250325T0926080442-8016.etl.1.dr | false | Avira URL Cloud: safe | unknown
    https://login.windows.localm | OUTLOOK_16_0_16827_20130-20250325T0926080442-8016.etl.1.dr | false | Avira URL Cloud: safe | unknown
    No contacted IP infos
    Joe Sandbox version:42.0.0 Malachite
    Analysis ID:1648069
    Start date and time:2025-03-25 14:24:58 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 28s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:18
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:Overdue Invoice 93589 (672Ko).msg
    Detection:MAL
    Classification:mal48.winMSG@3/4@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .msg
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 52.109.6.53, 20.189.173.26, 184.31.69.3, 20.12.23.50, 52.123.128.14, 20.109.210.53
    • Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, onedscolprdwus19.westus.cloudapp.azure.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, dual-s-0005-office.config.skype.com, ocsp.digicert.com, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, eus2-azsc-config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net
    • Not all processes were analyzed; the report is missing behavior information
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    No simulations
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    s-0005.dual-s-msedge.net | suspectTelling clean needful (78.2 KB).msg | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 52.123.129.14
    s-0005.dual-s-msedge.net | https://1drv.ms/o/c/8fc032da5fada757/EgEHU26Ga4FAl_1Su2lfpkUBqQItqpp0mP4_5cipPDmMcg?e=PyJVMi | malicious | Unknown | 52.123.129.14
    s-0005.dual-s-msedge.net | ProLab TT COPY for Proforma Invoice PLDS24344.docx | malicious | Unknown | 52.123.128.14
    s-0005.dual-s-msedge.net | quotation_1.xlsx | malicious | Unknown | 52.123.128.14
    s-0005.dual-s-msedge.net | Untitled_20250325.docx.doc | malicious | Unknown | 52.123.129.14
    s-0005.dual-s-msedge.net | Sales Contract_1.docx | malicious | Unknown | 52.123.128.14
    s-0005.dual-s-msedge.net | ProLab TT COPY for Proforma Invoice PLDS24344.docx | malicious | Unknown | 52.123.129.14
    s-0005.dual-s-msedge.net | quotation_1.xlsx | malicious | Unknown | 52.123.129.14
    s-0005.dual-s-msedge.net | Untitled_20250325.docx.doc | malicious | Unknown | 52.123.128.14
    s-0005.dual-s-msedge.net | Sales Contract_1.docx | malicious | Unknown | 52.123.128.14
    No context
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):118784
    Entropy (8bit):4.702930009612555
    Encrypted:false
    SSDEEP:768:ZAeEof6VWn0NpgxmE+4PN9a0+/PXoTWnWHVdmJMPFTcAmd4MUAXSuXrJpZk4:vYpeU4PN9a0NHTcAmdEAXSuXra4
    MD5:EED94A5124B70788E18D1A017C7E6703
    SHA1:A4D4E7A15506391ECFB70E8168A673C017776A9F
    SHA-256:48D09A6DA12BC81074D30F65B015DE8B64BF191FCAFEB2B295E99B834B676832
    SHA-512:8AB62F1F10F1AE5A18F6E445B89D647813435CBFE7C6DB70764B5685D0B01B7911829104AE28A9B7ECEB57015BA1F178711C4A4AB33085A8E12F7D5A863A553B
    Malicious:false
    Reputation:low
    Preview:............................................................................b...T...P......w....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................=..............w............v.2._.O.U.T.L.O.O.K.:.1.f.5.0.:.3.d.7.1.d.0.a.6.9.c.b.a.4.6.a.0.a.5.a.8.9.3.6.3.d.3.7.b.8.5.e.6...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.3.2.5.T.0.9.2.6.0.8.0.4.4.2.-.8.0.1.6...e.t.l.............P.P.T...P...Kx.w....................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):163840
    Entropy (8bit):0.31355869872046715
    Encrypted:false
    SSDEEP:192:epZNayCYHeoQso93jmp5ArIMPWNgz0XHWQOAIAbAn/:oZYOHyZ9wArIY5z0XHOAIM
    MD5:D4D70EA2CA91C20A21C8AC7215E07942
    SHA1:8BCD865AE087D09241B7C2E3E6347427EEA347B0
    SHA-256:858D75986B2EE799DE9CB865CDFD4951C5F746342778A506911593169A8EC2CE
    SHA-512:3DCEB5636C1577B25F9A440D33653A8664C84B096CC108D9B0E249E0AB7DFDBD5783E9069269EFBC6BC2C341298C7FFA6A5B642D91E719A9F2965945B2F24080
    Malicious:false
    Reputation:low
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Microsoft Outlook email folder (>=2003)
    Category:dropped
    Size (bytes):271360
    Entropy (8bit):1.333489141495998
    Encrypted:false
    SSDEEP:1536:IvtgcmTLU8gAOhRRUMf2U8cXQ8cXGDM6fkeNZ:AAMfv1fpf
    MD5:1FB9DC628B24B5DB0E03C35CAC12BFFD
    SHA1:80ECB7C2B1917B686CA44DF23EEDB6EC14989897
    SHA-256:A2B031BC42AAD430EDEEDFE8189685E9BBBA7C1E6C34A0EC44476956090968BB
    SHA-512:0565AB758D57127A33BE26C2502331C9F3A38CD44B5D8DD40D45089F97536A0D94C06D3F67495BCAA0D49786277A4C7FC88B13439347C968C8B9AAB9E9902C46
    Malicious:true
    Reputation:low
    Preview:!BDN....SM......\...............4.......W................@...........@...@...................................@...........................................................................$.......D.......L..............2........|....../........p...........................................................................................................................................................................................................................................................................................2.Z........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.8400699692551074
    Encrypted:false
    SSDEEP:192:89xUhVtQF32W8cXWAhRjdCZNftoOL6uyeg47IYi1R434wMrNz:MeeF3n8cXWAhRjdCZNfWIVg47a1RYMr
    MD5:34C218AD66830D0D767570619CD7B40D
    SHA1:69A3A1644E0429D688CC82109ED98AC021919F29
    SHA-256:567EB22489066B57FE5692C254CCCFB6363DFC5B8D9442207682FF0DA1D22728
    SHA-512:0EF340BDA6EC19939DF3E5908E33AFECAE359C51E24A966BE56B9FC7E7C7F8661A8390F6AE82B6615DC16934E8E0B067AE5D92671AB954515C89C773608217C8
    Malicious:true
    Reputation:low
    Preview:.pE.C...s.......P...7.lu......................#.!BDN....SM......\...............4.......W................@...........@...@...................................@...........................................................................$.......D.......L..............2........|....../........p...........................................................................................................................................................................................................................................................................................2.Z....7.lu.........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
    File type:CDFV2 Microsoft Outlook Message
    Entropy (8bit):4.404579119943127
    TrID:
    • Outlook Message (71009/1) 58.92%
    • Outlook Form Template (41509/1) 34.44%
    • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
    File name:Overdue Invoice 93589 (672Ko).msg
    File size:27'136 bytes
    MD5:b6305a17be0e2b1f02d268db124f0df9
    SHA1:c4d9a4de8118374717c4625de2cc95b9f56ab32c
    SHA256:b787100fa1d9e1a1f05260654118cbeabaf900951709e859dbb6bfb1b4573348
    SHA512:a2ea5864ec3390113475849d06a97357f1fc219c1b97171f37dda0d5ffb2bf738d449ffa300538e490ddfc427258104826f14f291eb6881d717f12cebd535e0a
    SSDEEP:384:cRy7+h9pD7f4s2T9hqRl9NX6jPN15k63i5y+/k0i5:YwcTDENT9hqRl9NX6jPNXri5y+E5
    TLSH:E2C2D02536ED4615F2BBAF351DF1809789367C82ED34C78F3281735E09B1980A9B1B2B
    File Content Preview:........................>......................................................................................................................................................................................................................................
    Subject:Overdue Invoice 93589
    From:Account Receivable <admin@deeepfast.com>
    To:"Regnault; Xavier" <Xavier.Regnault@chantiers-atlantique.com>
    Cc:
    BCC:
    Date:Tue, 25 Mar 2025 12:55:30 +0100
    Communications:
    • AVERTISSEMENT: Cet e-mail provient de l'extérieur de l'organisation. Ne cliquez pas sur des liens ou n'ouvrez pas de pièces jointes à moins de reconnaître l'expéditeur et de savoir que le contenu est sûr. <https://antiphishing.vadesecure.com/v4?f=NFZ1OXFVNUpJaXhxbWN3aw79TqTxGVr5HS_rj8xy-Dtt3WuOYgiNsT7kSrCL4neS&i=dnZZY1BRdGVud2p5a3J2MkXgKVQslibyjliaROaA9Kc&k=ylKZ&r=eVhRazAzQWpzQlVhVVRabfl7Btopt7tCs6Jhtvvo_JQliQyVoVTnThNthFfLLOv7XziSix9lmqfR7qqdZtpsOw&s=427052c2cb55a4ea4f9c70929c499bda58414514c5d12af8c66341946b20b817&u=https%3A%2F%2Fzmk5ybt5uw.us-east-1.awsapprunner.com%2F%23Xavier.Regnault%40chantiers-atlantique.com> Hello, Find attached over due invoice, This invoice has been long overdue, Please can you review and confirm a payment date. Thanks. Account receivable Email: Xavier.Regnault@chantiers-atlantique.com <mailto:florence.michoux@ulmann.com> Website: chantiers-atlantique.com Disclaimer: This email has been scanned for viruses and malware, and may have been automatically archived by a leader in email security and cyber resilience. integrates email defenses with brand protection, security awareness training, web security, compliance and other essential capabilities. helps protect large and small organizations from malicious activity, human error and technology failure; and to lead the movement toward building a more resilient world. To find out more, visit our website.
    Attachments:
    • overdue invoice.png
    Key | Value
    Received | from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon)
    (continued) | 14.3.498.0; Tue, 25 Mar 2025 12:55:33 +0100
    (continued) | <Xavier.Regnault@chantiers-atlantique.com>; Tue, 25 Mar 2025 12:55:33 +0100
    (continued) | Tue, 25 Mar 2025 11:55:30 +0000 (UTC)
    From | Account Receivable <admin@deeepfast.com>
    To | "Regnault, Xavier" <Xavier.Regnault@chantiers-atlantique.com>
    Subject | Overdue Invoice 93589
    Thread-Topic | Overdue Invoice 93589
    Thread-Index | AQHbnXzQ3XYgih1BIEqnNhRUr/Oeuw==
    Date | Tue, 25 Mar 2025 12:55:30 +0100
    Message-ID | <25302025035512BB8D6B302B$0DFB2051D7@deeepfast.com>
    Reply-To | "erolsinian@gmail.com" <erolsinian@gmail.com>
    Content-Language | fr-FR
    X-MS-Exchange-Organization-AuthAs | Anonymous
    X-MS-Exchange-Organization-AuthSource | l0-cashub01.casn.net
    X-MS-Has-Attach | yes
    X-MS-Exchange-Organization-SCL | -1
    X-MS-TNEF-Correlator | (empty)
    Content-Type | multipart/related;
    MIME-Version | 1.0
    date | Tue, 25 Mar 2025 12:55:30 +0100

    Icon Hash:c4e1928eacb280a2
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Mar 25, 2025 14:26:22.357404947 CET | 1.1.1.1 | 192.168.2.4 | 0x56ea | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
    Mar 25, 2025 14:26:22.357404947 CET | 1.1.1.1 | 192.168.2.4 | 0x56ea | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
    Mar 25, 2025 14:26:22.357404947 CET | 1.1.1.1 | 192.168.2.4 | 0x56ea | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false

    Target ID:1
    Start time:09:26:04
    Start date:25/03/2025
    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    Wow64 process (32bit):true
    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Overdue Invoice 93589 (672Ko).msg"
    Imagebase:0x740000
    File size:34'446'744 bytes
    MD5 hash:91A5292942864110ED734005B7E005C0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:14
    Start time:09:26:22
    Start date:25/03/2025
    Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
    Wow64 process (32bit):false
    Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "7B2AFB87-71B1-403D-8874-3F4F0C64D185" "6542CA54-3297-43D8-9107-AABE7B6D5483" "8016" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Imagebase:0x7ff676ec0000
    File size:710'048 bytes
    MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    No disassembly