Edit tour

Windows Analysis Report
FW EXTERNALSupplier Diversity Survey.msg

Overview

General Information

Sample name:	FW EXTERNALSupplier Diversity Survey.msg
Analysis ID:	1674501
MD5:	0d8581c436789ef4398bd5ad92868c60
SHA1:	0e93ee8524a5cdaa30f43b59dc4a2feb78608033
SHA256:	80942102dfb74d5b4ba4602dfb25eab4634c9687ddf94cee94ac2492fe1555c8
Infos:

Detection

Score:	2
Range:	0 - 100
Confidence:	80%

Signatures

Contains capabilities to detect virtual machines

Queries the volume information (name, serial number etc) of a device

Sigma detected: Execution of Suspicious File Type Extension

Spawns drivers

Stores large binary data to the registry

Classification

Process Tree

System is w11x64_office

OUTLOOK.EXE (PID: 5960 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW EXTERNALSupplier Diversity Survey.msg" MD5: 7F59D020035411A4BCF731A8320581A4)

ai.exe (PID: 5468 cmdline: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe" "A29AB4A9-4597-41D1-8811-E477A67872A9" "68BFB2AD-F7F2-4D66-A589-774346D8BEB9" "5960" "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: 0ED71A2D20424DC7942E810F359DA066)

rassstp.sys (PID: 4 cmdline: MD5: 6931A955F0697B3A675E3F1B1B058D96)

ndproxy.sys (PID: 4 cmdline: MD5: 8236B9B87FCB51A225A5B69A23C6DCBA)

agilevpn.sys (PID: 4 cmdline: MD5: 9470BBB777C18559249CB627755AE05A)

rasl2tp.sys (PID: 4 cmdline: MD5: 31026F5886DD4B3507C26173933722BE)

raspptp.sys (PID: 4 cmdline: MD5: DD210C0462E41139AA1E06AE8C82C6BA)

raspppoe.sys (PID: 4 cmdline: MD5: A664DB4B37AB3904F14242E7882469FB)

ndistapi.sys (PID: 4 cmdline: MD5: F2EB1438623A09E1659E5B5706D15B38)

ndiswan.sys (PID: 4 cmdline: MD5: E63671FE12F81F56D79B1CC58305AD64)

cleanup

Sigma Signatures

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rassstp.sys, NewProcessName: C:\Windows\System32\drivers\rassstp.sys, OriginalFileName: C:\Windows\System32\drivers\rassstp.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rassstp.sys

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5960, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\AdobeAcroOutlook.SendAsLink\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: assets.msn.com

Source: unknown

Driver loaded: C:\Windows\System32\drivers\rassstp.sys

Source: classification engine

Classification label: clean2.winMSG@3/5@1/77

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_18129_20158-20250425T1712390378-5960.etl

Source: FW EXTERNALSupplier Diversity Survey.msg

Joe Sandbox Cloud Basic: Detection: clean Score: 1 Threat Name: Analyzer: w10x64_ra

Perma Link

Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW EXTERNALSupplier Diversity Survey.msg"
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe" "A29AB4A9-4597-41D1-8811-E477A67872A9" "68BFB2AD-F7F2-4D66-A589-774346D8BEB9" "5960" "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe" "A29AB4A9-4597-41D1-8811-E477A67872A9" "68BFB2AD-F7F2-4D66-A589-774346D8BEB9" "5960" "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"

Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: version.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Section loaded: profapi.dll

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Windows\System32\drivers\rasl2tp.sys

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0004 name: DriverDesc

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\System32 FullSizeInformation

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe

Queries volume information: C:\Program Files\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	1 Modify Registry	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Name	IP	Active	Malicious	Reputation
a726.dscd.akamai.net	23.209.84.19	true	false	high
s-0005.dual-s-msedge.net	52.123.129.14	true	false	high
a233.dscd.akamai.net	23.209.84.48	true	false	high
assets.msn.com	unknown	unknown	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.109.2.121	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.209.84.19	a726.dscd.akamai.net	United States	16625	AKAMAI-ASUS	false
23.209.84.42	unknown	United States	16625	AKAMAI-ASUS	false
52.123.129.14	s-0005.dual-s-msedge.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.209.84.68	unknown	United States	16625	AKAMAI-ASUS	false
52.109.20.39	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.79.150.121	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1674501
Start date and time:	2025-04-25 23:09:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	8
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	FW EXTERNALSupplier Diversity Survey.msg
Detection:	CLEAN
Classification:	clean2.winMSG@3/5@1/77
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe
Excluded IPs from analysis (whitelisted): 104.18.38.233, 172.64.149.23
Excluded domains from analysis (whitelisted): crt.comodoca.com.cdn.cloudflare.net, crt.comodoca.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_18129_20158-20250425T1712390378-5960.etl

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	94208
Entropy (8bit):	4.461361871578457
Encrypted:	false
SSDEEP:
MD5:	A7C68CEAD50A786CD9927505AADB3809
SHA1:	F33F7DA32B3E8A7D8FDA63BA135DB2B0A94D4FFF
SHA-256:	7BE7F0E255767C426C66DA9643018F1677297672868391396FEF0ED044CB0F4C
SHA-512:	5E0617AF18F1473C261C18742457ECDBC2CA70B0BAA4302658DDF554774E000753A92E33EE4D837CB86A6F8C710FF272ADF87E4153497C3F68BA0F3E704A3A83
Malicious:	false
Reputation:	unknown
Preview:	............................................................................j...X...H....L..&...................gX..............Zb..2...........................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................X?<............L..&...........v.2._.O.U.T.L.O.O.K.:.1.7.4.8.:.b.8.0.e.8.3.6.3.e.9.a.5.4.d.7.b.b.b.f.4.9.0.3.f.c.a.7.4.3.2.f.9...C.:.\.U.s.e.r.s.\.M.e.r.c.y.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.8.1.2.9._.2.0.1.5.8.-.2.0.2.5.0.4.2.5.T.1.7.1.2.3.9.0.3.7.8.-.5.9.6.0...e.t.l.............P.P.X...H.......&...........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\prep___Program Files_Microsoft Office_root_Office16_AugLoop_bundle_js_V8_perf.cache

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	629547
Entropy (8bit):	5.833058678937655
Encrypted:	false
SSDEEP:
MD5:	6F7D007024115C98375DEDEFDA1174F9
SHA1:	182641DF8A89E92145D16C41376AEC8B722245ED
SHA-256:	CE1296843C31FB96CDDDC85CDF492F0D0E703E68648EFB0E8219C5C4254E5474
SHA-512:	33B5BEE42F10FD03EA8608BF595F95467540F65E2F82E783B54F795B3CFB53E95EFC23F18DA55EDCDD9F977B877DBB0E05356A9A1DEAB0105F9CD060DD329746
Malicious:	false
Reputation:	unknown
Preview:	RNWPREP.....&.0.[.X................*.......#...G.Qagp........&........q...[ d..w.w............,T.0..`......L`.....,T...`bw.....L`.....a.Sb.................c.@........... ...D..Rb...2....ey..`.....D..Rb........MM..`l.....Rb.@......zk..`......Rb.@R.....bk..`P.....Rb".iS....el..`......Rb"@.j....hp..`.....D..Rb..sS....es..`.....D..Rb:@@.....Hb..`......D..Rbn@......Cv..`v.....Rbn@.}....Yd..`&....D..Rbz.(.....UT..`......Rbz.\.....Zo..`.....D..Rb.@u.....TT..`.....D..Rb..p.....Hx..`.....D..Rb........Pi..`z....D..Rb........Ch..`.....D..Rb.......O_..`p.....Rb........xv..`.....D..Rb..[p....Ql..`:....D..Rb.......ZA..`T....D..Rb.@......At..`......Rb...^....Yk..`.....D..Rb........Wu..`2....D..Rb........wy..`......Rb...k....Sm..`@....D..Rb...@....us..`j.....Rb........Ln..`6....D..Rb".......AC..`.....D..Rb..c.....Vk..`.....D..Rb6.......IM..`<....D..RbN..6....Ti..`&....D..Rbj.q.....Gy..`......RbjA......XC..`J....D..RbzA......fn..`......Rbz..h....Bd..`......Rb.Am.....Uh..`.....D..Rb.......xC..`..

C:\Users\user\AppData\Local\Temp\~DF04517C3A8C3BCC52.TMP

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.44645027159794837
Encrypted:	false
SSDEEP:
MD5:	ACD926BA74DB9A6A5409BC9F811FCCD7
SHA1:	ECB61A8B97F46DAE64DF5B75C06F89F73916588B
SHA-256:	4E354F33172997F04ED67A9CFBD18AD566D53FC8921D06C5917537A006209269
SHA-512:	5BA83AA99E73F82C9E29312DE7ED2D334F23DA5C0CCD92E23EA4B471D9449447160ED20952E3D02C51712D3576E659834535F51B1EB7655800BB33401861FFF7
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	1.453731983138275
Encrypted:	false
SSDEEP:
MD5:	77EC95C361B515E8D356FF33CEBA5876
SHA1:	E1FBC8A72CC73881EA285D9EA7410F6BF0D2F89F
SHA-256:	D47AFEDE6D394079DE0EBFD6AEE2C0231A3DCA83640CB667DC0843075F6B14C1
SHA-512:	53AF8B1ECFA7AA802F8F26B2B872F420F14C910DE1A033EA6573B23C1BA87D9DF1D38D9005506FEE4063DD6FDAE2D63327906FCFC2C559B4F83DDE2D906EC4C9
Malicious:	false
Reputation:	unknown
Preview:	!BDN.\.DSM......x....[........../.......[................@...........@...@...................................@...........................................................................$.......D.......?..............................+...........................................................................................................................................................................................................................................................................................x.........C..C......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.8017463438517805
Encrypted:	false
SSDEEP:
MD5:	AE058357C74A05EBD437B9D2D44CAA92
SHA1:	43C0BBC9B912AFC81A7034FE3C2340123082B423
SHA-256:	200F8E03BDACF863A057AD15824FB6B5D94D3C8B5D05E9DBAB9C0AAFDF058609
SHA-512:	E2B53F59DDED6361107954CEE403EA2CAFE2A547CFED5384855C7042093E0FAA5D8F782C5F4763416502A578958B9F03F959867C32BC5C2FCF440C4822236FF5
Malicious:	false
Reputation:	unknown
Preview:	.}\.C...G.......H....8.&.....................#.!BDN.\.DSM......x....[........../.......[................@...........@...@...................................@...........................................................................$.......D.......?..............................+...........................................................................................................................................................................................................................................................................................x.........C..C...8.&........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	7.454712194456632
TrID:	Outlook Message (71009/1) 50.89% Outlook Form Template (41509/1) 29.75% Microsoft Word document (old ver.) (19008/1) 13.62% Generic OLE2 / Multistream Compound File (8008/1) 5.74%
File name:	FW EXTERNALSupplier Diversity Survey.msg
File size:	558'080 bytes
MD5:	0d8581c436789ef4398bd5ad92868c60
SHA1:	0e93ee8524a5cdaa30f43b59dc4a2feb78608033
SHA256:	80942102dfb74d5b4ba4602dfb25eab4634c9687ddf94cee94ac2492fe1555c8
SHA512:	77e6e5fb7fd00c01483e53da39a6e714ab4fb1ccaf19def5043dd24491bd6dcbb5e1e6a1e35f881b14f27857eeed17e7b714988801d38e35b072779df8d0908c
SSDEEP:	12288:ZC2G2B3xfNd6D5+s/9ZNBr+smk8uQceBr1+:ZC25B3xfv6DZ/37JmkSceO
TLSH:	40C4CF1871F88585F17BDA794FD396936513BC82AE00AE4F719D370F0BB1E51A920B2E
File Content Preview:	........................>...................................$...........................Q...R...S...T...U...V..................................................................................................................................................

Static Mail

General

Subject:	FW: [EXTERNAL]Supplier Diversity Survey
From:	Scott Morozoff <scott@coxmanufacturing.com>
To:	security <security@coxmanufacturing.com>
Cc:
BCC:
Date:	Fri, 25 Apr 2025 15:49:34 +0200
Communications:	Hi, guys. Im fairly certain this email is legit, but am wary of the attached documents, especially Word. Would you please scan them and let me know if it is safe for me to open? Sincerely, [cid:image004.jpg@01DBB5BE.F60E7D40]<http://www.coxmanufacturing.com/>Scott Morozoff Estimator D: (210) 807-5429 \| O: (210) 657-7731 x129 \| F: (210) 657-2345 Sales Direct: (210) 807-5462 San Antonio, TX 78247 From: Cheno Quintero, Carmen Alejandra <alejandra.cheno@te.com> Sent: Thursday, April 24, 2025 4:47 PM Subject: [EXTERNAL]Supplier Diversity Survey EXTERNAL EMAIL This email originated outside of Cox Manufacturing Company, Inc. Please exercise caution when clicking on links or opening attachments. Dear Valued Supplier, In 2020, TE Connectivity launched our corporate responsibility strategy, One Connected World. A key part of our One Connected World strategy is to partner with direct and logistics suppliers in strengthening the Sustainability, Diversity, Safety, and Productivity of our supply chain globally. The data collected in this questionnaire will be used to establish the size, location, and ownership of your organization. This survey will take approximately 5-minutes to complete. Please forward this email request to the appropriate person in your organization if you are unable to answer these self-certification questions. We appreciate your willingness to provide these invaluable insights. [http://www.te.com/content/dam/te-com/images/corporate/marketing/global/brand-resources/2018_telogo.gif]<http://www.te.com/> Alejandra Cheno Strategic Sourcing Analyst Medical Business Unit DIRECT + 52 622 165 3087 EMAIL alejandra.cheno@te.com<mailto:alejandra.cheno@te.com> [http://www.te.com/content/dam/te-com/images/corporate/marketing/global/brand-resources/2018-Facebook-Icon.gif]<https://www.facebook.com/teconnectivity> [http://www.te.com/content/dam/te-com/images/corporate/marketing/global/brand-resources/2018-Twitter-Icon.gif] <https://twitter.com/teconnectivity> [http://www.te.com/content/dam/te-com/images/corporate/marketing/global/brand-resources/2018-Instagram-Icon.gif] <http://instagram.com/teconnectivity> [http://www.te.com/content/dam/te-com/images/corporate/marketing/global/brand-resources/2018-LinkedIn-Icon.gif] <https://www.linkedin.com/company/te-connectivity> [http://www.te.com/content/dam/te-com/images/corporate/marketing/global/brand-resources/2018-YouTube-Icon.gif] <https://www.youtube.com/teconnectivity> te.com<http://www.te.com/> Click to read<http://www.te.com/global-en/private/te-email-confidentiality-statement.html> email confidentiality disclaimer.
Attachments:	Minority Definitions.pdf Supplier Diversity Self Cert Rev C.docx image001.png image002.jpg image004.jpg

Headers

Key	Value
Received	from BN8PR20MB2721.namprd20.prod.outlook.com
13	49:34 +0000
Authentication-Results	dkim=none (message not signed)
by BY1PR20MB7509.namprd20.prod.outlook.com (2603	10b6:a03:4a8::19) with
2025 13	49:35 +0000
([fe80	:8fc2:4222:9145:57df%3]) with mapi id 15.20.8655.033; Fri, 25 Apr 2025
Content-Type	application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding	binary
From	Scott Morozoff <scott@coxmanufacturing.com>
To	security <security@coxmanufacturing.com>
Subject	FW: [EXTERNAL]Supplier Diversity Survey
Thread-Topic	[EXTERNAL]Supplier Diversity Survey
Thread-Index	AdtuhWoXvPGBxEVFTq2pwko9uEdo0AJXn9kgD1+TxmAAIZUWcA==
Date	Fri, 25 Apr 2025 13:49:34 +0000
Message-ID	<BN8PR20MB2721F1C441CE34E9666D2FAFDE842@BN8PR20MB2721.namprd20.prod.outlook.com>
References	<PH0PR01MB8094BCBCE2096F6F5A0500AB9FE32@PH0PR01MB8094.prod.exchangelabs.com>
In-Reply-To	<PH0PR01MB8094796E733AB585AE96A2579F852@PH0PR01MB8094.prod.exchangelabs.com>
Accept-Language	en-US
Content-Language	en-US
X-MS-Has-Attach	yes
X-MS-Exchange-Organization-SCL	-1
X-MS-TNEF-Correlator	<BN8PR20MB2721F1C441CE34E9666D2FAFDE842@BN8PR20MB2721.namprd20.prod.outlook.com>
MIME-Version	1.0
X-MS-Exchange-Organization-MessageDirectionality	Originating
X-MS-Exchange-Organization-AuthSource	BN8PR20MB2721.namprd20.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Internal
X-MS-Exchange-Organization-AuthMechanism	04
X-MS-Exchange-Organization-Network-Message-Id	f7a0d8ae-1d92-4c93-a74d-08dd84000368
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	BN8PR20MB2721:EE_\|BY1PR20MB7509:EE_\|BN8PR20MB2371:EE_
Return-Path	scott@coxmanufacturing.com
X-MS-Exchange-Organization-ExpirationStartTime	25 Apr 2025 13:49:35.2792
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Office365-Filtering-Correlation-Id	f7a0d8ae-1d92-4c93-a74d-08dd84000368
x-ms-reactions	disallow
X-Microsoft-Antispam	BCL:0;ARA:13230040\|69100299015\|366016\|13003099007\|8096899003\|41050700001;
X-Forefront-Antispam-Report	CIP:255.255.255.255;CTRY:;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKI;H:BN8PR20MB2721.namprd20.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(69100299015)(366016)(13003099007)(8096899003)(41050700001);DIR:INT;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	25 Apr 2025 13:49:34.8369
X-MS-Exchange-CrossTenant-FromEntityHeader	Hosted
X-MS-Exchange-CrossTenant-Id	c6c38305-3244-469b-8486-bf030d22f9f9
X-MS-Exchange-CrossTenant-AuthSource	BN8PR20MB2721.namprd20.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Internal
X-MS-Exchange-CrossTenant-Network-Message-Id	f7a0d8ae-1d92-4c93-a74d-08dd84000368
X-MS-Exchange-CrossTenant-MailboxType	HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName	flfpzND9y0vsPVudPyGNY5axk6nGMJE+m2pjeTBDJgWfWTbDzSKBFAKd2cNyR3E9SsTE8E/hbIwmp5Tk24tZKtYEO+k7Acyw6NOSjZ38xLY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped	BY1PR20MB7509
X-MS-Exchange-Transport-EndToEndLatency	00:00:05.0050032
X-MS-Exchange-Processed-By-BccFoldering	15.20.8678.021
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(920097)(425001)(930097)(140003);
X-Microsoft-Antispam-Message-Info	pi+9oyIrUqA7NjcD8fAQ9S+QTXTgVn8IzXZHf/iHAD99InT+bqFpA4hk4P84FajhvRauTWlX1QX0d+FGw+bmC7nJ+E5qUvSDojdHX+s+X+2I8W/fQOEbWJzfWtRnPkHoE9L0m0Qp0pmp4kcecBsUJPPbGGBRaNnkaS8WAPc/63cSBQ+anCLRAY6yZD2ba5M1RbKuKvzZKPKREPc2z99y0MyvjH01ADCLzIW8BvDjxQbIgpcF3CI8R8KLZYJ1DpkbWWPJGqsVhk52zKwVXODVkeUWKdEeZcZPIhi0YxMcD5qjmMny4/OyfAYx3hyq5qBGbvT3px7Z3y1hcgA5beZG1M7g4CFm24HvwLBQT7jkGwWXAj0CSOofoisqpLLe4zP933IUECuvqJKN5K+xnSa5cR/8jkzbNG/0U9pPYM/5+UZ3VKOlgUGafQ/CXUSU+DnralrxVU8J1pugioSeW5WhHd6m7C1wesjBvetwfFryA3MF/QQ29iYsDz2zBhM735OGiKOzpiA5rnHiZR68DOpl3QMsW0hc4kG4NHF35+koRdK6FQJDgIVJD3SigQHOKSvV2dmA6BCDcarQCyukb7FDC1JRcgf8hAxOph5zZ/6DxyRZaALJp3U81ZQQt054/mr6NkIUwW1eJVN7psUFocRT43jhv3Z8rppWt49lcWLsToFx73jnjo4SYnpuMc3mpVA7WhxFmgUK60H9vDEmTrTn5pTavORXPHaGUY1tUuY+/CFBNe/52nIz9jQsS8tmV7wl+Y9cJceC4klTQVBYH4OLWNLnB2fH/qUIjffTCZMnx9X5LsEKYl0+K/TZHJWyJ/WoX7u3HKj0Ry+t0tKWRXYRF4OMEqYvwRRnxpB2ZShqxP8wiQFAVEjG6ztpcdbmbqdoTd8XxlOMexLT4zuxMibATjN3QI7ezpfzGZvaV7KEbRAOL1SaAAntO2hVbKyhmJWqpXIOuBI97ePJqRQUtDXLRQ==
date	Fri, 25 Apr 2025 15:49:34 +0200

File Icon


Icon Hash:	c4e1928eacb280a2

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FW EXTERNALSupplier Diversity Survey.msg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_18129_20158-20250425T1712390378-5960.etl

C:\Users\user\AppData\Local\Temp\prep___Program Files_Microsoft Office_root_Office16_AugLoop_bundle_js_V8_perf.cache

C:\Users\user\AppData\Local\Temp\~DF04517C3A8C3BCC52.TMP

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Windows Analysis Report
FW EXTERNALSupplier Diversity Survey.msg