Edit tour

Windows Analysis Report
original.eml

Overview

General Information

Sample name:	original.eml
Analysis ID:	1676267
MD5:	ceff9d37b4266bf49e42d01919751cec
SHA1:	3a5ce9767fa6bd42699fd0215ebbaddd65cce37a
SHA256:	19b93e1887fd6aa5853306637315f0b1a5bc35dd754e65ada003150e19c4d63d
Infos:

Detection

Score:	21
Range:	0 - 100
Confidence:	80%

Signatures

AI detected suspicious elements in Email content

Queries the volume information (name, serial number etc) of a device

Sigma detected: Outlook Security Settings Updated - Registry

Stores large binary data to the registry

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 7088 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\original.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 3764 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B8353F91-945E-4BC7-8A11-C6C182C71405" "822DD1ED-A3D8-4FBB-BDFC-7A023C835F07" "7088" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

OUTLOOK.EXE (PID: 3924 cmdline: "C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\1HA9TWDC\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)

cleanup

Sigma Signatures

Sigma detected: Outlook Security Settings Updated - Registry

Source: Registry Key set

Author: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\1HA9TWDC\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7088, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7088, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Phishing
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Phishing

AI detected suspicious elements in Email content

Source: original.eml

Joe Sandbox AI: Detected potential phishing email: The email claims to be from a Chinese steel company but is sent from a different domain (metalus.qc.ca). The sender's email domain (pipe.shinestar-steel.com) appears suspicious and doesn't match legitimate business patterns. The email combines unsolicited business offering with multiple contact channel options (Skype, WhatsApp), which is a common phishing tactic

Source: Email

Classification: Lure-Based Attack

Source: classification engine

Classification label: sus21.winEML@5/4@0/61