Edit tour

Windows Analysis Report
HxAccounts.exe

Overview

General Information

Sample Name:	HxAccounts.exe
Analysis ID:	18382
MD5:	d3cc99259af987f5ae6895859df0fbc1
SHA1:	e095be7064ae0b3c970f4562f9b37e9616673325
SHA256:	235ab22c75abdb2990ce2f3575bd8facdec7139a0a7310d7a63abd24424b5092
Infos:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Found potential ransomware demand text

PE file contains an invalid checksum

Tries to load missing DLLs

IP address seen in connection with other malware

PE file contains sections with non-standard names

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 1108 cmdline: "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail MD5: CA3FDE8329DE07C95897DB0D828545CD)

HxAccounts.exe (PID: 6644 cmdline: C:\Users\user\Desktop\HxAccounts.exe MD5: D3CC99259AF987F5AE6895859DF0FBC1)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: HxAccounts.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, APPCONTAINER, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\dbs\el\jul\target\x64\ship\hxaccounts_winrtapp\x-none\hxaccounts.pdb source: HxAccounts.exe
Source:	Binary string: d:\dbs\el\jul\target\x64\ship\hxaccounts_winrtapp\x-none\hxaccounts.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: HxAccounts.exe

Source: Joe Sandbox View	IP Address: 52.109.77.2 52.109.77.2
Source: Joe Sandbox View	IP Address: 192.229.221.95 192.229.221.95

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.77.2
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.88.191
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.88.191
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.77.2
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95

Spam, unwanted Advertisements and Ransom Demands

Found potential ransomware demand text

Source: HxAccounts.exe, 00000001.00000000.1420851399.00007FF6A0511000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
Source: HxAccounts.exe	String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ

Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: microsoft.applications.telemetry.windows.dll	Jump to behavior
Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: mso30imm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: vcruntime140_1_app.dll	Jump to behavior
Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Users\user\Desktop\HxAccounts.exe	Section loaded: msvcp140_app.dll	Jump to behavior

Source: HxAccounts.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HxAccounts.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: sus22.rans.winEXE@1/2@0/3

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Feedback

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: HxAccounts.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: HxAccounts.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HxAccounts.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HxAccounts.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HxAccounts.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HxAccounts.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HxAccounts.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: HxAccounts.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, APPCONTAINER, GUARD_CF, TERMINAL_SERVER_AWARE

Source: HxAccounts.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\dbs\el\jul\target\x64\ship\hxaccounts_winrtapp\x-none\hxaccounts.pdb source: HxAccounts.exe
Source:	Binary string: d:\dbs\el\jul\target\x64\ship\hxaccounts_winrtapp\x-none\hxaccounts.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: HxAccounts.exe

Source: HxAccounts.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HxAccounts.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HxAccounts.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HxAccounts.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HxAccounts.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: HxAccounts.exe

Static PE information: real checksum: 0x36c55 should be: 0x43730

Source: HxAccounts.exe

Static PE information: section name: .didat

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
HxAccounts.exe	0%	ReversingLabs
HxAccounts.exe	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.109.77.2	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
192.229.221.95	unknown	United States	15133	EDGECASTUS	false
52.109.88.191	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	18382
Start date and time:	2023-03-13 18:23:49 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	1
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	HxAccounts.exe
Detection:	SUS
Classification:	sus22.rans.winEXE@1/2@0/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Changed system and user locale, location and keyboard layout to English - United States

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.32.76, 40.126.32.134, 20.190.160.22, 20.190.160.17, 40.126.32.136, 20.190.160.14, 20.190.160.20, 40.126.32.133
Excluded domains from analysis (whitelisted): prda.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
52.109.77.2	kill_miner	Get hash	malicious	Unknown	Browse
	PO_3725_5281_0_US.7z	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	http://51.195.47.176:80	Get hash	malicious	Unknown	Browse
	po3451118.pdf.rar	Get hash	malicious	FormBook	Browse
	Play_Now #U23ee#Ufe0f #U25b6#Ufe0f #U23ed#Ufe0f 03min25secs__3pm.htm	Get hash	malicious	HTMLPhisher	Browse
	https://azbiodyne.com/toz8z	Get hash	malicious	Phisher	Browse
	inst_client.exe	Get hash	malicious	Unknown	Browse
	ComplaintCopy_40814(Feb01).one	Get hash	malicious	Unknown	Browse
	62a0750ae87bd6445ebc202e442b0820c859507be37487e012b910660050929a.zip	Get hash	malicious	Unknown	Browse
	39815.zip	Get hash	malicious	Unknown	Browse
	complaint.doc	Get hash	malicious	Unknown	Browse
	Re ST ACH20228909340 LLC PAlD lNV 13487110.msg	Get hash	malicious	HTMLPhisher	Browse
192.229.221.95	https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=cconnelly%40chs-adphila.org&senderemailaddress=Jamila.Brown%40phila.gov&senderorganization=AwF8AAAAAngAAAADAQAAAK%2bnVKeb1ftHofNjJdZy5clPVT1QaGlsYS5vbm1pY3Jvc29mdC5jb20sT1U9TWljcm9zb2Z0IEV4Y2hhbmdlIEhvc3RlZCBPcmdhbml6YXRpb25zLERDPU5BTVBSMDlBMDAxLERDPXByb2QsREM9b3V0bG9vayxEQz1jb23VXZD0qJ12QJarhRYFN2CCQ049Q29uZmlndXJhdGlvbixDTj1QaGlsYS5vbm1pY3Jvc29mdC5jb20sQ049Q29uZmlndXJhdGlvblVuaXRzLERDPU5BTVBSMDlBMDAxLERDPXByb2QsREM9b3V0bG9vayxEQz1jb20B&messageid=%3cDM8PR09MB727088C02696B71213B8EF999CB99%40DM8PR09MB7270.namprd09.prod.outlook.com%3e&cfmRecipient=SystemMailbox%7b31c538bf-be03-4a29-b7ba-7f4ca3804212%7d%40Phila.onmicrosoft.com&consumerEncryption=false&senderorgid=2046864f-68ea-497d-af34-a6629a6cd700&urldecoded=1&e4e_sdata=bsEIVgiwH1JgJA4x1%2bKprE9XSvwothuW3bcOg3yGxHRzu5q3RCuMbCur5cH0EytjUjuWI3MHAwDZ6Znt8FmqEzHBJJq3G8sKGWNZleckOSrJHJRRqpV%2bEwibmibzyda3WjT8yAsPhruT6zUBAzQ%2fxyGoSxiL2Zb%2b%2bsGcR%2fzzJ9igZPTwlpTzg3dOxWTfsoTLNFUkr5BrZVNjLL3tIj4AG4c%2fcXChbjAdIVjIO3lQ8k9XyR0yFUZsP4FmcwzZPBH076oizIMFjICd%2fZwxL64YNvGhPCwjh4qIu950AgAZB7bdMc3VqaXu4Ynw1rFdW6USJN7SrzJDpPN4h5bd9nN0GA%3d%3d	Get hash	malicious	Unknown	Browse
	RemittanceAdvice_processedpayments.htm	Get hash	malicious	HTMLPhisher	Browse
	https://api-01.moengage.com/v1/emailclick?em=joaquim.brites%40sma-europe.eu&user_id=%40%24xy%2A%40%21hYs%C2%B7%3A%C3%A7%C3%A8Z+%C3%98%15ll%C2%B8%C2%9C%C3%8A%C3%9A2%C2%8E%C2%AE+%C2%BD%C3%95h%C2%8A%C2%A4A%0A%C3%B3%00.5%1F&d=%40%24xy%2A%40%21hn%C2%8E%3C%60f%3B%24%5CoR%1B%C2%97+%C2%87cm&cid=%40%24xy%2A%40%21h%C2%BA%C2%A7M%C2%9E%C2%9E%14%24%0FD%C2%90%C2%BF%C3%AEZf%08%C3%B9%17%C3%B9%C3%B4b%C2%92l%C2%81%03%C2%89rxvM%C2%92V%28%C2%91%C3%91%00%C3%AF%1Ds%C2%A7%C2%86V%C3%A4%3F%0D%C3%91%C2%9BOt%C2%B3J%C2%BE%C3%87%C2%ACvs%1B%C3%BE%C3%81%C3%91%C2%AAiqD%C3%B8%C3%B3%7F%2C%16+%3E%5C%C3%88%C3%88%C3%97o%21%07%C2%AA%C3%A1%25%0B%C2%BF%00%10&ut=l&moeclickid=61b35f5997223f7c61e6625a_F_T_EM_AB_0_P_0_TIME_2021-12-10+14%3A09%3A02.859891_L_0ecli27&rlink=https://treisgroup.com/%2F%2F%2F%2F/new/%2F%2F%2F%2Fauth/rjq0cpc%2F%2F%2F%2Ftest@rdgusa.com	Get hash	malicious	HTMLPhisher	Browse
	C-IHzNRYS-6158152.js	Get hash	malicious	Unknown	Browse
	http://melderspyurias.website	Get hash	malicious	Unknown	Browse
	C-IHzNRYS-6158152.js	Get hash	malicious	Unknown	Browse
	Invoice_Payment_In_Progress_for_Mar_13_2023_.eml	Get hash	malicious	HTMLPhisher	Browse
	http://agrolook.com/mde/upload.php/	Get hash	malicious	HTMLPhisher	Browse
	X-JQGQo.104.js	Get hash	malicious	Unknown	Browse
	Payment_Advice.html	Get hash	malicious	Unknown	Browse
	http://llink.to	Get hash	malicious	Unknown	Browse
	smtp4dev.exe	Get hash	malicious	Unknown	Browse
	https://eiga.%E5%B1%B1%E9%99%BD%E5%B0%8F%E9%87%8E%E7%94%B0.com/makie/index.php/?email=grazia.fontaneto@grupposandonato.it	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse
	https://thepointofview.net/office/?owner=aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL2FwcGZvcmVzdF91Zi9mMTY3NzQxODYwMjI2OHgzNDQ1NTI5NTUyODczMTQxMDAvaW5kZXguaHRtbCNjcm9nZXJzQGhhcnJpc3dpbGxpYW1zLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse
	https://u5374526.ct.sendgrid.net/ls/click?upn=PNOxyfHdx3LbF4hLimQrGRWtLiq1nLwOXQ4972d5egp0XeDj4lw2wZTW-2BbRmEwFxbjUG-2FDXIxJ6dZG9qkqYUlg0kpdnzNT4jQ89IHLSa23ZVaufW22DBPgy8huin7AIg6WJ7nZ2CLO4imL2uH6X-2FR-2BCrrfbTa247ZlQIMpG3SXnis-2Fye5kw87MIndm8bc6hYkuq8q0VPR9dA8xgFHiSqikq5LjaMAHYfaF4i-2BNi0MATT3UEP0waiKAKGvpqVW6d-2FYyPWHaLKEkrI-2BYay1-2FG9dCQpUiuP2Sz2kGht1qYj-2BbA-3DSs30_o32f-2FQnJMTpe8YbbT5tv2wC-2FNVXhE-2F-2FFH6pPL9HrAVPjYrPtFPKvI87C4FofPI5rWuVuRNTUnV0cjkqe2Svr-2BErwxZJlS9frTMVHd54r2yeIHX8BkQRmSJzi6WVQFG7OpX4pErAPaFq8TDMVJuCOWlOZQoAGz-2FGaAyZOHtlFVXe-2BC5DQx1aNuD59qoxbAhgSJWDbPamMxadif2k0j-2Farab-2B61rQ8TlotgbRnB9VSkWM-3D	Get hash	malicious	Unknown	Browse
	spek-0.8.5-beta.zip	Get hash	malicious	Unknown	Browse
	Expense Report - Approve-Reject.html	Get hash	malicious	HTMLPhisher	Browse
	HSBC Payment Advice_pdf.exe	Get hash	malicious	FormBook	Browse
	http://194.213.18.132/AIEO.php?i=98112	Get hash	malicious	Unknown	Browse
	bypass.ps1	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=cconnelly%40chs-adphila.org&senderemailaddress=Jamila.Brown%40phila.gov&senderorganization=AwF8AAAAAngAAAADAQAAAK%2bnVKeb1ftHofNjJdZy5clPVT1QaGlsYS5vbm1pY3Jvc29mdC5jb20sT1U9TWljcm9zb2Z0IEV4Y2hhbmdlIEhvc3RlZCBPcmdhbml6YXRpb25zLERDPU5BTVBSMDlBMDAxLERDPXByb2QsREM9b3V0bG9vayxEQz1jb23VXZD0qJ12QJarhRYFN2CCQ049Q29uZmlndXJhdGlvbixDTj1QaGlsYS5vbm1pY3Jvc29mdC5jb20sQ049Q29uZmlndXJhdGlvblVuaXRzLERDPU5BTVBSMDlBMDAxLERDPXByb2QsREM9b3V0bG9vayxEQz1jb20B&messageid=%3cDM8PR09MB727088C02696B71213B8EF999CB99%40DM8PR09MB7270.namprd09.prod.outlook.com%3e&cfmRecipient=SystemMailbox%7b31c538bf-be03-4a29-b7ba-7f4ca3804212%7d%40Phila.onmicrosoft.com&consumerEncryption=false&senderorgid=2046864f-68ea-497d-af34-a6629a6cd700&urldecoded=1&e4e_sdata=bsEIVgiwH1JgJA4x1%2bKprE9XSvwothuW3bcOg3yGxHRzu5q3RCuMbCur5cH0EytjUjuWI3MHAwDZ6Znt8FmqEzHBJJq3G8sKGWNZleckOSrJHJRRqpV%2bEwibmibzyda3WjT8yAsPhruT6zUBAzQ%2fxyGoSxiL2Zb%2b%2bsGcR%2fzzJ9igZPTwlpTzg3dOxWTfsoTLNFUkr5BrZVNjLL3tIj4AG4c%2fcXChbjAdIVjIO3lQ8k9XyR0yFUZsP4FmcwzZPBH076oizIMFjICd%2fZwxL64YNvGhPCwjh4qIu950AgAZB7bdMc3VqaXu4Ynw1rFdW6USJN7SrzJDpPN4h5bd9nN0GA%3d%3d	Get hash	malicious	Unknown	Browse	52.109.76.141
	RemittanceAdvice_processedpayments.htm	Get hash	malicious	HTMLPhisher	Browse	52.109.8.44
	ian.marshall RRSP Increased Contribution Statement_Payments.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://api-01.moengage.com/v1/emailclick?em=joaquim.brites%40sma-europe.eu&user_id=%40%24xy%2A%40%21hYs%C2%B7%3A%C3%A7%C3%A8Z+%C3%98%15ll%C2%B8%C2%9C%C3%8A%C3%9A2%C2%8E%C2%AE+%C2%BD%C3%95h%C2%8A%C2%A4A%0A%C3%B3%00.5%1F&d=%40%24xy%2A%40%21hn%C2%8E%3C%60f%3B%24%5CoR%1B%C2%97+%C2%87cm&cid=%40%24xy%2A%40%21h%C2%BA%C2%A7M%C2%9E%C2%9E%14%24%0FD%C2%90%C2%BF%C3%AEZf%08%C3%B9%17%C3%B9%C3%B4b%C2%92l%C2%81%03%C2%89rxvM%C2%92V%28%C2%91%C3%91%00%C3%AF%1Ds%C2%A7%C2%86V%C3%A4%3F%0D%C3%91%C2%9BOt%C2%B3J%C2%BE%C3%87%C2%ACvs%1B%C3%BE%C3%81%C3%91%C2%AAiqD%C3%B8%C3%B3%7F%2C%16+%3E%5C%C3%88%C3%88%C3%97o%21%07%C2%AA%C3%A1%25%0B%C2%BF%00%10&ut=l&moeclickid=61b35f5997223f7c61e6625a_F_T_EM_AB_0_P_0_TIME_2021-12-10+14%3A09%3A02.859891_L_0ecli27&rlink=https://treisgroup.com/%2F%2F%2F%2F/new/%2F%2F%2F%2Fauth/rjq0cpc%2F%2F%2F%2Ftest@rdgusa.com	Get hash	malicious	HTMLPhisher	Browse	13.107.237.45
	Current Balances_09-03-2023.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.237.60
	#Ud83d#Udcd1Teams.Chat.Log.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.253.60
	C-IHzNRYS-6158152.js	Get hash	malicious	Unknown	Browse	52.109.32.24
	http://melderspyurias.website	Get hash	malicious	Unknown	Browse	52.109.77.0
	2023012348796490720230123487964907.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.253.60
	C-IHzNRYS-6158152.js	Get hash	malicious	Unknown	Browse	52.109.32.24
	Invoice_Payment_In_Progress_for_Mar_13_2023_.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.238.45
	http://agrolook.com/mde/upload.php/	Get hash	malicious	HTMLPhisher	Browse	52.109.76.141
	RRSP Increased Contribution Statement_Payments.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.253.60
	XXX.wav.html	Get hash	malicious	HTMLPhisher	Browse	13.107.253.60
	Constructing-2023012348796490720230123487964907.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.253.60
	X-JQGQo.104.js	Get hash	malicious	Unknown	Browse	52.109.76.141
	xTbfuxyUt4.elf	Get hash	malicious	Mirai	Browse	20.201.110.38
	Payment_Advice.html	Get hash	malicious	Unknown	Browse	52.109.32.24
	vuRwrzDUix.elf	Get hash	malicious	Mirai	Browse	20.140.169.114
	Benefits_Enrollment.htm	Get hash	malicious	Unknown	Browse	13.107.237.60
EDGECASTUS	https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=cconnelly%40chs-adphila.org&senderemailaddress=Jamila.Brown%40phila.gov&senderorganization=AwF8AAAAAngAAAADAQAAAK%2bnVKeb1ftHofNjJdZy5clPVT1QaGlsYS5vbm1pY3Jvc29mdC5jb20sT1U9TWljcm9zb2Z0IEV4Y2hhbmdlIEhvc3RlZCBPcmdhbml6YXRpb25zLERDPU5BTVBSMDlBMDAxLERDPXByb2QsREM9b3V0bG9vayxEQz1jb23VXZD0qJ12QJarhRYFN2CCQ049Q29uZmlndXJhdGlvbixDTj1QaGlsYS5vbm1pY3Jvc29mdC5jb20sQ049Q29uZmlndXJhdGlvblVuaXRzLERDPU5BTVBSMDlBMDAxLERDPXByb2QsREM9b3V0bG9vayxEQz1jb20B&messageid=%3cDM8PR09MB727088C02696B71213B8EF999CB99%40DM8PR09MB7270.namprd09.prod.outlook.com%3e&cfmRecipient=SystemMailbox%7b31c538bf-be03-4a29-b7ba-7f4ca3804212%7d%40Phila.onmicrosoft.com&consumerEncryption=false&senderorgid=2046864f-68ea-497d-af34-a6629a6cd700&urldecoded=1&e4e_sdata=bsEIVgiwH1JgJA4x1%2bKprE9XSvwothuW3bcOg3yGxHRzu5q3RCuMbCur5cH0EytjUjuWI3MHAwDZ6Znt8FmqEzHBJJq3G8sKGWNZleckOSrJHJRRqpV%2bEwibmibzyda3WjT8yAsPhruT6zUBAzQ%2fxyGoSxiL2Zb%2b%2bsGcR%2fzzJ9igZPTwlpTzg3dOxWTfsoTLNFUkr5BrZVNjLL3tIj4AG4c%2fcXChbjAdIVjIO3lQ8k9XyR0yFUZsP4FmcwzZPBH076oizIMFjICd%2fZwxL64YNvGhPCwjh4qIu950AgAZB7bdMc3VqaXu4Ynw1rFdW6USJN7SrzJDpPN4h5bd9nN0GA%3d%3d	Get hash	malicious	Unknown	Browse	192.229.221.95
	STATEMENT_91902340.shtml	Get hash	malicious	HTMLPhisher	Browse	192.229.133.221
	RemittanceAdvice_processedpayments.htm	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://eu2signing.web.app/ghWO3lk17WO3nx0qsharkni2Pnjady9s3RWO3BM2	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	ian.marshall RRSP Increased Contribution Statement_Payments.htm	Get hash	malicious	HTMLPhisher	Browse	152.199.23.72
	https://api-01.moengage.com/v1/emailclick?em=joaquim.brites%40sma-europe.eu&user_id=%40%24xy%2A%40%21hYs%C2%B7%3A%C3%A7%C3%A8Z+%C3%98%15ll%C2%B8%C2%9C%C3%8A%C3%9A2%C2%8E%C2%AE+%C2%BD%C3%95h%C2%8A%C2%A4A%0A%C3%B3%00.5%1F&d=%40%24xy%2A%40%21hn%C2%8E%3C%60f%3B%24%5CoR%1B%C2%97+%C2%87cm&cid=%40%24xy%2A%40%21h%C2%BA%C2%A7M%C2%9E%C2%9E%14%24%0FD%C2%90%C2%BF%C3%AEZf%08%C3%B9%17%C3%B9%C3%B4b%C2%92l%C2%81%03%C2%89rxvM%C2%92V%28%C2%91%C3%91%00%C3%AF%1Ds%C2%A7%C2%86V%C3%A4%3F%0D%C3%91%C2%9BOt%C2%B3J%C2%BE%C3%87%C2%ACvs%1B%C3%BE%C3%81%C3%91%C2%AAiqD%C3%B8%C3%B3%7F%2C%16+%3E%5C%C3%88%C3%88%C3%97o%21%07%C2%AA%C3%A1%25%0B%C2%BF%00%10&ut=l&moeclickid=61b35f5997223f7c61e6625a_F_T_EM_AB_0_P_0_TIME_2021-12-10+14%3A09%3A02.859891_L_0ecli27&rlink=https://treisgroup.com/%2F%2F%2F%2F/new/%2F%2F%2F%2Fauth/rjq0cpc%2F%2F%2F%2Ftest@rdgusa.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	Current Balances_09-03-2023.htm	Get hash	malicious	HTMLPhisher	Browse	192.229.221.185
	#Ud83d#Udcd1Teams.Chat.Log.htm	Get hash	malicious	HTMLPhisher	Browse	192.229.221.185
	C-IHzNRYS-6158152.js	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://melderspyurias.website	Get hash	malicious	Unknown	Browse	192.229.221.95
	2023012348796490720230123487964907.htm	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	C-IHzNRYS-6158152.js	Get hash	malicious	Unknown	Browse	192.229.221.95
	Invoice_Payment_In_Progress_for_Mar_13_2023_.eml	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	http://agrolook.com/mde/upload.php/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	RRSP Increased Contribution Statement_Payments.htm	Get hash	malicious	HTMLPhisher	Browse	152.199.23.72
	XXX.wav.html	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	Constructing-2023012348796490720230123487964907.htm	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	X-JQGQo.104.js	Get hash	malicious	Unknown	Browse	192.229.221.95
	Payment_Advice.html	Get hash	malicious	Unknown	Browse	192.229.221.95
	Benefits_Enrollment.htm	Get hash	malicious	Unknown	Browse	192.229.221.185

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_13929_20386-20230313T1824080677-1108.etl

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	4096
Entropy (8bit):	4.019226896369441
Encrypted:	false
SSDEEP:	24:YrFQuWlxBbMN6gtkOazbbDnfYCcSwAZbxPp9u+D80rg95wVF4ckoWpLb3A3dLcPD:YrFQRbxg76Czxvn
MD5:	360C04D08972257407A4620E048614FE
SHA1:	7E86A5570AA0F7B625F7D1D2D524FAC77F404973
SHA-256:	C02C659ADCDA047B1A7241B5D05C4E217322E17EB8BBB99E170200BD0EE12803
SHA-512:	70B58787F6743E4B32054CCDF1CBCA5312C77658B7BDED7014712E71D62BBF02B2D02B3A974F3EBB9A55FB2B66D4458152F2C924901976C4AE072144758BD6ED
Malicious:	false
Reputation:	low
Preview:	........@........2..U..(........................... ...8 .H....8..H....X...........T...T....U..#.....C.L...0T.j...................F..........................0X...........T...T....U..#.....C.L...0T.j...................F..........................:X...........T...T....U..#.....C.L...0T.j...................F..........................:X...........T...T....U..#.....C.L...0T.j...............o...F..........................:X...........T...T....U..#.....C.L...0T.j...............G...F..........................:X...........T...T....U..#.....C.L...0T.j...................F..........................:X...........T...T....U..#.....C.L...0T.j...................F.........................]:X...........T...T....U..#.....C.L...0T.j...............w...F.........................Y:X...........T...T....U..#.....C.L...0T.j...............y...F.........................\:X...........T...T....U..#.....C.L...0T.j...............}...F.........................Z:X...........T...T....U..#.....C.L...0T.j.......

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	5139
Entropy (8bit):	1.9107140047584497
Encrypted:	false
SSDEEP:	24:a/ax4tFd5fieh9EhZaY4a97oJOcbiZ4pd8dQKQUhNq+cxf:Hx4t3mZR4aOwQ0LtE
MD5:	4427E827AB80A072C35B46EF0FCF2441
SHA1:	57C7AEAC30E43FCB5D5E849652B38972F897CC6A
SHA-256:	813DE02F5B54CB7B429AD29AE1447FC1CA02B304D78A06010C1F3A5444421547
SHA-512:	9F2421907E4EF3CD0B0B33A4B204897475299957131547093D3A3E4EF802393A1A709AEBB66C3D96075AB73CAD8E0DC8D5E93AF0F097640E398D21C54A4F4745
Malicious:	false
Reputation:	low
Preview:	.................P..............................................................'...............$.......................................................c............................................................................................................................................................................................................................................................................................................................................................L.l........$...............2.......<.......................`........,..............d......../......b.......j........I...... ........................................y......r.......p...............D.......\|........u..............@...............n.......D........x.......................f......T...............@`..............................................................................V.......................V................K.......................Z..............................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.15551939866279
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HxAccounts.exe
File size:	220160
MD5:	d3cc99259af987f5ae6895859df0fbc1
SHA1:	e095be7064ae0b3c970f4562f9b37e9616673325
SHA256:	235ab22c75abdb2990ce2f3575bd8facdec7139a0a7310d7a63abd24424b5092
SHA512:	e012b965a9b3fbde2888e55777cdfbe0807daee65c9420fcb1354f535d4b5c3224bab65488aba0ff0790e5c14fe65cda042cab144232500b0657064ed7cfa6bb
SSDEEP:	6144:TdM+d2P+4NMFdESZnujvC7xEIQXObBTtVfCV:xM+d2W4NMLEnC7xEIQXUT
TLSH:	7224085A63590DE3D19791B88856963AF373B9274701A70E0E60C33B1F3B264FD2FA94
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........(...{...{...{9..z...{...z...{...z...{...z...{...z...{..}{...{9..z...{...{...{]..z...{2..z...{...{...{2..z...{2..z...{2..{...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x14001edc0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, APPCONTAINER, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6400107C [Thu Mar 2 02:57:00 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	e073ab4e8a2071203bf01d2a7f4d2ce2

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F00249EC164h
dec eax
add esp, 28h
jmp 00007F00249EBB9Fh
int3
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
cmp ecx, dword ptr [00012311h]
jne 00007F00249EBD45h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F00249EBD35h
ret
dec eax
ror ecx, 10h
jmp 00007F00249EC264h
int3
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
lea eax, dword ptr [0000373Bh]
dec eax
mov ebx, ecx
dec eax
mov dword ptr [ecx], eax
test dl, 00000001h
je 00007F00249EBD3Ch
mov edx, 00000018h
call 00007F00249EC0F3h
dec eax
mov eax, ebx
dec eax
add esp, 20h
pop ebx
ret
nop
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [0001501Ch]
call dword ptr [0000275Eh]
and dword ptr [ebx], 00000000h
dec eax
lea ecx, dword ptr [0001500Ch]
call dword ptr [00002746h]
dec eax
lea ecx, dword ptr [00014FF7h]
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00002763h]
int3
nop
nop
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [00014FE0h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2656c	0x26c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39000	0x47c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x35000	0x2118	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a000	0xa60	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x29790	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x24588	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x24450	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x21000	0x6a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x25c48	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1ff1b	0x20000	False	0.42053985595703125	data	6.19334154066641	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x21000	0xf28b	0xf400	False	0.3358414446721312	data	5.279650559132901	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x31000	0x3188	0x2e00	False	0.251273777173913	SysEx File - Akai	3.6860301482951026	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x35000	0x2118	0x2200	False	0.47081801470588236	PEX Binary Archive	5.2189649110378005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x38000	0xe8	0x200	False	0.181640625	data	1.544682306714077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x39000	0x47c	0x600	False	0.2936197916666667	data	3.9771118291576304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a000	0xa60	0xc00	False	0.3118489583333333	data	5.155392790344524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x39058	0x424	data	English	United States

Imports

DLL	Import
HxOutlook.Model.dll	?UseHxCommAccessHub@Model@HxOutlook@@YAAEAUIHxCommAccessHub@Hx@@XZ
Microsoft.Applications.Telemetry.Windows.dll	?DetachEventSource@DebugEventSource@Events@Applications@Microsoft@@UEAA_NAEAV1234@@Z, ?AttachEventSource@DebugEventSource@Events@Applications@Microsoft@@UEAA_NAEAV1234@@Z, ?RemoveEventListener@DebugEventSource@Events@Applications@Microsoft@@UEAAXW4DebugEventType@234@AEAVDebugEventListener@234@@Z, ?AddEventListener@DebugEventSource@Events@Applications@Microsoft@@UEAAXW4DebugEventType@234@AEAVDebugEventListener@234@@Z, ?DispatchEvent@DebugEventSource@Events@Applications@Microsoft@@UEAA_NVDebugEvent@234@@Z, ?AddModule@ILogConfiguration@Events@Applications@Microsoft@@QEAAXPEBDAEBV?$shared_ptr@VIModule@Events@Applications@Microsoft@@@std@@@Z, ?GetModules@ILogConfiguration@Events@Applications@Microsoft@@QEAAAEAV?$map@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$shared_ptr@VIModule@Events@Applications@Microsoft@@@2@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$allocator@U?$pair@$$CBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$shared_ptr@VIModule@Events@Applications@Microsoft@@@2@@std@@@2@@std@@XZ, ??DILogConfiguration@Events@Applications@Microsoft@@QEAAAEAV?$map@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@VVariant@Events@Applications@Microsoft@@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$allocator@U?$pair@$$CBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@VVariant@Events@Applications@Microsoft@@@std@@@2@@std@@XZ, ?Release@LogManagerProvider@Events@Applications@Microsoft@@SA?AW4status_t@234@AEAVILogConfiguration@234@@Z, ??0GUID_t@Events@Applications@Microsoft@@QEAA@AEBU0123@@Z, ??4EventProperty@Events@Applications@Microsoft@@QEAAAEAU0123@UGUID_t@123@@Z, ??4EventProperty@Events@Applications@Microsoft@@QEAAAEAU0123@N@Z, ??4EventProperty@Events@Applications@Microsoft@@QEAAAEAU0123@_N@Z, ??4EventProperty@Events@Applications@Microsoft@@QEAAAEAU0123@I@Z, ??4EventProperty@Events@Applications@Microsoft@@QEAAAEAU0123@_J@Z, ??4EventProperty@Events@Applications@Microsoft@@QEAAAEAU0123@H@Z, ??4EventProperty@Events@Applications@Microsoft@@QEAAAEAU0123@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z, ??0GUID_t@Events@Applications@Microsoft@@QEAA@U_GUID@@@Z, ?SetProperty@EventProperties@Events@Applications@Microsoft@@QEAAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_JW4PiiKind@234@W4DataCategory@234@@Z, ??1EventProperty@Events@Applications@Microsoft@@UEAA@XZ, ??AILogConfiguration@Events@Applications@Microsoft@@QEAAAEAVVariant@123@PEBD@Z, ?Get@LogManagerProvider@Events@Applications@Microsoft@@CAPEAVILogManager@234@AEAVILogConfiguration@234@AEAW4status_t@234@@Z, ??4EventProperty@Events@Applications@Microsoft@@QEAAAEAU0123@PEBD@Z, ??0EventProperties@Events@Applications@Microsoft@@QEAA@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z, ??1EventProperties@Events@Applications@Microsoft@@UEAA@XZ, ?SetProperty@EventProperties@Events@Applications@Microsoft@@QEAAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0W4PiiKind@234@W4DataCategory@234@@Z, ?SetProperty@EventProperties@Events@Applications@Microsoft@@QEAAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@UGUID_t@234@W4PiiKind@234@W4DataCategory@234@@Z, ?SetPolicyBitFlags@EventProperties@Events@Applications@Microsoft@@QEAAX_K@Z, ?SetProperty@EventProperties@Events@Applications@Microsoft@@QEAAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@UEventProperty@234@@Z, ??0EventProperty@Events@Applications@Microsoft@@QEAA@XZ
api-ms-win-core-localization-l1-2-0.dll	GetLocaleInfoEx
api-ms-win-core-com-l1-1-0.dll	CoCreateFreeThreadedMarshaler, CoTaskMemFree, CoGetContextToken, CoTaskMemAlloc
api-ms-win-eventing-provider-l1-1-0.dll	EventWriteTransfer
Mso20Imm.dll
vccorlib140_app.DLL	?GetObjectContext@Details@Platform@@YAPEAUIUnknown@@XZ, ?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z, ?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z, ?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z, ?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z, ??0FailureException@Platform@@QE$AAA@XZ, ??0OutOfMemoryException@Platform@@QE$AAA@XZ, ??0ChangedStateException@Platform@@QE$AAA@XZ, ?GetProxyImpl@Details@Platform@@YAJPEAUIUnknown@@AEBU_GUID@@0PEAPEAU3@@Z, ?ResolveWeakReference@Details@Platform@@YAPE$AAVObject@2@AEBU_GUID@@PEAPEAU__abi_IUnknown@@@Z, ?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z, ?GetWeakReference@Details@Platform@@YAPEAU__abi_IUnknown@@QE$ADVObject@2@@Z, ??0OutOfBoundsException@Platform@@QE$AAA@XZ, ?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z, ?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z, ??0Delegate@Platform@@QE$AAA@XZ, ??0DisconnectedException@Platform@@QE$AAA@XZ, ?__abi_translateCurrentException@@YAJ_N@Z, ?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z, ?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ, ?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z, ?Free@Heap@Details@Platform@@SAXPEAX@Z, ??0Object@Platform@@QE$AAA@XZ, ?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z, ?__abi_WinRTraiseObjectDisposedException@@YAXXZ, ?__abi_WinRTraiseInvalidCastException@@YAXXZ, ?__abi_WinRTraiseNotImplementedException@@YAXXZ, ?__abi_WinRTraiseDisconnectedException@@YAXXZ, ?__abi_cast_Object_to_String@__abi_details@@YAPE$AAVString@Platform@@_NPE$AAVObject@3@@Z, ?ReleaseInContextImpl@Details@Platform@@YAJPEAUIUnknown@@0@Z, ?__abi_WinRTraiseFailureException@@YAXXZ, ?__abi_WinRTraiseOperationCanceledException@@YAXXZ, ?__abi_WinRTraiseAccessDeniedException@@YAXXZ, ?__abi_WinRTraiseInvalidArgumentException@@YAXXZ, ?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ, ?__abi_WinRTraiseCOMException@@YAXJ@Z, ?GetCmdArguments@Details@Platform@@YAPEAPEA_WPEAH@Z, ?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z, ?__abi_WinRTraiseOutOfMemoryException@@YAXXZ, ?__abi_WinRTraiseWrongThreadException@@YAXXZ, ?__abi_WinRTraiseOutOfBoundsException@@YAXXZ, ?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z, ?InitializeData@Details@Platform@@YAJH@Z, ?__abi_WinRTraiseChangedStateException@@YAXXZ, ?UninitializeData@Details@Platform@@YAXH@Z, ??0NotImplementedException@Platform@@QE$AAA@XZ, ?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z, ?__abi_WinRTraiseNullReferenceException@@YAXXZ
VCRUNTIME140_1_APP.dll	__CxxFrameHandler4
VCRUNTIME140_APP.dll	__std_exception_destroy, wcsrchr, __std_terminate, __std_exception_copy, memset, __std_type_info_name, memmove, memcpy, memcmp, _CxxThrowException, __C_specific_handler
MSVCP140_APP.dll	?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?uncaught_exception@std@@YA_NXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, _Mtx_unlock, _Mtx_lock, ?_Throw_C_error@std@@YAXH@Z, _Mtx_destroy_in_situ, _Mtx_init_in_situ, ?_Xbad_alloc@std@@YAXXZ, ?_Xlength_error@std@@YAXPEBD@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ?_Xinvalid_argument@std@@YAXPEBD@Z
api-ms-win-crt-heap-l1-1-0.dll	malloc, free, _set_new_mode
api-ms-win-crt-runtime-l1-1-0.dll	_register_onexit_function, _initialize_onexit_table, _crt_atexit, _invalid_parameter_noinfo_noreturn, _c_exit, _cexit, _exit, exit, _initterm_e, _initterm, _register_thread_local_exe_atexit_callback, _get_narrow_winmain_command_line, _seh_filter_exe, _set_app_type, _errno, _configure_narrow_argv, _initialize_narrow_environment
api-ms-win-crt-convert-l1-1-0.dll	wcstoull
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, __p__commode
api-ms-win-crt-string-l1-1-0.dll	_wcsicmp, wcslen
api-ms-win-crt-math-l1-1-0.dll	pow, __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-core-util-l1-1-0.dll	DecodePointer
api-ms-win-core-synch-l1-1-0.dll	ReleaseSRWLockExclusive, AcquireSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared
api-ms-win-core-synch-l1-2-0.dll	SleepConditionVariableSRW, WakeAllConditionVariable, InitOnceExecuteOnce
api-ms-win-core-interlocked-l1-1-0.dll	InitializeSListHead
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-processthreads-l1-1-0.dll	GetCurrentProcessId, GetCurrentThreadId
api-ms-win-core-sysinfo-l1-1-0.dll	GetSystemTimeAsFileTime, GetSystemDirectoryW
api-ms-win-core-delayload-l1-1-1.dll	ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll	DelayLoadFailureHook
api-ms-win-core-string-l1-1-0.dll	CompareStringOrdinal
api-ms-win-core-path-l1-1-0.dll	PathCchAppend
api-ms-win-core-file-l1-1-0.dll	GetFileAttributesW
api-ms-win-core-debug-l1-1-0.dll	IsDebuggerPresent

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2023 18:25:03.166095972 CET	80	49705	192.229.221.95	192.168.2.3
Mar 13, 2023 18:25:03.166589975 CET	49705	80	192.168.2.3	192.229.221.95
Mar 13, 2023 18:25:10.728245974 CET	80	49726	192.229.221.95	192.168.2.3
Mar 13, 2023 18:25:10.728452921 CET	49726	80	192.168.2.3	192.229.221.95
Mar 13, 2023 18:25:10.866867065 CET	80	49720	192.229.221.95	192.168.2.3
Mar 13, 2023 18:25:10.867108107 CET	49720	80	192.168.2.3	192.229.221.95
Mar 13, 2023 18:25:59.211106062 CET	49723	443	192.168.2.3	52.109.77.2
Mar 13, 2023 18:25:59.211260080 CET	49726	80	192.168.2.3	192.229.221.95
Mar 13, 2023 18:25:59.211409092 CET	49721	443	192.168.2.3	52.109.88.191
Mar 13, 2023 18:25:59.229779959 CET	80	49726	192.229.221.95	192.168.2.3
Mar 13, 2023 18:25:59.229902029 CET	49726	80	192.168.2.3	192.229.221.95
Mar 13, 2023 18:25:59.237590075 CET	443	49721	52.109.88.191	192.168.2.3
Mar 13, 2023 18:25:59.237728119 CET	49721	443	192.168.2.3	52.109.88.191
Mar 13, 2023 18:25:59.260236979 CET	443	49723	52.109.77.2	192.168.2.3
Mar 13, 2023 18:25:59.260329962 CET	49723	443	192.168.2.3	52.109.77.2
Mar 13, 2023 18:26:04.601828098 CET	80	49705	192.229.221.95	192.168.2.3
Mar 13, 2023 18:26:04.602082968 CET	49705	80	192.168.2.3	192.229.221.95
Mar 13, 2023 18:26:05.148600101 CET	49720	80	192.168.2.3	192.229.221.95
Mar 13, 2023 18:26:05.167128086 CET	80	49720	192.229.221.95	192.168.2.3
Mar 13, 2023 18:26:05.167254925 CET	49720	80	192.168.2.3	192.229.221.95

Chrome Debug Log

Statistics

Click to jump to process

Memory Usage

• OUTLOOK.EXE
• HxAccounts.exe

Click to jump to process

Behavior

• OUTLOOK.EXE
• HxAccounts.exe

Click to jump to process

System Behavior

Analysis Process: OUTLOOK.EXEPID: 1108, Parent PID: -1

Function Logs

General

Target ID:	0
Start time:	18:24:24
Start date:	13/03/2023
Path:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail
Imagebase:	0x7ff7a0940000
File size:	41778000 bytes
MD5 hash:	CA3FDE8329DE07C95897DB0D828545CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Key Value Created

Key Value Modified

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Message Posted to Windows UI

Show Windows behavior

Chronological Activities

Analysis Process: HxAccounts.exePID: 6644, Parent PID: 3840

Function Logs

General

Target ID:	1
Start time:	18:24:26
Start date:	13/03/2023
Path:	C:\Users\user\Desktop\HxAccounts.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\HxAccounts.exe
Imagebase:	0x7ff6a04f0000
File size:	220160 bytes
MD5 hash:	D3CC99259AF987F5AE6895859DF0FBC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HxAccounts.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_13929_20386-20230313T1824080677-1108.etl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

TCP Packets

Chrome Debug Log

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: OUTLOOK.EXEPID: 1108, Parent PID: -1

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Windows Analysis Report
HxAccounts.exe