Edit tour
Windows
Analysis Report
(No subject) (61).eml
Overview
General Information
Detection
HTMLPhisher
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected BlockedWebSite
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Stores files to the Windows start menu directory
Classification
- System is w10x64_ra
- OUTLOOK.EXE (PID: 6912 cmdline:
"C:\Progra m Files (x 86)\Micros oft Office \Root\Offi ce16\OUTLO OK.EXE" /e ml "C:\Use rs\user\De sktop\(No subject) ( 61).eml" MD5: 91A5292942864110ED734005B7E005C0) - ai.exe (PID: 4060 cmdline:
"C:\Progra m Files (x 86)\Micros oft Office \root\vfs\ ProgramFil esCommonX6 4\Microsof t Shared\O ffice16\ai .exe" "415 CD50A-3286 -4708-9E21 -1ACF4964A B02" "ED24 CD48-F495- 4908-A499- 5C520B0A7F 1B" "6912" "C:\Progr am Files ( x86)\Micro soft Offic e\Root\Off ice16\OUTL OOK.EXE" " WordCombin edFloatieL reOnline.o nnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD) - chrome.exe (PID: 6484 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t https:// gcc02.safe links.prot ection.out look.com/? url=https% 3A%2F%2Fem p.eduyield .com%2Fel% 3Faid%3D2w u0dda0e6c- 1865-11ef- 80aa-0217a 07992df%26 rid%3D3376 6156%26pid %3D771868% 26cid%3D49 7%26dest%3 Dgoogle.co m.%2F%2F%2 F%2Famp%2F s%2Fbioeso lutions.co m%2Fdayo2% 2Fuinkt%2F Y21vbGluYU BzYW50YWNs YXJhY2EuZ2 92%24%25C3 %25A3%25E2 %2582%25AC %25E2%2580 %259A&data =05%7C02%7 Ccmolina%4 0santaclar aca.gov%7C c439d18c22 1146681bbb 08dcc3aa8f d7%7C28ea3 54810694e8 1aa0b6e4b3 271a5cb%7C 0%7C0%7C63 8600385360 362045%7CU nknown%7CT WFpbGZsb3d 8eyJWIjoiM C4wLjAwMDA iLCJQIjoiV 2luMzIiLCJ BTiI6Ik1ha WwiLCJXVCI 6Mn0%3D%7C 40000%7C%7 C%7C&sdata =5B3d9674B %2BWxyo45c g9topT2ESf mQUifAcHQ8 hIzpHw%3D& reserved=0 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA) - chrome.exe (PID: 816 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2088 --fi eld-trial- handle=197 2,i,339650 3775361026 336,990261 6994921859 969,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA) - Acrobat.exe (PID: 4452 cmdline:
"C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\Acrobat .exe" "C:\ Users\user \AppData\L ocal\Micro soft\Windo ws\INetCac he\Content .Outlook\F PE3LZSO\hb gnj.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C) - AcroCEF.exe (PID: 5004 cmdline:
"C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\acrocef _1\AcroCEF .exe" --ba ckgroundco lor=167772 15 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE) - AcroCEF.exe (PID: 7264 cmdline:
"C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\acrocef _1\AcroCEF .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --log-seve rity=disab le --user- agent-prod uct="Reade rServices/ 23.6.20320 Chrome/10 5.0.0.0" - -lang=en-U S --log-fi le="C:\Pro gram Files \Adobe\Acr obat DC\Ac robat\acro cef_1\debu g.log" --m ojo-platfo rm-channel -handle=23 52 --field -trial-han dle=1556,i ,132343934 4063117762 7,15431578 7828929926 12,131072 --disable- features=B ackForward Cache,Calc ulateNativ eWinOcclus ion,WinUse BrowserSpe llChecker /prefetch: 8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- HxOutlook.exe (PID: 7644 cmdline:
"C:\Progra m Files\Wi ndowsApps\ microsoft. windowscom munication sapps_1600 5.11629.20 316.0_x64_ _8wekyb3d8 bbwe\HxOut look.exe" -ServerNam e:microsof t.windowsl ive.mail.A ppXfbjsbkx vprcgqg6q4 c9jfr0pn3k v9x5s.mca MD5: 6F8EAC2C377C8F16D91CB5AC8B8DBF5F)
- HxAccounts.exe (PID: 1840 cmdline:
"C:\Progra m Files\Wi ndowsApps\ microsoft. windowscom munication sapps_1600 5.11629.20 316.0_x64_ _8wekyb3d8 bbwe\HxAcc ounts.exe" -ServerNa me:microso ft.windows live.manag eaccounts. AppXdbf3yp 5apt3t7q87 7db3gnz5zq pf71zj.mca MD5: 6FEB00C9A2C3FF66230658B3012BAB6A)
- Acrobat.exe (PID: 4224 cmdline:
"C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\Acrobat .exe" /b / id 2972_11 68870213 / if pdfshel l_prev0024 7cc8-fc9c- 469d-a24b- 5c21c15243 a2 /CR MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_BlockedWebSite | Yara detected BlockedWebSite | Joe Security |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: frack113: |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
Phishing |
---|
Source: | File source: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |