Windows Analysis Report: phish_alert_iocp_v1.3.98.eml
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64
- OUTLOOK.EXE (PID: 6072, cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_iocp_v1.3.98.eml", MD5: 91A5292942864110ED734005B7E005C0)
  - ai.exe (PID: 6196, cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "9F5C92DD-03E5-4AA4-A613-EBF977ACB98B" "86A069B2-EC86-4D1D-AFCF-25EA6C58A635" "6072" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx", MD5: EC652BEDD90E089D9406AFED89A8A8BD)
- cleanup
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
There are no malicious signatures.
Signature hits by category (source details are not included):
- String found in binary or memory: 10
- Classification label: 1
- File created: 2
- Process created: 3
- Section loaded: 9
- Key value queried: 2
- Window found: 1
- Window detected: 1
- Key opened: 1
- Process information set: 64
- File Volume queried: 1
- Process information queried: 1
- Queries volume information: 1
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Virustotal | | Browse |
| | 0% | Virustotal | | Browse |
| | 0% | Virustotal | | Browse |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Virustotal | | Browse |
| | 0% | Virustotal | | Browse |
| | 0% | Virustotal | | Browse |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1500948 |
Start date and time: | 2024-08-29 06:54:28 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 30s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | phish_alert_iocp_v1.3.98.eml |
Detection: | CLEAN |
Classification: | clean1.winEML@3/16@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.113.194.132, 184.28.90.27, 52.109.89.19, 2.19.126.151, 2.19.126.160, 20.189.173.13
- Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, weu-azsc-000.roaming.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, a1864.dscd.akamai.net, ecs.office.com, fs.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, onedscolprdwus12.westus.cloudapp.azure.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, mobile.events.data.trafficmanager.net
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
Input | Output |
---|---|
URL: Email Model: jbxai | { "brand":["NG SCOUT"], "contains_trigger_text":false, "prominent_button_name":"Verify Account", "text_input_field_labels":["Your username is: arroyov"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false} |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 231348 |
Entropy (8bit): | 4.381307099051743 |
Encrypted: | false |
SSDEEP: | 3072:XE8gQRlgemiGu2gqoQOrt0FvoYwy8lk9S:02Jmi29fwy8lkg |
MD5: | 6E9952152C2A200AA2CA03D43C1EC961 |
SHA1: | A0ACE319B264CF8DD63838E715F6709A7AE26BA6 |
SHA-256: | 15AFBE10E0EE88CDFEBE4B3AD2B1E0ECB95CF28D32280597152D786F9468F2CD |
SHA-512: | C642312C0321F02D265423AA3BF7217D1EDB7AFAF76C7C56C3294766C9CEA553209366DC5DF65D4A7B4D465417FBAA24489B94D249879B96704218A8725D8F09 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1869 |
Entropy (8bit): | 5.085763792020755 |
Encrypted: | false |
SSDEEP: | 48:cGUdSyrznzyNdyndycSyrMnzyrAnzyrRdnzycASy6dyhJdyIkSyO:sdbH2NEnEcb42k21d2cAb6ELE3bO |
MD5: | D939EB102C033D3F1BE91B71C5349B2D |
SHA1: | 430E0BB9CF29D7688B6A10BA2AD3EEAD2CCB47B3 |
SHA-256: | 14AE98151F70071083ACE36986D89FE233FE0445F6C9DFDA91C3647F8C84700F |
SHA-512: | 6505440CAC6338B211AF1F988791C6423194E38D84A2B0B480B67741CC5792A3C4CF9E768ECF6728C8CC7CB7539D26F8376A0471DCC747F08D1C61A9CB977470 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 322260 |
Entropy (8bit): | 4.000299760592446 |
Encrypted: | false |
SSDEEP: | 6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl |
MD5: | CC90D669144261B198DEAD45AA266572 |
SHA1: | EF164048A8BC8BD3A015CF63E78BDAC720071305 |
SHA-256: | 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899 |
SHA-512: | 16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 10 |
Entropy (8bit): | 2.9219280948873623 |
Encrypted: | false |
SSDEEP: | 3:LBc47:tn |
MD5: | 6AFFE6E1B5AA1E8CF570770CB9B6B4DC |
SHA1: | 2D9A4F11A8D6DBB0874428152E2160F535B73F14 |
SHA-256: | 92AC651150B9AE473C4CBC7271A9B04DB9A66367512EFD3A0FE2222EE8ED7592 |
SHA-512: | A9C25E96B381FB71552E4BCB100DBB8BF834B2C03F50B4B271563403735B8FE4D04056910716FAEB0E03E7E24558EA4E13656C85B04CCC53207646BACEB45EEB |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4096 |
Entropy (8bit): | 0.09304735440217722 |
Encrypted: | false |
SSDEEP: | 3:lSWFN3l/klslpEl9Xll:l9F8E+9 |
MD5: | D0DE7DB24F7B0C0FE636B34E253F1562 |
SHA1: | 6EF2957FDEDDC3EB84974F136C22E39553287B80 |
SHA-256: | B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED |
SHA-512: | 42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4616 |
Entropy (8bit): | 0.1384465837476566 |
Encrypted: | false |
SSDEEP: | 3:7FEG2l+6x/ul/FllkpMRgSWbNFl/sl+ltlslN04l9Xll6xn:7+/lJmg9bNFlEs1E39S |
MD5: | 4AB07A702132A50FBF7229C96EEA7CCA |
SHA1: | 78BFDDF08CEBEBEE4DFD3748365F24BA299F12BB |
SHA-256: | 7952ED9DCF2520667AE733702523EFC6C7E44AA39A87254FB5EC9BEC979DC1DE |
SHA-512: | E2752F7C47A07F3D87C6B14A87C236C8EB8A9A2CBD434E1BEF2ED29EED987E584680B085D5F212B3FBB4BEB1D66DD79BAF705808315009A4B691B6C2BCFC4206 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 0.0441720588658491 |
Encrypted: | false |
SSDEEP: | 6:G4l2jKSxgbpl2jKSxgbzML9XXPH4l942U:l2bxgbL2bxgbw5A0 |
MD5: | 9CBD9CB7A40AE6080739B0C279F21668 |
SHA1: | 37BDB1FAC555D839A981CEAC18A1334FBF8E0040 |
SHA-256: | D4557CDC60687EAE823536E1F9B294CE45DD241C824A39D3C347F5E1B3BA6AB0 |
SHA-512: | 6F606535B2BCCC0B679C75DE190AA7BE76214ECA3BB75F104960DB2B092C1D4C6578B68C0EE6764097AAC111676B41E7C2EB5212EFD18EECD755FCD7786E0474 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 45352 |
Entropy (8bit): | 0.39383069825463557 |
Encrypted: | false |
SSDEEP: | 48:9RXTQj8YATeUill7DYM8FXCxO8VFDYM8x:8bAToll4RIjVG |
MD5: | BF764CC9E435DFDF51DA6A32BBB306EE |
SHA1: | 8D271C6E85577469E9F02EF6B76BF934B78DDD5C |
SHA-256: | 48F18D7B3BEC7A2334956C1580EB5CB57D074E990361516DD40E1F364251BD29 |
SHA-512: | A81089CE8A1EEC0C6E1087824C8537217E5CB9E1E510918CA588275C3B9257D97252BF760010793DD628FB75E8A97E31CF9BB8A98D1EE2C80D3A4B34EF1DA3DE |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{6DA2DB0C-3281-42E7-961A-8201D8B69FC3}.tmp
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 9596 |
Entropy (8bit): | 3.67784047457538 |
Encrypted: | false |
SSDEEP: | 192:AzYD7CfmiXWWWDqWGl9eFCAkmO6RGCbpmhuulEC6m:AzYS5WWWDqWGusdKNb8uulX |
MD5: | 450F81C9F8D8598F0859068ED849E5ED |
SHA1: | E538E073BE77A35BBC3772F50847742606A77649 |
SHA-256: | B25B7EAB9E9DBFEE459BD10CC9E7FE0C195C79EEA6F1EAE532B1412E3C947FD2 |
SHA-512: | 6D06114E96CBA4F174429323299EB5EDB2792A514C8B56CBF1C18869F78446E0B2985399DE51304320EFA8FECF496FCDFFB011559E4AC04D3670C49858448306 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1724907334612080600_3ED997EE-75D9-40D2-B37B-2A762D776EB5.log
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.16320567721425472 |
Encrypted: | false |
SSDEEP: | 1536:qn14YI8bKJhAxHtwILpT+MQp77leHazzpPhMrO7BFxamJInZbUVUvsjikYn6yJLs:mD7dI7ltpRHQ |
MD5: | 8FD649A9288CA9FFA24F0E948DB690C3 |
SHA1: | D989713D73E3E7C9326907AF7E643C72A41CE31E |
SHA-256: | 3E4D6CF5C8F2CE408838AC304317C528BB2FD134576FADEAE1B260861766C5E6 |
SHA-512: | 6B7AD531A792299BF6E102D94AF4EDB9D089B25FDD8ADFC29F36612C6B79EEF0D1232700CB8E93765132E75D602BE38E92C281770BD52D6ECA2636A06184E06A |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1724907334614078600_3ED997EE-75D9-40D2-B37B-2A762D776EB5.log
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240829T0055340255-6072.etl
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 106496 |
Entropy (8bit): | 4.5098329473950685 |
Encrypted: | false |
SSDEEP: | 768:uwXVYCZb40J6nKxU3I43rU59V68UvAsTXq+MK5WbWpWiWgniik4c:bTT43459V68UIsTX7nM |
MD5: | 16DB4FDA26270F363C324E4C028C3F57 |
SHA1: | 4D0CDC776B7F69A58F48E1C215FE6E97CF96D664 |
SHA-256: | 720B88B09BFEC72A46B183F688C23E2585D0FEFF334A971E29D84840E19A96A3 |
SHA-512: | 2C681EE6B46F0B1990AEEC47F2289F3901708D67B8B156A55C8B398E640EED29A6741F38084A1EEA031F9B0F20CB6E813C3E3D153917CD9022EAEF3F970615B9 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 30 |
Entropy (8bit): | 1.2389205950315936 |
Encrypted: | false |
SSDEEP: | 3:ZAnh/X:+nh/ |
MD5: | DD56BB7410E1E0F240F123EB7586EBA8 |
SHA1: | 7EA393CF6D5274AA8BB7EC7359F816FC7FE2A04E |
SHA-256: | 56070CEE7DE2E5818DA8F5CD77E90969801358593A316C4D210C6DF1410DECED |
SHA-512: | 56A3FD906CE6E87D115386426ACCD886A0AE0330D738DE751A9AD137CD5F3E3FD2FA8104BE186AB48867F0A5CA291D0EA316FED84178B205576C6E2876A091F4 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.6690346980911667 |
Encrypted: | false |
SSDEEP: | 12:rl3baFVfsqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCw3Ym:r+3mnq1Py961I |
MD5: | C417841FD72E932D55B0F8311087C67E |
SHA1: | 375DE41B4328E2E2313B40B4B9BA6D1D914577F9 |
SHA-256: | C54AC55A67EC2A848C46B8807093C29D96E457C8AC4EB25B808F4E2E6C782818 |
SHA-512: | EC6374DD2223722CB5362973C9E36CF2F8EF1E29BC84FCD03E5EF7F9D94BDFADA6E9205DD50BAFEC70CF7929F3D61D78D90BE2F37ABAF80265BB9C57BEE05FFF |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 271360 |
Entropy (8bit): | 2.7969977124615566 |
Encrypted: | false |
SSDEEP: | 1536:RrToqsIZRMWrk9x0ELs2AtZA2kR60rqlNCKlNmncZR08qHw7xW53jEpEHP4qQ10r:ZoqxZRMWyATA2kRfncZRt/p9zpp9 |
MD5: | CF397BC2CE7A49EE4460570E710E43AB |
SHA1: | C2D6B7C20417DF4335E2A72BE722DB66E821C127 |
SHA-256: | 3B22DA7046267AB4A825E3637F00F40C1C9B50F4E391351BBC2A0E0E7FAA188C |
SHA-512: | 1DDB3C6732A2DCD9B3AE4141934E153FE6D862E357C67FDA3C7A24DC60535C8B383F88F5170CAE14351EBCD57C6C815BC67037974FE4200F2D74B10FDFB65E2B |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 3.1923563501438297 |
Encrypted: | false |
SSDEEP: | 1536:uW53jEpEHP4qQ10PAwr1hDO6RSZRgnv9xJlNCKlNNW53jEpEHP4qQ10PAwr3eUTH:cp9zJZRgnvp9uddf |
MD5: | 0E8AB4DE901F23FF9D9F91909CA4FBFE |
SHA1: | B96F3CB764883DE23B2A92F4DF0FF822C0D8355E |
SHA-256: | 4DFC642ABF6D9D0FBEEF16191D8A362B1CFC5E6971DBD1CF42E7AE920D62725D |
SHA-512: | 36C283F155411A281B6060C9AF2FB928AF97A4BC1877D83EA648677B66C3880E958B5DFE8F21210859D277AE7A6CDE58811348B39671070506A45199BF41314A |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.840367419465634 |
TrID: | |
File name: | phish_alert_iocp_v1.3.98.eml |
File size: | 23'356 bytes |
MD5: | f00ee5d6f5b655fea920ca328fdf466a |
SHA1: | 8d39cc56c619724570e784f29fac37656efee314 |
SHA256: | f48951607bf1ade283601002adb9b95bd2f9460c41d59c488221e5f3f1bd54c4 |
SHA512: | ee9a4bdb158f83f1ea7112627fb1de8f210456c5d54ea16a9111675fb7f1e0ac4dd49840c71c2f5479175e6780df87783587c6127eef03ce3c6c665ee7860b9f |
SSDEEP: | 192:8gL3PNZGPuXlA2i/FbAWz54h/ujOKoS8Q7g/fQszRCwbGxvHqFiyk2D6HoC5nGeS:j/auSya4/Sl7kQMxsf1SXI28w3J5V1 |
TLSH: | D7A23C54DB91181A6EB3616EB5027B2BF2A50C9F872348F0FDADA1121F4F8625B51FCC |
File Content Preview: | Received: from DS0PR09MB11083.namprd09.prod.outlook.com.. (2603:10b6:8:177::17) by SA0PR09MB7324.namprd09.prod.outlook.com with.. HTTPS; Wed, 28 Aug 2024 23:51:15 +0000..Received: from BL0PR0901CA0023.namprd09.prod.outlook.com.. (2603:10b6:208:1c0::33) by |
Subject: | New NG SCOUT account created |
From: | NG SCOUT <no-reply@ngscout.org> |
To: | "Arroyo, Van@CalOES" <Van.Arroyo@CalOES.ca.gov> |
Cc: | |
BCC: | |
Date: | Wed, 28 Aug 2024 16:51:11 -0700 |
Communications: | |
Attachments: |
Key | Value |
---|---|
Received | Wed, 28 Aug 2024 16:51:16 -0700 |
authentication-results | spf=pass (sender IP is 23.251.242.6) smtp.mailfrom=us-west-1.amazonses.com; dkim=pass (signature was verified) header.d=amazonses.com;dmarc=none action=none header.from=ngscout.org;compauth=pass reason=101 |
received-spf | Pass (protection.outlook.com: domain of us-west-1.amazonses.com designates 23.251.242.6 as permitted sender) receiver=protection.outlook.com; client-ip=23.251.242.6; helo=e242-6.smtp-out.us-west-1.amazonses.com; pr=C |
dkim-signature | v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=iek43urnex4zqv5t3opageoatkmhcael; d=amazonses.com; t=1724889071; h=Content-Type:From:To:Subject:Message-ID:Content-Transfer-Encoding:Date:MIME-Version:Feedback-ID; bh=ip0njd2aFcz5uAoTyV6oDS1872Udgmk4YhdfsUyKgQo=; b=T67f2Vn/r/hA8DppfLpd1IwPWpbTtZn5fAuIYoaL/7IzKfvvoOjn7mY1shaq9cAB OopDCwRrUJGHJhxOZjdcBe/X7IbE7NNoHJuzX9U4TwGwJkezL6gpnZhTpS0DkY/bC26 YGjfIo4WgyGA3JeiAhrFgyFUiFNQ38w/shJAXn7E= |
Feedback-ID | ::1.us-west-1.zVB+VpWcfh+9ETNzT2ipxh06AzP2QxpVLKqRXXl3T5Q=:AmazonSES |
X-SES-Outgoing | 2024.08.28-23.251.242.6 |
Return-Path | 011101919b667f4b-7456183f-e086-4ef8-9a33-39833f9157e7-000000@us-west-1.amazonses.com |
X-MS-Exchange-Organization-ExpirationStartTime | 28 Aug 2024 23:51:12.4141 (UTC) |
X-MS-Exchange-Organization-ExpirationStartTimeReason | OriginalSubmit |
X-MS-Exchange-Organization-ExpirationInterval | 1:00:00:00.0000000 |
X-MS-Exchange-Organization-ExpirationIntervalReason | OriginalSubmit |
X-MS-Exchange-Organization-Network-Message-Id | 82c7f9c4-5623-4d9d-4a48-08dcc7bc4c17 |
x-eopattributedmessage | 0 |
x-eoptenantattributedmessage | ebf268ae-3036-4714-9f69-c9fd0e9dc6b9:0 |
X-MS-Exchange-Organization-MessageDirectionality | Incoming |
x-ms-publictraffictype | |
x-ms-traffictypediagnostic | DS1PEPF00017E08:EE_|DS0PR09MB11083:EE_|SA0PR09MB7324:EE_ |
x-ms-exchange-organization-authsource | DS1PEPF00017E08.namprd09.prod.outlook.com |
x-ms-exchange-organization-authas | Anonymous |
x-ms-office365-filtering-correlation-id | 82c7f9c4-5623-4d9d-4a48-08dcc7bc4c17 |
x-ms-exchange-atpmessageproperties | SA|SL |
X-MS-Exchange-Organization-SCL | 1 |
x-microsoft-antispam | BCL:0;ARA:13230040|1032899013|32142699015|69100299015; |
x-forefront-antispam-report | CIP:23.251.242.6;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:e242-6.smtp-out.us-west-1.amazonses.com;PTR:e242-6.smtp-out.us-west-1.amazonses.com;CAT:NONE;SFS:(13230040)(1032899013)(32142699015)(69100299015);DIR:INB; |
x-ms-exchange-crosstenant-originalarrivaltime | 28 Aug 2024 23:51:12.1797 (UTC) |
x-ms-exchange-crosstenant-network-message-id | 82c7f9c4-5623-4d9d-4a48-08dcc7bc4c17 |
x-ms-exchange-crosstenant-id | ebf268ae-3036-4714-9f69-c9fd0e9dc6b9 |
x-ms-exchange-crosstenant-authsource | DS1PEPF00017E08.namprd09.prod.outlook.com |
x-ms-exchange-crosstenant-authas | Anonymous |
x-ms-exchange-crosstenant-fromentityheader | Internet |
x-ms-exchange-transport-crosstenantheadersstamped | DS0PR09MB11083 |
x-ms-exchange-transport-endtoendlatency | 00:00:03.5966869 |
x-ms-exchange-processed-by-bccfoldering | 15.20.7897.027 |
X-Microsoft-Antispam-Mailbox-Delivery | ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198); |
X-Microsoft-Antispam-Message-Info | |
x-ms-exchange-organization-originalclientipaddress | 23.251.242.6 |
x-ms-exchange-organization-originalserveripaddress | 10.167.18.165 |
X-Priority | 3 |
X-MSMail-Priority | Normal |
Thread-Index | AQHa+aUrkeltNqnFoUSNIEA6XEkEAQ== |
Message-ID | <011101919b667f4b-7456183f-e086-4ef8-9a33-39833f9157e7-000000@us-west-1.amazonses.com> |
From | NG SCOUT <no-reply@ngscout.org> |
To | "Arroyo, Van@CalOES" <Van.Arroyo@CalOES.ca.gov> |
Subject | New NG SCOUT account created |
Date | Wed, 28 Aug 2024 16:51:11 -0700 |
MIME-Version | 1.0 |
Content-type | Multipart/alternative; charset="iso-8859-1"; boundary="00B0FEED_message_boundary" |
Content-Description | Multipart message |
Icon Hash: | 46070c0a8e0c67d6 |
Target ID: | 0 |
Start time: | 00:55:30 |
Start date: | 29/08/2024 |
Path: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf90000 |
File size: | 34'446'744 bytes |
MD5 hash: | 91A5292942864110ED734005B7E005C0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 2 |
Start time: | 00:55:35 |
Start date: | 29/08/2024 |
Path: | C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff69cd20000 |
File size: | 710'048 bytes |
MD5 hash: | EC652BEDD90E089D9406AFED89A8A8BD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |