Windows Analysis Report
nested-FW%3A payment.eml

Overview

General Information

Sample name: nested-FW%3A payment.eml
Analysis ID: 1524544
MD5: 5f8f0b0e9907ebba6720c25b2382904c
SHA1: 84d0ffd0e4274ef1dd297c62e51b7f76bfcfeaa2
SHA256: b7f88f3aa4c7254cb9137193967ca07d2ba4cc99c7e44c91ec21ed5eea70ed31
Infos:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Creates a window with clipboard capturing capabilities
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Use Short Name Path in Command Line

Classification

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0C98E726-7671-4943-B9C9-067EE3A43554}.tmp Jump to behavior
Source: global traffic DNS traffic detected: DNS query: config.messenger.msn.com
Source: nested-FW%3A payment.eml String found in binary or memory: https://srfed-my.sharepoint.com/:f:/p/paul_scace/EtC5e2XquN9Fp0K3Sw7IAUsB1=
Source: ~WRS{0C98E726-7671-4943-B9C9-067EE3A43554}.tmp.0.dr String found in binary or memory: https://srfed-my.sharepoint.com/:f:/p/paul_scace/EtC5e2XquN9Fp0K3Sw7IAUsB1jH11BqdCOET9BKLSlV1Tw?e=jP
Creates a window with clipboard capturing capabilities
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: classification engine Classification label: clean1.winEML@1/11@1/0
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE File created: C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE File created: C:\Users\user\AppData\Local\Temp\CVR8610.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Window detected: Number of UI elements: 15
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1524544 Sample: nested-FW%3A payment.eml Startdate: 03/10/2024 Architecture: WINDOWS Score: 1 4 OUTLOOK.EXE 512 33 2->4         started        dnsIp3 7 config.messenger.msn.com 4->7
No contacted IP infos

Contacted Domains

Name IP Active
config.messenger.msn.com unknown unknown