Windows
Analysis Report
nested-FW%3A payment.eml
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- OUTLOOK.EXE (PID: 3284 cmdline: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-FW%3A payment.eml" MD5: 4EB384BD3A1D26B94A44327818685F54)
- cleanup
Source: | Author: X__Junior (Nextron Systems): |
Source: | Author: frack113, Nasreddine Bencherchali: |
Source: | Author: frack113: |
There are no malicious signatures.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Clipboard Data | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 1 Remote System Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
config.messenger.msn.com | unknown | unknown | false | unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1524544 |
Start date and time: | 2024-10-03 00:01:19 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 58s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | nested-FW%3A payment.eml |
Detection: | CLEAN |
Classification: | clean1.winEML@1/11@1/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
- Excluded IPs from analysis (whitelisted): 64.4.26.155
- Excluded domains from analysis (whitelisted): config.messenger.msnmessenger.msn.com.akadns.net
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetValueKey calls found.
- VT rate limit hit for: nested-FW%3A payment.eml
Process: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 239628 |
Entropy (8bit): | 4.258523748139207 |
Encrypted: | false |
SSDEEP: | 1536:wYLSgsdHmiOgs5NcAz79ysQqt2XqoQyrcm0Fvfyp3xe6yAc39uEuL:zSg9iOg+miGu2XqoQyrt0Fvqphe6L+a |
MD5: | CE1E2BF84590B058CB239E5FC28EE42E |
SHA1: | E66677F634CA524E3CE8963A7D84EDFEA890C34E |
SHA-256: | 355843696F3CB150CB830492B1BB6953878D6AC4AE70BA06603D5D64DA1102C0 |
SHA-512: | 7E426C6B67E9BA93ADC02F6D0D7D11A3533CFDB68FF106DB46DDCE46826A40D799B8E2C7FCBC45FF8CCD5D6461D1081B14CB56163235988F694FD1BAFF2294C6 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_C164271868E29D47BDEA29AB4D73CA8B.dat
Process: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 588 |
Entropy (8bit): | 5.283783007941164 |
Encrypted: | false |
SSDEEP: | 12:TMG8ORCxXmHKAlN3AoQME5LAGtWuY4A2eqiAoQME5XAoQME5mAlNcdqzASAAc+Sc:3PQRmHKAlN3AT5AG9Y4A1ATxATIAlN02 |
MD5: | E059A0413C05A7539F3C7946435AE633 |
SHA1: | 215A7015B625729123FB9DFF3A91BF72BCCB88F7 |
SHA-256: | 84F1A732EFEFB64300D3D715FC6CB8C5D9C357CFDD15CB6C27FB772128202537 |
SHA-512: | 96463DD76A367EB7247B7D76A66D6E8F4A157F2EE58AA7AF90D5185BDCCBA50E126ADFAB9CB13F8A0D4D8EC90FF107ACB6209D9CFE283A98998C2C0E98501A58 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_250D2E3C8794BC4E95FB6A4333D8D9DC.dat
Process: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 261 |
Entropy (8bit): | 5.153532784897173 |
Encrypted: | false |
SSDEEP: | 6:TMV08OLWYR9OeAivsNR89LREGQPjprARcHZfdMARac+gKsjv06m:TMG8ORCxXCpiGQPj9A6xiAAc+Sj86m |
MD5: | 9582984B137701598BAC91FFB5B86FED |
SHA1: | 16373CF4B0BDEE47D85BA39981B9A9499E59D34E |
SHA-256: | 9F5BE8ABA6283365BA05FAF08B54A7196E64B2146986D00BAED2FBDA8CF6482B |
SHA-512: | 3EE86CA79F4BE623D2554A5232C8D5D5631D42540AB3FF55F59F3B3E62D6AF7955254C7B81676FBFA9C121F491198E496587F02E576A6F9E8EF54EED870D7083 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_614BC982876BD14E82F4092077D7C625.dat
Process: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 267 |
Entropy (8bit): | 5.160869873037959 |
Encrypted: | false |
SSDEEP: | 6:TMV08OLWYR9OeAivsNRRM2fOgLs4ARUQMdMhUvARac+gKsjv06m:TMG8ORCxXW4AOQM5AAc+Sj86m |
MD5: | 57F30B1BCA811C2FCB81F4C13F6A927B |
SHA1: | FE5ADC0968CF5727AE2D77FD57F39E552319C8E8 |
SHA-256: | 612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3 |
SHA-512: | B195EF2F93C34581B867BF6598133A0A5A4101EAED64FAE1FBCE34BF3067C0D313CD700E36F82C84E37522E3D43E179671A8D602E8452441BB35DAEA833D5036 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_DE059256C55A1A4A853D9F1B8B61224D.dat
Process: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 204 |
Entropy (8bit): | 5.146779630782915 |
Encrypted: | false |
SSDEEP: | 6:TMV08OLWYR9OeAivsNRKQKSBCKoUprARac+gKsjv06m:TMG8ORCxXoQrBCOAAc+Sj86m |
MD5: | F194B1FA12F9B6F46A47391FAE8BEEC2 |
SHA1: | A98AA68D6755CEF50B9AAF0B8ACFF6266BC49493 |
SHA-256: | FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74 |
SHA-512: | 8368579F03759BCE44313D33B5E877343D282C3F9938BE49343C46A529C6DF464DB0EA462753DD542DF760EF2F943A29562FDCE42C5AB5D411BD0A8CF85DA488 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\901EE597.dat
Process: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 7186 |
Entropy (8bit): | 7.654441639555211 |
Encrypted: | false |
SSDEEP: | 192:v44AgZEknqHVHEDXvlWWW0oqiXHJWWontkZm:vzAhVHEbvlWWW0oqiXHJWWktkZm |
MD5: | B7A10E3C1A0B57A0F176148B01C85C2E |
SHA1: | 1C0DC3E517845089B7017CC2CBF2AB3F5C666071 |
SHA-256: | C87B50239968BD8BCBA1DC27F042496A9A585C04E3EA01315871E88EF0A4E152 |
SHA-512: | 89C92167E13C0787E1814B0968F3E89C3C9F978BA8C7314B896457E06A8AF4F99DFB35E61A7A7268C99B9DD6F2FB8F99AE18AB424F88D610A78F8176F483BE97 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0C98E726-7671-4943-B9C9-067EE3A43554}.tmp
Process: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 2.5424596564286817 |
Encrypted: | false |
SSDEEP: | 12:DLqBmQElpyklvW1TK0sO0BZ6aiSARf2mNw0fkQK1bN2vUnvYjlvYC:DLqBtMpy+OKD/cfu0fzKhNWugjlgC |
MD5: | 3E9402A4E29ADF43011C5F3FF8DB7868 |
SHA1: | FE875EFB109C5CDDD2BE31FBB71DEB3502FEAE97 |
SHA-256: | 6C28376E621A068809FB9C978D2084633D74098C3B94D555B8BA3A61C354244C |
SHA-512: | 8E4A917FBD617455573903336A5E3A9E1BA10DC39F850491CC4E881C40B811A41B41EB33E8BA659C240AEDFAF6A87B19C97735E2DD27FC7CE58F60CE8C89FE73 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4754ED9B-5C17-43EF-BD57-96744A09B729}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png
Process: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 605 |
Entropy (8bit): | 7.435048064793928 |
Encrypted: | false |
SSDEEP: | 12:6v/7uNpsb/ZJZP6pZVS2vW77X3wq2A5QLciaL9OykYdHMXWO5e5dzJZgR2:nTKPqS2vuX/MvmEyXWF0RQs |
MD5: | 4C61C12EDBC453D7AE184976E95258E1 |
SHA1: | 87C1B3E9B6A11579F89CF92C0DB811E22840A3C2 |
SHA-256: | 296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F |
SHA-512: | 2258C757257C79F211535114806CEEADDBE13834F443D9FFBADBA049480CFAED6498C7F5557444759DCBB9CACCEB69BDBC05B5A544854087888086AF91E7F1AE |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.6697141597486581 |
Encrypted: | false |
SSDEEP: | 12:rl3baFaVqLKeTy2MyheC8T23BMyhe+S7wzQD19zNMyhe+S7xMyheCn90m:romnq1Pk961F |
MD5: | 7CCEAB209E6B24B8965F7AA5DD8D54FD |
SHA1: | DFE92CD93ED9E105D6341DD6B4D199B6760BEEBA |
SHA-256: | 3508389D54C37E2D65F09E7D8BC20D04B696DADED43DDC3E97B12623721DA3E8 |
SHA-512: | 1AFB12CBA058DEBEE37340C6DA1D446872337C85C1D1B638FF23AA0AF578C97D556684C2724F329ADE92629551BD71B9674F198CB5CF52B5A608D0376DF626DD |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 271360 |
Entropy (8bit): | 1.3413966937936947 |
Encrypted: | false |
SSDEEP: | 768:CpGjJYisqeSYgRHH9cbXV5c6FlR6Qhzlu9pGBF6F7:dJ58SYeHHenc6FX6qoCAF |
MD5: | 9184F736B257CE0B0BFF808054CF3C12 |
SHA1: | AA0A2F0C5A00B5C29FAC5EC28CF1AABC9A271D76 |
SHA-256: | 98A38299425E5CC6A25ADD3B814841A14540B508409FC1999A668C405A6C0025 |
SHA-512: | E38585026D9A4A011CD26FAC109B700507D931476CFADEA772C9CF24BCC12878079E6AA8ABE37A18CBA6FA6EA12A62E4C62264CFEFCEFE766297DA350E8640ED |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | FCD6BCB56C1689FCEF28B57C22475BAD |
SHA1: | 1ADC95BEBE9EEA8C112D40CD04AB7A8D75C4F961 |
SHA-256: | DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31 |
SHA-512: | 73E4153936DAB198397B74EE9EFC26093DDA721EAAB2F8D92786891153B45B04265A161B169C988EDB0DB2C53124607B6EAAA816559C5CE54F3DBC9FA6A7A4B2 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.6728122325946595 |
TrID: | |
File name: | nested-FW%3A payment.eml |
File size: | 57'956 bytes |
MD5: | 5f8f0b0e9907ebba6720c25b2382904c |
SHA1: | 84d0ffd0e4274ef1dd297c62e51b7f76bfcfeaa2 |
SHA256: | b7f88f3aa4c7254cb9137193967ca07d2ba4cc99c7e44c91ec21ed5eea70ed31 |
SHA512: | 1e1962c67055480e22420057e137058604b9d08ae2aaca1362eb4b460574bbbda1d11094354eeafe0ffc1452934cefcd4d1500d8f86f6c5b589c762cda34cf8e |
SSDEEP: | 768:l88HV5L5ttFtAYcBMrCeSWNecFIreilVq1:+2tNcBMrCeSWNecFu6 |
TLSH: | 7143BF8CE9108D8B33B3A2F9623454F41B77967CC0090497F0EAF26D7D86C66E6D2267 |
File Content Preview: | Subject: FW: payment..Thread-Topic: payment..Thread-Index: AdsU+/51qcjypk/uSIKLdIowLZUbigAAQYxg..Content-Language: en-US..X-MS-Has-Attach: yes..X-MS-TNEF-Correlator: ..X-MS-Exchange-Organization-RecordReviewCfmType: 0..Content-Type: multipart/related;...t |
Subject: | FW: payment |
From: | |
To: | |
Cc: | |
BCC: | |
Date: | |
Communications: | |
Attachments: | |
Key | Value |
---|---|
Subject | FW: payment |
Thread-Topic | payment |
Thread-Index | AdsU+/51qcjypk/uSIKLdIowLZUbigAAQYxg |
Content-Language | en-US |
X-MS-Has-Attach | yes |
X-MS-TNEF-Correlator | |
X-MS-Exchange-Organization-RecordReviewCfmType | 0 |
Content-Type | multipart/related; type="multipart/alternative"; boundary="_004_8067807165766670777970657977696673766674677780787368756_" |
MIME-Version | 1.0 |
Icon Hash: | 72cf97d7cfab80d5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 3, 2024 00:02:20.248277903 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 3, 2024 00:02:20.248277903 CEST | 192.168.2.22 | 8.8.8.8 | 0xfda3 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 3, 2024 00:02:20.267719030 CEST | 8.8.8.8 | 192.168.2.22 | 0xfda3 | No error (0) | | config.messenger.msnmessenger.msn.com.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 18:02:12 |
Start date: | 02/10/2024 |
Path: | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fab0000 |
File size: | 24'496'480 bytes |
MD5 hash: | 4EB384BD3A1D26B94A44327818685F54 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |