Edit tour

Windows Analysis Report
phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Sample name:	phish_alert_sp2_2.0.0.0.eml
Analysis ID:	1438438
MD5:	ffdd9a9e3a0cbfa99ba79d23b526cf54
SHA1:	279a4686e1fbbb7e2572a4c42c68314db10d3d48
SHA256:	0864c9f802e9208ab5e494d6358ce99123b585eea300eda2078744dfe56e6e09
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores files to the Windows start menu directory

Stores large binary data to the registry

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 3572 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 1864 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "915E857C-AE5E-4ED8-A591-A057A1D5BC0F" "1EBA292B-A959-459E-8BAB-06B87A452956" "3572" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 6304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://ucasm-ci.org/universite/critical_login_notification.html MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6556 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=1944,i,16332597571952505129,8496844949283767507,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 3572, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 20.190.190.130:443 -> 192.168.2.17:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.190.130:443 -> 192.168.2.17:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.192.208.109:443 -> 192.168.2.17:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.192.208.109:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.21.200:443 -> 192.168.2.17:49733 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50

Source: global traffic	DNS traffic detected: DNS query: ucasm-ci.org
Source: global traffic	DNS traffic detected: DNS query: graficaonline.com.br
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443

Source: unknown	HTTPS traffic detected: 20.190.190.130:443 -> 192.168.2.17:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.190.130:443 -> 192.168.2.17:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.192.208.109:443 -> 192.168.2.17:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.192.208.109:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.21.200:443 -> 192.168.2.17:49733 version: TLS 1.2

Source: classification engine

Classification label: clean2.winEML@18/14@8/189