Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RE_ NCSA for Stoncor Middle East Trading.eml

Overview

General Information

Sample name:RE_ NCSA for Stoncor Middle East Trading.eml
Analysis ID:1504859
MD5:a83b2b420716fcac565dd41061eff1aa
SHA1:3cc73dfcf3622c1960b6c10de33a04409637ffc3
SHA256:9bcbd71dc30132f915f01700bfd7e3ac6f98e926e0d93efc3904b047be1ffb18
Infos:

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 7144 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\RE_ NCSA for Stoncor Middle East Trading.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 512 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BF4E55BD-D7C9-494D-AFCD-03576F9FB608" "FE5FDB2E-DBCA-4806-996B-6932E75CAB93" "7144" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • Acrobat.exe (PID: 2736 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FLKRI7V1\NCSOC-GPG-Kleoptra-snt2.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 2972 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 656 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2276 --field-trial-handle=1564,i,16594438828922420294,520252352787094824,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7144, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Joe Sandbox ViewIP Address: 104.118.8.172 104.118.8.172
Source: global trafficHTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknownTCP traffic detected without corresponding DNS query: 104.118.8.172
Source: global trafficHTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A0.6.drString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 77EC63BDA74BD0D0E0426DC8F80085060.6.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.aadrm.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.aadrm.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.cortana.ai
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.microsoftstream.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.office.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.onedrive.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://api.scheduler.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://app.powerbi.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://augloop.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://augloop.office.com/v2
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://canary.designerapp.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cdn.entity.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://clients.config.office.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://clients.config.office.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://config.edge.skype.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cortana.ai
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cortana.ai/api
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://cr.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://d.docs.live.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://designerapp.azurewebsites.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://dev.cortana.ai
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://devnull.onenote.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://directory.services.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://ecs.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://edge.skype.com/registrar/prod
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://edge.skype.com/rps
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://enrichment.osi.office.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 8E276809-F546-41BA-A0D2-86F879