
Windows Analysis Report
EXTERNAL Olgoonik Development IT User Invitation.msg

Overview

General Information

Sample name:EXTERNAL Olgoonik Development IT User Invitation.msg
Analysis ID:1634187
MD5:e30827daa733de0556103cf51de8df8c
SHA1:59cefa5f4f5b59c9f443e2679e96830f4e7ca3c6
SHA256:3d26bbee0285b3e15e90f1448276b8b6bd85c04afa41279843437c62749e4e51

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected suspicious elements in Email content
IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic

Process Tree

  • System is w10x64
  • OUTLOOK.EXE (PID: 7984, cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\EXTERNAL Olgoonik Development IT User Invitation.msg", MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 5836, cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "FC19985E-C07B-4167-A820-A09C157E4669" "4ABC1EC0-9383-4A24-81A0-C20653D57BC7" "7984" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx", MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma matches

Office Autorun Keys Modification (rule authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split))
  Source: Registry Key set
  EventID: 13, EventType: SetValue
  Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE (ProcessId: 7984)
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
  Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Note: the value was written by OUTLOOK.EXE itself while opening the message and concerns Outlook's own OneNote add-in registration. A .msg file carries no executable code, so this is Outlook's add-in housekeeping, not persistence established by the sample.

Suspicious Office Outbound Connections (rule author: X__Junior (Nextron Systems))
  Source: Network Connection
  EventID: 3, Protocol: tcp, Initiated: true
  Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE (ProcessId: 7984)
  SourceIp: 52.123.128.14, SourcePort: 443, SourceIsIpv6: false
  DestinationIp: 192.168.2.4, DestinationPort: 49730, DestinationIsIpv6: false
  Note: the Suricata record for the same flow (below) shows it as 192.168.2.4:49730 -> 52.123.128.14:443, i.e. the analysis host connecting to TCP/443 on a Microsoft address (see the IP/ASN table). The source and destination fields in this event appear swapped relative to that record; the "outbound connection" is Outlook's ordinary HTTPS traffic, and the Sigma hit should be read with that in mind.
Suricata alerts

Timestamp                         | SID     | Severity | Classtype       | Source IP   | Source Port | Destination IP | Destination Port | Protocol
2025-03-10T19:44:44.849681+0100   | 2028371 | 3        | Unknown Traffic | 192.168.2.4 | 49730       | 52.123.128.14  | 443              | TCP
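The two Sigma hits above are worth replaying, because the second one depends on which end of the connection the event logger called the "destination". The following is an added example written for this page, not Joe Sandbox or Sigma project code: it models the two rules in simplified form (an Office binary writing under an Office Addins key; an Office binary initiating a TCP connection to a port outside an assumed set of expected ports, here 80 and 443) and runs them over two events constructed from the values in the report. The real Sigma rules carry more selectors and filters than this model, and the direction heuristic (a public "source" talking to a private "destination" on an Initiated=true event means the fields were recorded inverted) is this example's assumption.

```python
"""Replay the two Sigma hits from this report against constructed Sysmon-style
events and show how event direction changes the verdict.

Added example; not Joe Sandbox or Sigma project code. The matching logic is a
simplified model of the two rules named in the report; EXPECTED_PORTS and the
direction heuristic are assumptions of this example.
"""
import ipaddress
import re

OFFICE_IMAGES = ("\\outlook.exe", "\\winword.exe", "\\excel.exe", "\\powerpnt.exe")
# Assumption: Office clients are expected to talk HTTP/HTTPS only.
EXPECTED_PORTS = {80, 443}
# Matches ...\Software\Microsoft\Office\<ver>.0\<App>\Addins\ (one of the
# autorun locations the Sigma rule looks at).
OFFICE_ADDIN_KEY = re.compile(r"\\Software\\Microsoft\\Office\\\d+\.0\\\w+\\Addins\\", re.I)

# Constructed events reproducing the two records in the report.
EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1"},
    {"EventID": 3, "Initiated": True, "Protocol": "tcp",
     "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "SourceIp": "52.123.128.14", "SourcePort": 443,
     "DestinationIp": "192.168.2.4", "DestinationPort": 49730},
]


def is_office(image):
    return image.lower().endswith(OFFICE_IMAGES)


def office_autorun_key(ev):
    """Simplified 'Office Autorun Keys Modification': an Office binary sets a
    value under an Office Addins key."""
    return (ev.get("EventID") == 13 and is_office(ev["Image"])
            and bool(OFFICE_ADDIN_KEY.search(ev["TargetObject"])))


def office_outbound(ev):
    """Simplified 'Suspicious Office Outbound Connections': an Office binary
    initiates a connection to a port outside EXPECTED_PORTS."""
    return (ev.get("EventID") == 3 and bool(ev.get("Initiated")) and is_office(ev["Image"])
            and ev["DestinationPort"] not in EXPECTED_PORTS)


def normalise_direction(ev):
    """Return a copy of a network event with source/destination swapped when the
    logged 'source' is public and the 'destination' is the private analysis
    host. For an Initiated=true connection the local end is the source, so that
    layout means the fields were recorded inverted. Other events pass through."""
    if ev.get("EventID") != 3:
        return ev
    src = ipaddress.ip_address(ev["SourceIp"])
    dst = ipaddress.ip_address(ev["DestinationIp"])
    if ev.get("Initiated") and dst.is_private and not src.is_private:
        fixed = dict(ev)
        fixed["SourceIp"], fixed["DestinationIp"] = ev["DestinationIp"], ev["SourceIp"]
        fixed["SourcePort"], fixed["DestinationPort"] = ev["DestinationPort"], ev["SourcePort"]
        return fixed
    return ev


def evaluate(events, fix_direction=False):
    """Return a list of (rule name, event index) hits over the given events."""
    hits = []
    for i, ev in enumerate(events):
        if fix_direction:
            ev = normalise_direction(ev)
        if office_autorun_key(ev):
            hits.append(("Office Autorun Keys Modification", i))
        if office_outbound(ev):
            hits.append(("Suspicious Office Outbound Connections", i))
    return hits


if __name__ == "__main__":
    print("as logged:      ", evaluate(EVENTS))
    print("direction fixed:", evaluate(EVENTS, fix_direction=True))
```

Run as logged, both rules fire, which is what the report shows. With the direction normalised, the network event becomes 192.168.2.4:49730 -> 52.123.128.14:443 (matching the Suricata record) and only the add-in registry rule remains, so the interesting question for a triage analyst is whether the logger's field order can be trusted, not whether Outlook spoke HTTPS.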


Phishing

Source: Email | Joe Sandbox AI: Email contains prominent button: 'accept invitation'
Source: Email | Joe Sandbox AI: Detected potential phishing email: The email claims to be from Olgoonik but uses a generic 'rmmservice.com' domain. The sender address 'noreply@rmmservice.com' doesn't match the claimed organization. The URL structure and redirection through safelinks appears suspicious for a corporate IT system
Source: Email | Classification: Credential Stealer

Networking and other signature results

Source: Joe Sandbox View | IP Address: 52.123.128.14 (s-0005.dual-s-msedge.net, AS8075 Microsoft; see the IP/ASN table below)
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 52.123.128.14:443
  Note: this is a low-severity TLS-fingerprint (JA3) match on Outlook's own HTTPS session to a Microsoft address. The only address contacted during the analysis is 52.123.128.14; the phishing destination olgoonik.rmmservice.com was never visited, so the report contains no observation of the landing page itself.
Source: EXTERNAL Olgoonik Development IT User Invitation.msg | String found in binary or memory: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Folgoonik.rmmservice.com%2F
Source: EXTERNAL Olgoonik Development IT User Invitation.msg | String found in binary or memory: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Folgoonik.rmmservice.com%2F&data=05
Source: EXTERNAL Olgoonik Development IT User Invitation.msg | String found in binary or memory: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Folgoonik.rmmservice.com%2Fauth%2F%
Source: EXTERNAL Olgoonik Development IT User Invitation.msg | String found in binary or memory: https://nam04.safelinks__substg1.0_80120102
  Note: this last "URL" is a string-scan artifact. The URL text ran into the name of an adjacent stream in the .msg compound file (__substg1.0_80120102, a binary-typed MAPI property stream), so it is not a real address; that is why the URL scanners below rate it 'safe' with unknown reputation.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: classification engine | Classification label: mal48.winMSG@3/4@0/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250310T1443090671-7984.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\EXTERNAL Olgoonik Development IT User Invitation.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "FC19985E-C07B-4167-A820-A09C157E4669" "4ABC1EC0-9383-4A24-81A0-C20653D57BC7" "7984" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (58 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

Matched techniques carry the number Joe Sandbox attaches to them in square brackets; unmarked entries are the matrix's default cells with no match for this sample.

Tactic                 | Row 1                                  | Row 2                            | Row 3
Reconnaissance         | Gather Victim Identity Information     | Credentials                      | Email Addresses
Resource Development   | Acquire Infrastructure                 | Domains                          | DNS Server
Initial Access         | Valid Accounts                         | Default Accounts                 | Domain Accounts
Execution              | Windows Management Instrumentation     | Scheduled Task/Job               | At
Persistence            | Browser Extensions [21]                | DLL Side-Loading [1]             | Logon Script (Windows)
Privilege Escalation   | Process Injection [1]                  | DLL Side-Loading [1]             | Logon Script (Windows)
Defense Evasion        | Masquerading [1]                       | Process Injection [1]            | DLL Side-Loading [1]
Credential Access      | OS Credential Dumping                  | LSASS Memory                     | Security Account Manager
Discovery              | Process Discovery [1]                  | System Information Discovery [12]| Query Registry
Lateral Movement       | Remote Services                        | Remote Desktop Protocol          | SMB/Windows Admin Shares
Collection             | Data from Local System                 | Data from Removable Media        | Data from Network Shared Drive
Command and Control    | Encrypted Channel [2]                  | Application Layer Protocol [1]   | Steganography
Exfiltration           | Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth      | Automated Exfiltration
Impact                 | Abuse Accessibility Features           | Network Denial of Service        | Data Encrypted for Impact
Antivirus and URL scans

No Antivirus matches (every scan table other than URLs was empty).

URL scan:

Source                                        | Detection | Scanner         | Label
https://nam04.safelinks__substg1.0_80120102   | 0%        | Avira URL Cloud | safe
Domains

Name                     | IP            | Active | Malicious | Antivirus Detection | Reputation
s-0005.dual-s-msedge.net | 52.123.128.14 | true   | false     |                     | high

URLs

Name | Source | Malicious | Antivirus Detection | Reputation
https://nam04.safelinks__substg1.0_80120102 | EXTERNAL Olgoonik Development IT User Invitation.msg | false | Avira URL Cloud: safe | unknown
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Folgoonik.rmmservice.com%2F | EXTERNAL Olgoonik Development IT User Invitation.msg | false | | high
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Folgoonik.rmmservice.com%2Fauth%2F% | EXTERNAL Olgoonik Development IT User Invitation.msg | false | | high
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Folgoonik.rmmservice.com%2F&data=05 | EXTERNAL Olgoonik Development IT User Invitation.msg | false | | high

Note: the "high" reputation applies to the visible host, nam04.safelinks.protection.outlook.com (the Microsoft Safelinks wrapper). The wrapped destination, olgoonik.rmmservice.com, does not appear as a separate URL in this report and was not rated.
IPs

IP            | Domain                   | Country       | ASN  | ASN Name                      | Malicious
52.123.128.14 | s-0005.dual-s-msedge.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Analysis metadata

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1634187
Start date and time: 2025-03-10 19:41:58 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: EXTERNAL Olgoonik Development IT User Invitation.msg
Detection: MAL
Classification: mal48.winMSG@3/4@0/1
Cookbook Comments:
  • Found application associated with file extension: .msg
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 23.60.203.209, 52.109.32.97, 20.189.173.16
  • Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, onedscolprdwus17.westus.cloudapp.azure.com, mobile.events.data.microsoft.com, dual-s-0005-office.config.skype.com, config.officeapps.live.com, e16604.f.akamaiedge.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, ukw-azsc-config.officeapps.live.com, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
          No simulations
Joe Sandbox View: IP context

Match         | Associated Sample Name / URL                                                        | Detection | Threat Name
52.123.128.14 | phish_alert_iocp_v1.4.48 - 2025-03-10T103931.828.eml                                | malicious | Unknown
              | phish_alert_sp2_2.0.0.0 (1).eml                                                     | malicious | Unknown
              | R.D. Bitzer Co., Inc.xlsm                                                           | malicious | Unknown
              | R.D. Bitzer Co., Inc.xlsm                                                           | malicious | Unknown
              | Fw Invitation for Eligibilitytrackingcalculators to Participate in Asset Growth.msg | malicious | Unknown
              | 221036299-043825-sanlccjavap0004-6531.xls                                           | malicious | Unknown
              | phish_alert_sp2_2.0.0.0.eml                                                         | malicious | HTMLPhisher
              | desaremix.exe                                                                       | malicious | KillMBR
              | desaremix.exe                                                                       | malicious | KillMBR
              | phish_alert_sp2_2.0.0.0.msg                                                         | malicious | unknown

Note: most of the associated samples are e-mails and Office documents. This is consistent with 52.123.128.14 being a Microsoft endpoint (s-0005.dual-s-msedge.net, AS8075) that Office itself contacts when it opens a file, rather than infrastructure shared by these samples; the signature "IP address seen in connection with other malware" should be weighed accordingly.
                              No context
Joe Sandbox View: ASN context

Match                         | Associated Sample Name / URL                                                        | Detection | Threat Name | IP
MICROSOFT-CORP-MSN-AS-BLOCKUS | phish_alert_iocp_v1.4.48 - 2025-03-10T103931.828.eml                                | malicious | Unknown     | 40.79.167.8
                              | phish_alert_sp2_2.0.0.0 (1).eml                                                     | malicious | Unknown     | 52.123.128.14
                              | R.D. Bitzer Co., Inc.xlsm                                                           | malicious | Unknown     | 52.123.128.14
                              | R.D. Bitzer Co., Inc.xlsm                                                           | malicious | Unknown     | 52.123.128.14
                              | Fw Invitation for Eligibilitytrackingcalculators to Participate in Asset Growth.msg | malicious | Unknown     | 104.208.16.95
                              | https://tjjrotk.bishirian.my/                                                       | malicious | HTMLPhisher | 40.114.177.156
                              | Theresa Badham_blmgmxdkjbwlx.html                                                   | malicious | Unknown     | 40.114.177.156
                              | Online Notification.pdf                                                             | malicious | HTMLPhisher | 13.107.42.14
                              | Would you please take a look at this for Miss Robin.msg                             | malicious | Unknown     | 52.123.129.14
                              | R.D. Bitzer Co. Inc.xlsm                                                            | malicious | Unknown     | 52.123.131.14
No context
Dropped files

All four files were written by OUTLOOK.EXE. The two flagged "Malicious: true" are Outlook data-file content (the ~Outlook Data File - NoEmail.pst.tmp created above is of the same type); the flag is Joe Sandbox's label for files carrying the analysed message, not an antivirus detection, and no antivirus matches were reported for any dropped file.

Dropped file 1 of 4
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 94208
Entropy (8bit): 4.444942908396037
Encrypted: false
SSDEEP: 768:cT6jzPwZiFdOzcd7AC4oN9xDQxFxOOZXGke8:xwZH44oN9xDQ5OwXw8
MD5: EE29FCD19BAFA6AD2FB083E8D1D865B0
SHA1: 9D2CC2E4A25C22275E913FEB78D922A2ED9CEB6D
SHA-256: AA1B96ABFE2C8BB221C62D8531DA66538649A8A4CF5CFF14F8569E4D66B36860
SHA-512: 9D733257EADA874B172F825F1A5CE8966D3FDF938E91EC81A5A385D7FDE68A66F5CF64194BB850FBFB9931AFCA3D04FAAB3192E0E4B4AE7586BCD55CA655C22B
Malicious: false
Preview: ............................................................................b...4...0...l.1E...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................g_A...........l.1E...........v.2._.O.U.T.L.O.O.K.:.1.f.3.0.:.6.9.3.9.9.9.9.b.5.1.d.3.4.b.4.f.8.b.8.5.8.4.c.8.0.2.5.7.4.7.b.6...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.3.1.0.T.1.4.4.3.0.9.0.6.7.1.-.7.9.8.4...e.t.l.............P.P.4...0...l.1E...................................................................................................................................................................................................................................................................................................

Dropped file 2 of 4
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 163840
Entropy (8bit): 0.4837621242587964
Encrypted: false
SSDEEP: 384:I4qF6rxIeJE+My4EkvMgvi1DurjZz0XHOo:EF6r6KNMy4fMgK1D2z0XHO
MD5: 50E76959EE3B8779F7D42E1205CCCF36
SHA1: 21405269EE5BDBF83DE800D419DF95B214371E81
SHA-256: 94999D0D1E25B39D2F15B0BEFF0A9BDCD60F2ED129558206B3DA5A6FB0445612
SHA-512: 09E4588FE633CF54C864CD27D924BF5738C624F681697ED23B222A9D60F8C8835E74B49C510D42800162E6B3A328C11AEC873EE41755A943C97991E6F881CBE4
Malicious: false
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Dropped file 3 of 4
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: Microsoft Outlook email folder (>=2003)
Category: dropped
Size (bytes): 271360
Entropy (8bit): 1.317334031949095
Encrypted: false
SSDEEP: 768:pQQc0QKVwte5IuCN44Tlpxe9UPPCYjYGKirBfk8BUTIZ:2Uq8N9UPbdfkeNZ
MD5: BCB1D4B6EA363991B8446D5AA6A66FBC
SHA1: 96EBC478F46A1CCFDEB96A4302A6F1CD5503F04D
SHA-256: 3984ACC4F199A921BBD5C0334DFAB7E73CB709CBDDB82B9723DF7F5C88FFC365
SHA-512: E700F68CE69C159D29EC57BBB67902E996D1204BF073061C802146D6530D5697955E07CB87775D869AB0B9086251B0381166C6E09398FB404C290D0212414882
Malicious: true
Preview: !BDN....SM......\...5...........>.......T................@...........@...@...................................@...........................................................................$.......D......@Q..............:...............=......................................................................................................................................................................................................................................................................................................T........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Dropped file 4 of 4
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 131072
Entropy (8bit): 0.997260037751576
Encrypted: false
SSDEEP: 192:hbcS7oOJMUDepVfrzTJsHFQLmk+4m2CyLBSi1eg47Iui1R4346bIz:hIS7XJRDefjqHF3B4x0isg47s1RSb
MD5: 399891714F6F3F5BEE0711814A8E9324
SHA1: 284979300F7DF4EE635D960AEC5998045F6A5E9F
SHA-256: 2505C550CDFF103728C834FFF03693327F085D50E859619E12D3033B45C761A2
SHA-512: D86E48B5B7E13E0F6809DB754748AA647B1ACD9426A56AB5C661C29C42B97B0BA2903D9CDDB98AC96AEC50F1E8BFF54D4602FE47AC258A68D4CD342C7EB200A1
Malicious: true
Preview: .p.yC...S.......0......B.....................#.!BDN....SM......\...5...........>.......T................@...........@...@...................................@...........................................................................$.......D......@Q..............:...............=......................................................................................................................................................................................................................................................................................................T.......B........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
                              File type: CDFV2 Microsoft Outlook Message
                              Entropy (8bit): 3.879834195784517
                              TrID:
                              • Outlook Message (71009/1) 58.92%
                              • Outlook Form Template (41509/1) 34.44%
                              • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
                              File name: EXTERNAL Olgoonik Development IT User Invitation.msg
                              File size: 99'840 bytes
                              MD5: e30827daa733de0556103cf51de8df8c
                              SHA1: 59cefa5f4f5b59c9f443e2679e96830f4e7ca3c6
                              SHA256: 3d26bbee0285b3e15e90f1448276b8b6bd85c04afa41279843437c62749e4e51
                              SHA512: 3483fc4381fa843301eacaec6b178b023925c5bc075bf7f4b9296c160e07a942d166544dd13fe848cfa9459fd21fe847d8eb250a8b99bd1c4a87363babb53d8f
                              SSDEEP: 3072:b1ImJ8vTdiV+APV1icPmA/1DicZowO/F:7CLdGocb9+cXO
                              TLSH: FFA3F12439EA0216F277DF758AE24097D536FD93AD149A4F2185330E0672A41EC63B3F
                              Subject: [EXTERNAL] Olgoonik Development IT User Invitation
                              From: noreply@rmmservice.com
                              To: Jim G <bjackson1@olgoonik.com>
                              Cc:
                              BCC:
                              Date: Mon, 10 Mar 2025 17:38:04 +0100
                              Communications:
                              • <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Folgoonik.rmmservice.com%2F&data=05%7C02%7Cbjackson1%40olgoonik.com%7C95b45718e3d34397bc3808dd5ff1eeef%7C341c5aad39be47a3901e146d297ecd80%7C0%7C0%7C638772214932331041%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=QHGI3QAbqJAiQRjTIIzjTluPeEdsw5F3R91Q0VUqrBQ%3D&reserved=0> Hi Brian, You have been added as a user of the Olgoonik Development IT portal by Jim G. Please click on the link below to accept the invitation: <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Folgoonik.rmmservice.com%2Fauth%2F%23%2Factivate%2Fuser%2F4PUC99MS3D9R&data=05%7C02%7Cbjackson1%40olgoonik.com%7C95b45718e3d34397bc3808dd5ff1eeef%7C341c5aad39be47a3901e146d297ecd80%7C0%7C0%7C638772214932369648%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=Zpe6%2F%2FIOrd0JdlUPQJ1mlDChnMgj6tXQkQB%2Bs5cXhvU%3D&reserved=0> Accept Invitation If you have any questions or feedback, please get in touch with us at ithelpdesk@olgoonik.com <mailto:ithelpdesk@olgoonik.com> - Olgoonik Development IT Team Copyright 2024, All rights reserved.
                              Attachments:
                                Key Value
                                Received: from MTM3NjgyNA (unknown)
                                16:38:13 +0000
                                by MN2PR08MB6397.namprd08.prod.outlook.com (2603:10b6:208:1aa::10) with
                                2025 16:38:07 +0000
                                (2603:10b6:a02:a8::25) with Microsoft SMTP Server (version=TLS1_3,
                                10 Mar 2025 16:38:05 +0000
                                Authentication-Results: spf=pass (sender IP is 168.245.56.255)
                                Received-SPF: Pass (protection.outlook.com: domain of em7578.rmmservice.com
                                via Frontend Transport; Mon, 10 Mar 2025 16:38:05 +0000
                                DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rmmservice.com;
                                h=content-transfer-encoding:content-type:from:mime-version:subject:to:
                                cc:content-type:from:subject:to;
                                2025-03-10 16:38:04.603484799 +0000 UTC m=+3457566.072497817
                                Mon, 10 Mar 2025 16:38:04.581 +0000 (UTC)
                                Content-Transfer-Encoding: quoted-printable
                                Content-Type: text/html; charset=iso-8859-1
                                Date: Mon, 10 Mar 2025 16:38:04 +0000 (UTC)
                                From: noreply@rmmservice.com
                                Mime-Version: 1.0
                                Message-ID: <HBvhLPiITwWy_bRqHSKAWQ@geopod-ismtpd-0>
                                Subject: [EXTERNAL] Olgoonik Development IT User Invitation
                                X-SG-EID: =?us-ascii?Q?u001=2EwgPQEA+gt=2F9mQv4JaEv+7Ws++1tVtlt5EBKRL28gTw+tYYwnkNAZsV5Rn?=
                                To: Jim G <bjackson1@olgoonik.com>
                                X-Entity-ID: u001.YjFlvIYx04YZ+8KIvBPH9Q==
                                Return-Path: bounces+1376824-b81c-bjackson1=olgoonik.com@em7578.rmmservice.com
                                X-MS-Exchange-Organization-ExpirationStartTime: 10 Mar 2025 16:38:05.6924
                                X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
                                X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
                                X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
                                X-MS-Exchange-Organization-Network-Message-Id: 95b45718-e3d3-4397-bc38-08dd5ff1eeef
                                X-EOPAttributedMessage: 0
                                X-EOPTenantAttributedMessage: 341c5aad-39be-47a3-901e-146d297ecd80:0
                                X-MS-Exchange-Organization-MessageDirectionality: Incoming
                                X-MS-PublicTrafficType: Email
                                X-MS-TrafficTypeDiagnostic: CO1PEPF000044F6:EE_|MN2PR08MB6397:EE_|PH7PR08MB8353:EE_
                                X-MS-Exchange-Organization-AuthSource: CO1PEPF000044F6.namprd21.prod.outlook.com
                                X-MS-Exchange-Organization-AuthAs: Anonymous
                                X-MS-Office365-Filtering-Correlation-Id: 95b45718-e3d3-4397-bc38-08dd5ff1eeef
                                X-MS-Exchange-AtpMessageProperties: SA|SL
                                X-MS-Exchange-Organization-SCL: 1
                                X-Microsoft-Antispam: BCL:2;ARA:13230040|13102899012|12012899012|4073199012|13012899012|4092899012|29132699027|3072899012|5073199012|3092899012|5082899009|2092899012|5062899012|5063199012|6062899009|22003199012|4076899003|8096899003|13003099007;
                                X-Forefront-Antispam-Report: CIP:168.245.56.255;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:o3.ptr5278.ninjarmm.com;PTR:o3.ptr5278.ninjarmm.com;CAT:NONE;SFS:(13230040)(13102899012)(12012899012)(4073199012)(13012899012)(4092899012)(29132699027)(3072899012)(5073199012)(3092899012)(5082899009)(2092899012)(5062899012)(5063199012)(6062899009)(22003199012)(4076899003)(8096899003)(13003099007);DIR:INB;
                                X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Mar 2025 16:38:05.3330
                                X-MS-Exchange-CrossTenant-Network-Message-Id: 95b45718-e3d3-4397-bc38-08dd5ff1eeef
                                X-MS-Exchange-CrossTenant-Id: 341c5aad-39be-47a3-901e-146d297ecd80
                                X-MS-Exchange-CrossTenant-AuthSource: CO1PEPF000044F6.namprd21.prod.outlook.com
                                X-MS-Exchange-CrossTenant-AuthAs: Anonymous
                                X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
                                X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR08MB6397
                                X-MS-Exchange-Transport-EndToEndLatency: 00:00:07.6893569
                                X-MS-Exchange-Processed-By-BccFoldering: 15.20.8511.025
                                X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710117)(4712020)(470014026)(4714040)(4716014)(920097)(930097)(140003)(1420198);
                                X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?sGRaLpUu03/8cxl9RZYBEZmkn9p9dU1oOS3O+A9SwdOYYg5W0cHktB1vANUH?=
                                date: Mon, 10 Mar 2025 17:38:04 +0100

                                Icon Hash: c4e1928eacb280a2

                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                2025-03-10T19:44:44.849681+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 52.123.128.14 | 443 | TCP

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Mar 10, 2025 19:43:44.961765051 CET | 49730 | 443 | 192.168.2.4 | 52.123.128.14
                                Mar 10, 2025 19:43:44.961832047 CET | 443 | 49730 | 52.123.128.14 | 192.168.2.4
                                Mar 10, 2025 19:43:44.962268114 CET | 49730 | 443 | 192.168.2.4 | 52.123.128.14
                                Mar 10, 2025 19:43:44.963260889 CET | 49730 | 443 | 192.168.2.4 | 52.123.128.14
                                Mar 10, 2025 19:43:44.963272095 CET | 443 | 49730 | 52.123.128.14 | 192.168.2.4
                                Mar 10, 2025 19:44:44.849680901 CET | 49730 | 443 | 192.168.2.4 | 52.123.128.14

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Mar 10, 2025 19:43:44.950501919 CET | 1.1.1.1 | 192.168.2.4 | 0x1c7b | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                Mar 10, 2025 19:43:44.950501919 CET | 1.1.1.1 | 192.168.2.4 | 0x1c7b | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
                                Mar 10, 2025 19:43:44.950501919 CET | 1.1.1.1 | 192.168.2.4 | 0x1c7b | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false

                                Target ID: 6
                                Start time: 14:43:05
                                Start date: 10/03/2025
                                Path: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                Wow64 process (32bit): true
                                Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\EXTERNAL Olgoonik Development IT User Invitation.msg"
                                Imagebase: 0xb50000
                                File size: 34'446'744 bytes
                                MD5 hash: 91A5292942864110ED734005B7E005C0
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: low
                                Has exited: false

                                Target ID: 12
                                Start time: 14:43:13
                                Start date: 10/03/2025
                                Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                                Wow64 process (32bit): false
                                Commandline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "FC19985E-C07B-4167-A820-A09C157E4669" "4ABC1EC0-9383-4A24-81A0-C20653D57BC7" "7984" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                                Imagebase: 0x7ff6bb400000
                                File size: 710'048 bytes
                                MD5 hash: EC652BEDD90E089D9406AFED89A8A8BD
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Has exited: false

                                No disassembly