Edit tour

Windows Analysis Report
20250304_150220_TA6NsGnFKBQP6WuMJfIAtA3XK3ok9HgQ.eml

Overview

General Information

Sample name:	20250304_150220_TA6NsGnFKBQP6WuMJfIAtA3XK3ok9HgQ.eml
Analysis ID:	1635328
MD5:	534c66c925d1aa2bff10acf060c776fd
SHA1:	c76867949581f15900317216215f549b2959131a
SHA256:	c5a1c37fb023d2fc386b20b0a46fcbf76e4d794711d50a3a84d2f46754fc50cc
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

AI detected suspicious elements in Email content

AI detected suspicious elements in Email header

Detected non-DNS traffic on DNS port

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores large binary data to the registry

Classification

Process Tree

System is w11x64_office

OUTLOOK.EXE (PID: 5072 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\20250304_150220_TA6NsGnFKBQP6WuMJfIAtA3XK3ok9HgQ.eml" MD5: 7F59D020035411A4BCF731A8320581A4)

ai.exe (PID: 3620 cmdline: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe" "D1542569-9C19-418E-BB3A-5D1660B5B765" "7B673E28-5B1B-4E61-97F1-DAE7176544D8" "5072" "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: 0ED71A2D20424DC7942E810F359DA066)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5072, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\AdobeAcroOutlook.SendAsLink\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected suspicious elements in Email content

Source: Email

Joe Sandbox AI: Detected potential phishing email: The email contains obfuscated malicious JavaScript code attempting to execute arbitrary functions. The sender domain (bttwpg.com) is suspicious and doesn't match with claimed AT&T voicemail service. The attachment naming pattern (AT&T_Msg_-876.html) is suspicious and likely contains malicious code

AI detected suspicious elements in Email header

Source: Email

Joe Sandbox AI: Detected suspicious elements in Email header: Proofpoint explicitly marked as phishing with high score (phishscore=100). Suspicious localhost [127.0.0.1] sender but actual IP is 139.64.164.134, indicating header manipulation. PTR record shows 'InfoDomainNonexistent' indicating missing/invalid reverse DNS. High MLX log score (144) and CLX score (234) from Proofpoint. Anonymous cross-tenant authentication (x-ms-exchange-crosstenant-authas: Anonymous). Impostor and unknown sender scores present in Proofpoint details. Domain age appears relatively new based on Proofpoint scan (domainage_hfrom=1883). Multiple security systems (Proofpoint, Microsoft) showing suspicious indicators

Source: Email

Classification: Credential Stealer

Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.24:55420 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1

Source: classification engine

Classification label: mal48.winEML@3/4@0/31