
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 50183
Start time: 23:07:57
Joe Sandbox Product: CloudBasic
Start date: 13.03.2018
Overall analysis duration: 0h 3m 46s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: invite.ics
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winICS@1/11@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .ics
Warnings:
  • Exclude process from analysis (whitelisted): WmiPrvSE.exe, WmiApSrv.exe, dllhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: OUTLOOK.EXE


Detection

Strategy    Score   Range     Reporting        Detection
Threshold   2       0 - 100   Report FP / FN   clean


Confidence

Strategy    Score   Range   Further Analysis Required?
Threshold   5       0 - 5   false


Classification

Signature Overview



Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Window created: window name: CLIPBRDWNDCLASS

Networking:

Found strings which match to known social media urls
Source: OUTLOOK.EXE | String found in binary or memory: hotmail.com equals www.hotmail.com (Hotmail)
Source: OUTLOOK.EXE | String found in binary or memory: hotmail.comMSN-VIA-OUTLOOK.COM.msn.com equals www.hotmail.com (Hotmail)
Urls found in memory or binary data
Source: OUTLOOK.EXE | String found in binary or memory: file:///
Source: OUTLOOK.EXE | String found in binary or memory: file:///C:
Source: OUTLOOK.EXE | String found in binary or memory: http://%s%s/autodiscover/autodiscover.xmlAutoDiscover
Source: OUTLOOK.EXE | String found in binary or memory: https://%s%s/autodiscover/autodiscover.xml
Source: OUTLOOK.EXE | String found in binary or memory: https://%s/autodiscover/autodiscover.xml
Source: invite.ics | String found in binary or memory: https://www.google.com/calendar/event?action=VIEW&

Boot Survival:

Creates or modifies windows services
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Outlook\Performance

System Summary:

Checks whether correct version of .NET is installed
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades
Executable creates window controls seldom found in malware
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Window found: window name: SysTabControl32
Found GUI installer (many successful clicks)
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Automated click: Next >
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Automated click: Next >
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Automated click: Next >
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: t:\outlook\x86\ship\0\olmapi32.pdb\ship\0\olmapi32.dll\bbtopt\olmapi32O.pdbQ source: OUTLOOK.EXE
Source: Binary string: t:\outlook\x86\ship\0\olmapi32.pdb source: OUTLOOK.EXE
Source: Binary string: \ship\0\olmapi32.dll\bbtopt\olmapi32O.pdb source: OUTLOOK.EXE
Classification label
Source: classification engine | Classification label: clean2.winICS@1/11@0/0
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Microsoft\FORMS
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | File created: C:\Users\HERBBL~1\AppData\Local\Temp\CVRA12B.tmp
Reads software policies
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: invite.ics | Virustotal: hash found
Uses an in-process (OLE) Automation server
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Writes ini files
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | File written: C:\Windows\inf\Outlook\0009\outlperf.ini
Creates files inside the system directory
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | File created: C:\Windows\inf\Outlook\
Deletes Windows files
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | File deleted: C:\Windows\System32\PerfStringBackup.TMP

Malware Analysis System Evasion:

Checks the free space of harddrives
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | File Volume queried: C:\Windows\System32 FullSizeInformation

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
[Behavior Graph ID: 50183; Sample: invite.ics; Start date: 13/03/2018; Architecture: WINDOWS; Score: 2; single process node: OUTLOOK.EXE (started)]

Simulations

Behavior and APIs

Time       Type              Description
23:08:46   API Interceptor   3x Sleep call for process: OUTLOOK.EXE modified

Antivirus Detection

Initial Sample

Source       Detection   Scanner      Label   Link
invite.ics   0%          virustotal           Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot