ID: 473615
Sample Name: 212699455.aspx
Cookbook: default.jbs
Time: 03:25:51
Date: 30/08/2021
Version: 33.0.0 White Diamond

Table of Contents
Table of Contents (page 2)
Windows Analysis Report 212699455.aspx (page 3)
Overview (page 3)
General Information (page 3)
Detection (page 3)
Signatures (page 3)
Classification (page 3)
Process Tree (page 3)
Malware Configuration (page 3)
Yara Overview (page 3)
Sigma Overview (page 3)
Jbx Signature Overview (page 3)
Mitre Att&ck Matrix (page 4)
Behavior Graph (page 4)
Screenshots (page 4)
Thumbnails (page 4)
Antivirus, Machine Learning and Genetic Malware Detection (page 5)
Initial Sample (page 5)
Dropped Files (page 5)
Unpacked PE Files (page 5)
Domains (page 5)
URLs (page 5)
Domains and IPs (page 6)
Contacted Domains (page 6)
URLs from Memory and Binaries (page 6)
Contacted IPs (page 6)
General Information (page 6)
Simulations (page 7)
Behavior and APIs (page 7)
Joe Sandbox View / Context (page 7)
IPs (page 7)
Domains (page 7)
ASN (page 7)
JA3 Fingerprints (page 7)
Dropped Files (page 7)
Created / dropped Files (page 7)
Static File Info (page 8)
General (page 8)
File Icon (page 9)
Network Behavior (page 9)
Network Port Distribution (page 9)
UDP Packets (page 9)
Code Manipulations (page 9)
Statistics (page 9)
System Behavior (page 9)
Analysis Process: OUTLOOK.EXE PID: 3252 Parent PID: 3012 (page 9)
General (page 9)
File Activities (page 9)
Registry Activities (page 10)
Key Created (page 10)
Disassembly (page 10)
Copyright Joe Security LLC 2021 Page 2 of 10

Windows Analysis Report 212699455.aspx
Overview
General Information
Sample Name: 212699455.aspx (renamed file extension from aspx to pst)
Analysis ID: 473615
MD5: 69f6d48ea099d9d…
SHA1: 94d2b83de1bdac…
SHA256: db6138d3de2f5d6…

Detection
Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures
No high impact signatures.

Classification
Classification: clean
[Classification chart residue omitted; chart scale: malicious, suspicious, clean; chart axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware]
Process Tree
System is w10x64
OUTLOOK.EXE (PID: 3252, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE' /pst 'C:\Users\user\Desktop\212699455.pst', MD5: 7DD935BA9B57D9D7EFF63C67653E70B5)
cleanup
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Jbx Signature Overview
There are no malicious signatures.
Mitre Att&ck Matrix
Matrix columns, listed as tactic: row 1 / row 2 (the numeric suffixes are the counts shown in the original matrix cells):
Initial Access: Valid Accounts / Default Accounts
Execution: Windows Management Instrumentation / Scheduled Task/Job
Persistence: Path Interception / Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception / Boot or Logon Initialization Scripts
Defense Evasion: Masquerading 1 / Rootkit
Credential Access: OS Credential Dumping / LSASS Memory
Discovery: System Information Discovery 1 / Remote System Discovery 1
Lateral Movement: Remote Services / Remote Desktop Protocol
Collection: Data from Local System / Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium / Exfiltration Over Bluetooth
Command and Control: Data Obfuscation / Junk Data
Network Effects: Eavesdrop on Insecure Network Communication / Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization / Remotely Wipe Data Without Authorization
Impact: Modify System Partition / Device Lockout
Behavior Graph
[Behavior graph image not recoverable from text. Graph header: ID: 473615, Sample: 212699455.aspx, Startdate: 30/08/2021, Architecture: WINDOWS, Score: 0. Legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet. Graph nodes: started, OUTLOOK.EXE (node counters: 26, 20).]
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label | Link
https://roaming.edog. | 0% | URL Reputation | safe |
https://cdn.entity. | 0% | URL Reputation | safe |
https://powerlift.acompli.net | 0% | URL Reputation | safe |
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://cortana.ai | 0% | URL Reputation | safe |
https://api.aadrm.com/ | 0% | URL Reputation | safe |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe |
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
https://ncus.contentsync. | 0% | URL Reputation | safe |
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
https://wus2.contentsync. | 0% | URL Reputation | safe |
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
https://ncus.pagecontentsync. | 0% | URL Reputation | safe |
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |
https://dataservice.o365filtering.com | 0% | URL Reputation | safe |
https://api.cortana.ai | 0% | URL Reputation | safe |
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | URL Reputation | safe |
https://directory.services. | 0% | URL Reputation | safe |
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Contacted IPs
No contacted IP infos
General Information
Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 473615
Start date: 30.08.2021
Start time: 03:25:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 212699455.aspx (renamed file extension from aspx to pst)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winPST@1/3@0/0
Cookbook Comments: Adjust boot time; Enable AMSI
Simulations
Behavior and APIs
No simulations
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 3243996
Entropy (8bit): 4.396421171479225
Encrypted: false
SSDEEP: 49152:tETXTXlTXlgXRAXR3XRtKROGwOk+Ok9OkXOkYOkAOkl:tmZpU0xwcofBCOf
MD5: 965A8F4B6C490CED677DC94559E4A7C8
SHA1: 35DCC03C92B617BC025730F79671542161B391FE
SHA-256: 8A6295657B63E65947DFFE9B2837CE4934FBD0BC837EC36CFC4EF1CD7CB387F1
SHA-512: 9D17411D274BEB3E8944F71EE573946888CE0C93E27B80BE4BB686F2F8A78E9845B7622D8C51820D23F44A8520C88A47B99F3F09CD11847F67954B3D86C94450
Malicious: false
Reputation: low
Preview: [binary dump omitted; readable strings in the preview: "IPM.Activity", "Form", "Standard", "Journal Entry", "IPM.Microsoft.FolderDesign.FormsDescription", "Microsoft", "This form is used to create journal entries"]

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EC29D520-8742-4CAE-B9CB-021E247FBE0D
Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 136903
Entropy (8bit): 5.362214933237467
Encrypted: false
SSDEEP: 1536:qcQIKNveBfA3gBwbnQ9DQW+z2Y34ZliKWXboOidXuE6LWME9:pCQ9DQW+zaXr1
MD5: FAF016E23D9ACEB477D67E57AE6EF2C6
SHA1: 4427CE4B830A0AFA1792F3C0CB2423C02AE302B3
SHA-256: 59C39959738B3BB425E8BC27C656EA7C51F997965FC657C1514FF3D2F09D0DD6
SHA-512: FE85D4FB57AF6ED9C88E85E65E93DC4D4CA5E5C14034457D44734F169C2F73F30DE4FA163F95F68499FE7F6520DFB87C508E2BB024CEBBA4921C3836C15110E0
Malicious: false
Reputation: low
Preview: [empty in the report]

C:\Users\user\AppData\Local\Temp\outlook logging\firstrun.log
Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: diff output, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 82
Entropy (8bit): 4.90267121259189
Encrypted: false
SSDEEP: 3:YD2FjWWCoSuX3DfIN1QyJ/RgAO:YD5SSuHDxyJeR
MD5: DE1F50F25C30EA8F881383B408A3B5BB
SHA1: 1B39FBA67F48406EC216FAD7A3BEE33F9E1709A1
SHA-256: CBC04636CF34D80D578840BCDE9C641EEFE4DCE480CFE67638EDDF977A32A276
SHA-512: 8CB92FD993B29205BF9CEBD8714A64232D4F1D2AF0391ED6909DAF2EFAF6310C0954149A9C6A0C80346A50C151D65CC4B5E1B7BC92B6A0C3AE0D71DC85EC5186
Malicious: false
Reputation: low
Preview: *** Starting First Run (08-30-2021 03:26:54) ***.....HrPreSplashFirstRun called...
Static File Info
General
File type: Microsoft Outlook email folder (>=2003)
Entropy (8bit): 0.4547567974245742
TrID: Microsoft OutLook Personal Folder (Unicode) (4007/3) 50.01%; Microsoft OutLook Personal Folder (ANSI) (4006/2) 49.99%
File name: 212699455.pst
File size: 271360
MD5: 69f6d48ea099d9d1662a86d1f7f6f9af
SHA1: 94d2b83de1bdac72c12baaa0b9ca6455b6e76286
SHA256: db6138d3de2f5d6e6c43498d372ac7be678ca4eac3867dae594fb0dd3244b90e
SHA512: 736c1a215ef6026f4290641a81e97717b21fe8cf0e4dc2ba87ee4c3f28ad88499ba2c7e8a13102430eec938e30eecc632d0982e03067df1545cdec40c1ab6c56
SSDEEP: 192:k6cl8pDMRf0lr0w7Rc9htZU8OX8e8AK3rCG/Pt7IdG/4S:RDaf0iwOg8Fpbt4
File Content Preview: !BDN.M..SM...... K...... @...... $...... D...... G...... r...... J......

File Icon
Icon Hash: 74fcd0d2d6d6d0cc

Network Behavior
Network Port Distribution
UDP Packets

Code Manipulations

Statistics

System Behavior
Analysis Process: OUTLOOK.EXE PID: 3252 Parent PID: 3012
General
Start time: 03:26:48
Start date: 30/08/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE' /pst 'C:\Users\user\Desktop\212699455.pst'
Imagebase: 0x2e0000
File size: 23291112 bytes
MD5 hash: 7DD935BA9B57D9D7EFF63C67653E70B5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
File Activities
Registry Activities
Key Created

Disassembly