ID: 473615
Sample Name: 212699455.aspx
Cookbook: default.jbs
Time: 03:25:51
Date: 30/08/2021
Version: 33.0.0 White Diamond

Table of Contents

Table of Contents 2
Windows Analysis Report 212699455.aspx 3
Overview 3
General Information 3
Detection 3
Signatures 3
Classification 3
Process Tree 3
Malware Configuration 3
Yara Overview 3
Sigma Overview 3
Jbx Signature Overview 3
Mitre Att&ck Matrix 4
Behavior Graph 4
Screenshots 4
Thumbnails 4
Antivirus, Machine Learning and Genetic Malware Detection 5
Initial Sample 5
Dropped Files 5
Unpacked PE Files 5
Domains 5
URLs 5
Domains and IPs 6
Contacted Domains 6
URLs from Memory and Binaries 6
Contacted IPs 6
General Information 6
Simulations 7
Behavior and APIs 7
Joe Sandbox View / Context 7
IPs 7
Domains 7
ASN 7
JA3 Fingerprints 7
Dropped Files 7
Created / dropped Files 7
Static File Info 8
General 8
File Icon 9
Network Behavior 9
Network Port Distribution 9
UDP Packets 9
Code Manipulations 9
Statistics 9
System Behavior 9
Analysis Process: OUTLOOK.EXE PID: 3252 Parent PID: 3012 9
General 9
File Activities 9
Registry Activities 10
Key Created 10
Disassembly 10

Copyright Joe Security LLC 2021 Page 2 of 10

Windows Analysis Report 212699455.aspx

Overview

General Information
Sample Name: 212699455.aspx (renamed file extension from aspx to pst)
Analysis ID: 473615
MD5: 69f6d48ea099d9d…
SHA1: 94d2b83de1bdac…
SHA256: db6138d3de2f5d6…
Infos:
Most interesting Screenshot:

Detection
Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Verdict scale: malicious / suspicious / clean

Signatures
No high impact signatures.

Classification
Category legend: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Process Tree

System is w10x64
OUTLOOK.EXE (PID: 3252, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE' /pst 'C:\Users\user\Desktop\212699455.pst', MD5: 7DD935BA9B57D9D7EFF63C67653E70B5)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

Mitre Att&ck Matrix

The matrix lists two candidate techniques per tactic; a number in parentheses is the count of matched signatures for that technique.

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Masquerading (1); Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Information Discovery (1); Remote System Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph

ID: 473615
Sample: 212699455.aspx
Startdate: 30/08/2021
Architecture: WINDOWS
Score: 0
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Is malicious, Internet; language markers: Delphi, Java, .Net C# or VB.NET, C, C++ or other language
Graph: single node OUTLOOK.EXE (started), annotated 26 / 20 (legend order: Number of created Registry Values, Number of created Files)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 473615
Start date: 30.08.2021
Start time: 03:25:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 212699455.aspx (renamed file extension from aspx to pst)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winPST@1/3@0/0
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 3243996
Entropy (8bit): 4.396421171479225
Encrypted: false
SSDEEP: 49152:tETXTXlTXlgXRAXR3XRtKROGwOk+Ok9OkXOkYOkAOkl:tmZpU0xwcofBCOf
MD5: 965A8F4B6C490CED677DC94559E4A7C8
SHA1: 35DCC03C92B617BC025730F79671542161B391FE
SHA-256: 8A6295657B63E65947DFFE9B2837CE4934FBD0BC837EC36CFC4EF1CD7CB387F1
SHA-512: 9D17411D274BEB3E8944F71EE573946888CE0C93E27B80BE4BB686F2F8A78E9845B7622D8C51820D23F44A8520C88A47B99F3F09CD11847F67954B3D86C94450
Malicious: false
Reputation: low
Preview: TH02...... SM01,...... G...... IPM.Activity...... h..\n...... h...... xn.enH..h...... h...... YnH..h...... h....0...h$.....h...... MWn...h...... EMWn...h...@...... h.v.nH...$YWn...0....T...... nd....v.n..2h.|\n...... k{.Y.....c.6...!h...... T..... hR..n....WYWn..#h....8...... $h...... 8....."h...... '[email protected]...... 1h....<...... 0h..xn4...... /h....h...... H..h..xnp...... -h...... +h...... g.n...... F7...... FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDes cription...... F.k...... 1122110020000000....Microsoft...This form is used to create journal entries...... kf...... &...... (...... (...... @...... fffffffff...... wwwwwwww.p....pp...... p...... pw...... pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EC29D520-8742-4CAE-B9CB-021E247FBE0D
Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 136903
Entropy (8bit): 5.362214933237467
Encrypted: false
SSDEEP: 1536:qcQIKNveBfA3gBwbnQ9DQW+z2Y34ZliKWXboOidXuE6LWME9:pCQ9DQW+zaXr1
MD5: FAF016E23D9ACEB477D67E57AE6EF2C6
SHA1: 4427CE4B830A0AFA1792F3C0CB2423C02AE302B3
SHA-256: 59C39959738B3BB425E8BC27C656EA7C51F997965FC657C1514FF3D2F09D0DD6
SHA-512: FE85D4FB57AF6ED9C88E85E65E93DC4D4CA5E5C14034457D44734F169C2F73F30DE4FA163F95F68499FE7F6520DFB87C508E2BB024CEBBA4921C3836C15110E0
Malicious: false
Reputation: low
Preview: .... .. Build: 16.0.14423.30525-->.. .. .. .. .. https://rr.office.microsoft.com/research/query.asmx.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://ocsa.office.microsoft.com/client/15/help/template.. ..

C:\Users\user\AppData\Local\Temp\outlook logging\firstrun.log
Process: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
File Type: diff output, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 82
Entropy (8bit): 4.90267121259189
Encrypted: false
SSDEEP: 3:YD2FjWWCoSuX3DfIN1QyJ/RgAO:YD5SSuHDxyJeR
MD5: DE1F50F25C30EA8F881383B408A3B5BB
SHA1: 1B39FBA67F48406EC216FAD7A3BEE33F9E1709A1
SHA-256: CBC04636CF34D80D578840BCDE9C641EEFE4DCE480CFE67638EDDF977A32A276
SHA-512: 8CB92FD993B29205BF9CEBD8714A64232D4F1D2AF0391ED6909DAF2EFAF6310C0954149A9C6A0C80346A50C151D65CC4B5E1B7BC92B6A0C3AE0D71DC85EC5186
Malicious: false
Reputation: low
Preview: *** Starting First Run (08-30-2021 03:26:54) ***.....HrPreSplashFirstRun called...

Static File Info

General
File type: folder (>=2003)
Entropy (8bit): 0.4547567974245742
TrID: Microsoft OutLook Personal Folder (Unicode) (4007/3) 50.01%; Microsoft OutLook Personal Folder (ANSI) (4006/2) 49.99%
File name: 212699455.pst
File size: 271360
MD5: 69f6d48ea099d9d1662a86d1f7f6f9af
SHA1: 94d2b83de1bdac72c12baaa0b9ca6455b6e76286
SHA256: db6138d3de2f5d6e6c43498d372ac7be678ca4eac3867dae594fb0dd3244b90e
SHA512: 736c1a215ef6026f4290641a81e97717b21fe8cf0e4dc2ba87ee4c3f28ad88499ba2c7e8a13102430eec938e30eecc632d0982e03067df1545cdec40c1ab6c56
SSDEEP: 192:k6cl8pDMRf0lr0w7Rc9htZU8OX8e8AK3rCG/Pt7IdG/4S:RDaf0iwOg8Fpbt4
File Content Preview: !BDN.M..SM...... K...... @...... $...... D...... G...... r...... J......

File Icon

Icon Hash: 74fcd0d2d6d6d0cc

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

System Behavior

Analysis Process: OUTLOOK.EXE PID: 3252 Parent PID: 3012

General

Start time: 03:26:48
Start date: 30/08/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE' /pst 'C:\Users\user\Desktop\212699455.pst'
Imagebase: 0x2e0000
File size: 23291112 bytes
MD5 hash: 7DD935BA9B57D9D7EFF63C67653E70B5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Registry Activities

Key Created

Disassembly
