| File name: | phish_alert_iocp_v1.10.14 (2).eml |
| Full analysis: | https://app.any.run/tasks/69623a22-54c0-40bb-99cf-acdb73ff5653 |
| Verdict: | Malicious activity |
| Analysis date: | October 15, 2024, 13:37:05 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | message/rfc822 |
| File info: | RFC 822 mail, Unicode text, UTF-8 text, with very long lines (4647), with CRLF line terminators |
| MD5: | 9FE53125C1BE477199DC93057039B5D7 |
| SHA1: | 433E5FD117943AEE530F17CE6C31AB0DD643D594 |
| SHA256: | FBD62B327D5A154002724D93453637413651D5B4360FC474B1A10ACE17ABF7D3 |
| SSDEEP: | 1536:Ot3HVoMN7a4XdN0iAcUyzZ07BmOTcxOTVJ4iA7TT6cFnbJexVyrTMQTQ:OLoiiBP |
MALICIOUS
Registers / Runs the DLL via REGSVR32.EXE
- Dropbox.exe (PID: 8732)
SUSPICIOUS
Executes as Windows Service
- DropboxUpdate.exe (PID: 8204)
- DbxSvc.exe (PID: 2708)
Application launched itself
- DropboxUpdate.exe (PID: 5956)
- DropboxUpdate.exe (PID: 9192)
Starts itself from another location
- DropboxUpdate.exe (PID: 7612)
Executable content was dropped or overwritten
- DropboxInstaller.exe (PID: 6244)
- DropboxUpdate.exe (PID: 7612)
- DropboxClient_209.4.3661.x64.exe (PID: 8960)
- Dropbox.exe (PID: 8732)
- powershell.exe (PID: 8432)
Potential Corporate Privacy Violation
- DropboxUpdate.exe (PID: 7536)
- DropboxClient_209.4.3661.x64.exe (PID: 8960)
- DropboxUpdate.exe (PID: 9060)
Malware-specific behavior (creating "System.dll" in Temp)
- DropboxClient_209.4.3661.x64.exe (PID: 8960)
Process drops python dynamic module
- DropboxClient_209.4.3661.x64.exe (PID: 8960)
- Dropbox.exe (PID: 8732)
Process drops legitimate windows executable
- DropboxClient_209.4.3661.x64.exe (PID: 8960)
- Dropbox.exe (PID: 8732)
- powershell.exe (PID: 8432)
Drops a system driver (possible attempt to evade defenses)
- DropboxClient_209.4.3661.x64.exe (PID: 8960)
- Dropbox.exe (PID: 8732)
The process drops C-runtime libraries
- DropboxClient_209.4.3661.x64.exe (PID: 8960)
- Dropbox.exe (PID: 8732)
The process executes via Task Scheduler
- DropboxUpdate.exe (PID: 9060)
- DropboxUpdate.exe (PID: 9192)
Uses NETSH.EXE to add a firewall rule or allowed programs
- Dropbox.exe (PID: 8732)
Starts SC.EXE for service management
- Dropbox.exe (PID: 8732)
Starts POWERSHELL.EXE for commands execution
- Dropbox.exe (PID: 8732)
Starts a Microsoft application from unusual location
- DismHost.exe (PID: 6000)
Uses NETSH.EXE to delete a firewall rule or allowed programs
- Dropbox.exe (PID: 8732)
INFO
The process uses the downloaded file
- OUTLOOK.EXE (PID: 920)
Executable content was dropped or overwritten
- msedge.exe (PID: 6720)
- msedge.exe (PID: 2928)
- msiexec.exe (PID: 7480)
- msedge.exe (PID: 9012)
Email came from third-party service (Amazon SES)
- OUTLOOK.EXE (PID: 920)
Application launched itself
- msedge.exe (PID: 2928)
The executable file from the user directory is run by the Powershell process
- DismHost.exe (PID: 6000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .eml | | | E-Mail message (Var. 5) (100) |
|---|
Total processes
244
Monitored processes
101
Malicious processes
5
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 784 | /S "C:\Program Files (x86)\Dropbox\Client\209.4.3661\DropboxOfficeAddin64.14.dll" | C:\Windows\System32\regsvr32.exe | — | regsvr32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 920 | "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\phish_alert_iocp_v1.10.14 (2).eml" | C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 16.0.16026.20146 Modules
| |||||||||||||||
| 1008 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3880 --field-trial-handle=2384,i,1198875812267635894,13499711885186474117,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1196 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | netsh.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2068 | C:\WINDOWS\system32\regsvr32.exe /S "C:\Program Files (x86)\Dropbox\Client\209.4.3661\DropboxOfficeAddin.14.dll" | C:\Windows\System32\regsvr32.exe | — | Dropbox.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2088 | /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt64.76.0.dll" | C:\Windows\System32\regsvr32.exe | — | regsvr32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2224 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4108 --field-trial-handle=2384,i,1198875812267635894,13499711885186474117,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2576 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4276 --field-trial-handle=2384,i,1198875812267635894,13499711885186474117,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2708 | C:\WINDOWS\system32\DbxSvc.exe | C:\Windows\System32\DbxSvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Dropbox, Inc. Integrity Level: SYSTEM Description: Dropbox Service Version: 1.0.24.0 Modules
| |||||||||||||||
| 2844 | "C:\Program Files (x86)\Dropbox\Client\209.4.3661\DropboxUpdateClient.exe" --install-elevation-service --appid={CC46080E-4C33-4981-859A-BBA2F780F31E} --enable-logging --vmodule=*/dropbox/update_client/*=2 | C:\Program Files (x86)\Dropbox\Client\209.4.3661\DropboxUpdateClient.exe | — | Dropbox.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
55 438
Read events
54 568
Write events
706
Delete events
164
Modification events
| (PID) Process: | (920) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling |
| Operation: | write | Name: | 6 |
Value: 01941A000000001000B24E9A3E06000000000000000600000000000000 | |||
| (PID) Process: | (920) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\920 |
| Operation: | write | Name: | 0 |
Value: 0B0E10353FDF8F8F94DA4782685AA4AEB1DAE8230046CAC3CBD1F5E0C7ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C5119807D2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300 | |||
| (PID) Process: | (920) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics |
| Operation: | delete value | Name: | BootCommand |
Value: | |||
| (PID) Process: | (920) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics |
| Operation: | delete value | Name: | BootFailureCount |
Value: | |||
| (PID) Process: | (920) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (920) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession |
| Operation: | write | Name: | CantBootResolution |
Value: BootSuccess | |||
| (PID) Process: | (920) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession |
| Operation: | write | Name: | ProfileBeingOpened |
Value: Outlook | |||
| (PID) Process: | (920) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession |
| Operation: | write | Name: | SessionId |
Value: C3D8E96E-C1AF-4750-8D52-F4E28119C131 | |||
| (PID) Process: | (920) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession |
| Operation: | write | Name: | BootDiagnosticsLogFile |
Value: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20240718T1116060318-1644.etl | |||
| (PID) Process: | (920) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics |
| Operation: | delete value | Name: | ProfileBeingOpened |
Value: | |||
Executable files
478
Suspicious files
573
Text files
1 900
Unknown types
152
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 920 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook1.pst | — | |
MD5:— | SHA256:— | |||
| 2928 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF8f94d.TMP | — | |
MD5:— | SHA256:— | |||
| 2928 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF8f94d.TMP | — | |
MD5:— | SHA256:— | |||
| 2928 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF8f94d.TMP | — | |
MD5:— | SHA256:— | |||
| 2928 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2928 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2928 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF8f95d.TMP | — | |
MD5:— | SHA256:— | |||
| 2928 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2928 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2928 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF8f96c.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
52
TCP/UDP connections
126
DNS requests
106
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6944 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 23.48.23.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
2928 | msedge.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | — | — | whitelisted |
2928 | msedge.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAOKSkxNqmqtTGS8Y78ILE0%3D | unknown | — | — | whitelisted |
8004 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
2928 | msedge.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | — | — | whitelisted |
5232 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
8708 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
8204 | DropboxUpdate.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAHWlVhJ1rvbwVVZSZDShpE%3D | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4292 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
920 | OUTLOOK.EXE | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6944 | svchost.exe | 23.48.23.147:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6944 | svchost.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
920 | OUTLOOK.EXE | 23.48.23.30:443 | omex.cdn.office.net | Akamai International B.V. | DE | whitelisted |
920 | OUTLOOK.EXE | 52.111.243.12:443 | messaging.lifecycle.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
ecs.office.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
omex.cdn.office.net |
| whitelisted |
messaging.lifecycle.office.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
nam11.safelinks.protection.outlook.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7536 | DropboxUpdate.exe | Potential Corporate Privacy Violation | ET POLICY Dropbox.com Offsite File Backup in Use |
8960 | DropboxClient_209.4.3661.x64.exe | Potential Corporate Privacy Violation | ET POLICY Dropbox.com Offsite File Backup in Use |
9060 | DropboxUpdate.exe | Potential Corporate Privacy Violation | ET POLICY Dropbox.com Offsite File Backup in Use |
Process | Message |
|---|---|
powershell.exe | PID=8432 TID=4584 DismApi.dll: - DismInitializeInternal
|
powershell.exe | PID=8432 TID=4584 DismApi.dll: <----- Starting DismApi.dll session -----> - DismInitializeInternal
|
powershell.exe | PID=8432 TID=4584 DismApi.dll: - DismInitializeInternal
|
powershell.exe | PID=8432 TID=4584 DismApi.dll: Host machine information: OS Version=10.0.19045, Running architecture=amd64, Number of processors=4 - DismInitializeInternal
|
powershell.exe | PID=8432 TID=4584 DismApi.dll: API Version 10.0.19041.3758 - DismInitializeInternal
|
powershell.exe | PID=8432 TID=4584 DismApi.dll: Parent process command line: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell "Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In \"C27EB4BA.DropboxOEM\" | Remove-ProvisionedAppxPackage -Online" - DismInitializeInternal
|
powershell.exe | PID=8432 TID=4584 Enter DismInitializeInternal - DismInitializeInternal
|
powershell.exe | PID=8432 TID=4584 Input parameters: LogLevel: 2, LogFilePath: C:\WINDOWS\Logs\DISM\dism.log, ScratchDirectory: (null) - DismInitializeInternal
|
powershell.exe | PID=8432 TID=4584 Initialized GlobalConfig - DismInitializeInternal
|
powershell.exe | PID=8432 TID=4584 Initialized SessionTable - DismInitializeInternal
|