Analysis Report Arrivalnotice2020pdf.exe

Overview

General Information

Sample Name:	Arrivalnotice2020pdf.exe
Analysis ID:	323773
MD5:	ed6f9a5ace6367f4e532dd4ec40762ac
SHA1:	5ed4fd1e8a4e7dbed31928c2b7dd2ca1043cb68e
SHA256:	df107977e92465958c206bf42e33ce394e8573da3c4035b69bfa0d0eaf367914
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: MSBuild connects to smtp port

Yara detected AgentTesla

.NET source code contains very large array initializations

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Found malware configuration

Source: MSBuild.exe.2540.3.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "zSmwx", "URL: ": "https://dBHeYNWtul3f.net", "To: ": "akannwater@gmail.com", "ByHost: ": "webmail.hapkidocollege.com.au:587", "Password: ": "pXS5n2E1Xj", "From: ": "train@hapkidocollege.com.au"}

Multi AV Scanner detection for submitted file

Source: Arrivalnotice2020pdf.exe

Virustotal: Detection: 22%

Perma Link

Machine Learning detection for sample

Source: Arrivalnotice2020pdf.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 3.2.MSBuild.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Networking:

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49719 -> 103.9.171.52:587

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 174.129.214.20 174.129.214.20
Source: Joe Sandbox View	IP Address: 174.129.214.20 174.129.214.20

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.3:49719 -> 103.9.171.52:587

Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown	TCP traffic detected without corresponding DNS query: 92.122.145.220

Source: unknown

DNS traffic detected: queries for: webmail.hapkidocollege.com.au

Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: http://ZLVZGU.com
Source: MSBuild.exe, 00000003.00000003.409109256.000000000791A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: MSBuild.exe, 00000003.00000003.409109256.000000000791A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: MSBuild.exe, 00000003.00000003.409109256.000000000791A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org/
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org/(
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgx&
Source: Arrivalnotice2020pdf.exe, 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.474831985.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: MSBuild.exe, 00000003.00000002.479039341.000000000364E000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.479119119.0000000003668000.00000004.00000001.sdmp, MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://dBHeYNWtul3f.net
Source: MSBuild.exe, 00000003.00000003.409109256.000000000791A000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: Arrivalnotice2020pdf.exe, MSBuild.exe, 00000003.00000002.474831985.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49680
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0168B0BA NtQuerySystemInformation,		3_2_0168B0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0168B089 NtQuerySystemInformation,		3_2_0168B089

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000C583D	0_2_000C583D
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000C6835	0_2_000C6835
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000C50C1	0_2_000C50C1
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D80D5	0_2_000D80D5
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000BA194	0_2_000BA194
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B8273	0_2_000B8273
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000C4B51	0_2_000C4B51
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B8B7F	0_2_000B8B7F
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000BE3A9	0_2_000BE3A9
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B93E9	0_2_000B93E9
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000C45E1	0_2_000C45E1
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B7F50	0_2_000B7F50
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B8767	0_2_000B8767
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B8FB4	0_2_000B8FB4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_055892E8	3_2_055892E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB4ED0	3_2_0ADB4ED0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB2EE8	3_2_0ADB2EE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB7AE0	3_2_0ADB7AE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB6EB8	3_2_0ADB6EB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB0070	3_2_0ADB0070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB2E89	3_2_0ADB2E89
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADB6EA8	3_2_0ADB6EA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADED9D0	3_2_0ADED9D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADEAEB8	3_2_0ADEAEB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADEBDAC	3_2_0ADEBDAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADED578	3_2_0ADED578
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADE0070	3_2_0ADE0070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADE5930	3_2_0ADE5930
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0ADE0007	3_2_0ADE0007

Source: Arrivalnotice2020pdf.exe	Binary or memory string: OriginalFilename vs Arrivalnotice2020pdf.exe
Source: Arrivalnotice2020pdf.exe, 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenamefobWaEQAeVYNzsIgHQxKLyzadmXNXRmrUHO.exe4 vs Arrivalnotice2020pdf.exe
Source: Arrivalnotice2020pdf.exe, 00000000.00000003.210597797.0000000002FB6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arrivalnotice2020pdf.exe

Source: 3.2.MSBuild.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.MSBuild.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0168AF3E AdjustTokenPrivileges,		3_2_0168AF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_0168AF07 AdjustTokenPrivileges,		3_2_0168AF07

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1304:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe 'C:\Users\user\Desktop\Arrivalnotice2020pdf.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: Arrivalnotice2020pdf.exe, 00000000.00000003.210004019.0000000002FF0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Arrivalnotice2020pdf.exe, 00000000.00000003.210004019.0000000002FF0000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: MSBuild.exe, 00000003.00000002.482322603.00000000075A0000.00000002.00000001.sdmp

Source: Arrivalnotice2020pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Arrivalnotice2020pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Arrivalnotice2020pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Arrivalnotice2020pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Arrivalnotice2020pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D0554 push eax; ret	0_2_000D05B9
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D0608 push eax; ret	0_2_000D05B9
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B5655 push ecx; ret	0_2_000B5668
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000BAF85 push ecx; ret	0_2_000BAF98

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -3270000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -149450s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -269019s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -89721s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -328966s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -686757s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -298600s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -59718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -60048s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -30141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -40062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -38844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -59686s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -39562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 1724	Thread sleep time: -39312s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Last function: Thread delayed

Source: MSBuild.exe, 00000003.00000002.481167503.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 00000003.00000002.482772481.00000000078D0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: MSBuild.exe, 00000003.00000002.481167503.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000003.00000002.481167503.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MSBuild.exe, 00000003.00000002.481167503.0000000005D10000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B1970 mov eax, dword ptr fs:[00000030h]	0_2_000B1970
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000B1970 mov eax, dword ptr fs:[00000030h]	0_2_000B1970
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D1CC2 mov eax, dword ptr fs:[00000030h]	0_2_000D1CC2
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D2688 mov eax, dword ptr fs:[00000030h]	0_2_000D2688
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D26C5 mov eax, dword ptr fs:[00000030h]	0_2_000D26C5
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000D2728 mov eax, dword ptr fs:[00000030h]	0_2_000D2728

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000BF458 SetUnhandledExceptionFilter,		0_2_000BF458
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: 0_2_000BF47B SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_000BF47B

Source: MSBuild.exe, 00000003.00000002.476151015.0000000001AD0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000003.00000002.476151015.0000000001AD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000003.00000002.476151015.0000000001AD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: MSBuild.exe, 00000003.00000002.476151015.0000000001AD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Analysis Report Arrivalnotice2020pdf.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_000B4887
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_2_000BB34D
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_000C0B91
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_000C24BA
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: EnumSystemLocalesEx,	0_2_000BF53A
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: GetLocaleInfoEx,	0_2_000BF550
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_000C159E
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: GetLocaleInfoEx,__wcsnicmp,_TestDefaultCountry,_TestDefaultCountry,__invoke_watson,__invoke_watson,	0_2_000C275E
Source: C:\Users\user\Desktop\Arrivalnotice2020pdf.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_000C0F9A

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: Yara match	File source: 00000000.00000002.211934436.00000000000D3000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.474831985.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrivalnotice2020pdf.exe PID: 5492, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2540, type: MEMORY
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrivalnotice2020pdf.exe.b0000.0.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 00000003.00000002.477291193.0000000003401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2540, type: MEMORY

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.9.171.52	unknown	Australia		45638	SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU	true
174.129.214.20	unknown	United States		14618	AMAZON-AESUS	false

Name	IP	Active
elb097307-934924932.us-east-1.elb.amazonaws.com	174.129.214.20	true
webmail.hapkidocollege.com.au	103.9.171.52	true
api.ipify.org	unknown	unknown

ID:	323773
Product:	CloudBasic
Start time:	14:24:11
Start date:	27.11.2020
Sample:	Arrivalnotice2020pdf.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ed6f9a5ace6367f4e532dd4ec40762ac
SHA1:	5ed4fd1e8a4e7dbed31928c2b7dd2ca1043cb68e
SHA256:	df107977e92465958c206bf42e33ce394e8573da3c4035b69bfa0d0eaf367914
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%