Malware Analysis Report

2024-10-19 08:46

Sample ID 220521-d76arscabr
Target c0c944c8a43bdd1f51bda0c74724c4958a396f13c02fda923c38ed292fb0c7e6
SHA256 c0c944c8a43bdd1f51bda0c74724c4958a396f13c02fda923c38ed292fb0c7e6
Tags masslogger collection evasion ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 c0c944c8a43bdd1f51bda0c74724c4958a396f13c02fda923c38ed292fb0c7e6

Threat Level: Known bad

The file c0c944c8a43bdd1f51bda0c74724c4958a396f13c02fda923c38ed292fb0c7e6 was found to be: Known bad.

Malicious Activity Summary

masslogger collection evasion ransomware spyware stealer

MassLogger

MassLogger log file

MassLogger Main Payload

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks computer location settings

Checks BIOS information in registry

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Maps connected drives based on registry

Suspicious use of SetThreadContext

Enumerates physical storage devices

outlook_office_path

Suspicious use of SetWindowsHookEx

outlook_win_path

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-05-21 03:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-05-21 03:39
Reported 2022-05-21 05:25
Platform win7-20220414-en
Max time kernel 152s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1756 set thread context of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 1756 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 1756 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 1756 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 1756 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 1756 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 1756 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 1756 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 1756 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EHrUflJwi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA1BC.tmp"

C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.220.57.224:80 | api.ipify.org | tcp

Files

memory/1756-54-0x0000000000E80000-0x0000000000F48000-memory.dmp

memory/1756-55-0x0000000000200000-0x0000000000212000-memory.dmp

memory/1756-56-0x0000000005440000-0x00000000054E2000-memory.dmp

memory/1756-57-0x00000000753B1000-0x00000000753B3000-memory.dmp

memory/592-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA1BC.tmp

MD5 16d6b049000c2c79f28bce30467a8275
SHA1 398b589c62f68e2370bf55d41fd66daa9f4b087b
SHA256 c42efbebd9da478671d52eea5683a0d610617bddd6c4bb6b9dda1af27c0c9e5a
SHA512 9ba0bfc2ebfbc5b0ef04d81e4d680693089b7e738daa5c8c62358f6e2e7007825e063f57125f9c602a69ecdbab18054d628d100c4ccc3bdaf9d366f061553948

memory/692-60-0x0000000000400000-0x000000000049A000-memory.dmp

memory/692-61-0x0000000000400000-0x000000000049A000-memory.dmp

memory/692-63-0x0000000000400000-0x000000000049A000-memory.dmp

memory/692-64-0x0000000000400000-0x000000000049A000-memory.dmp

memory/692-65-0x0000000000400000-0x000000000049A000-memory.dmp

memory/692-66-0x00000000004944DE-mapping.dmp

memory/692-68-0x0000000000400000-0x000000000049A000-memory.dmp

memory/692-70-0x0000000000400000-0x000000000049A000-memory.dmp

memory/692-71-0x0000000000250000-0x0000000000294000-memory.dmp

memory/692-73-0x0000000004E35000-0x0000000004E46000-memory.dmp

memory/692-74-0x0000000000860000-0x0000000000874000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-05-21 03:39
Reported 2022-05-21 05:25
Platform win10v2004-20220414-en
Max time kernel 150s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2476 set thread context of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2476 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 2476 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 2476 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 2476 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 2476 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 2476 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 2476 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe
PID 2476 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EHrUflJwi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F85.tmp"

C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\parcel_info-pdf.exe"

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp
NL | 104.110.191.140:80 | | tcp
US | 52.109.8.20:443 | | tcp
US | 52.168.117.170:443 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
FR | 2.18.109.224:443 | | tcp
US | 104.18.25.243:80 | | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 54.91.59.199:80 | api.ipify.org | tcp

Files

memory/2476-130-0x0000000000110000-0x00000000001D8000-memory.dmp

memory/2476-131-0x0000000004C80000-0x0000000004D12000-memory.dmp

memory/2476-132-0x0000000005300000-0x000000000539C000-memory.dmp

memory/2476-133-0x0000000005A50000-0x0000000005FF4000-memory.dmp

memory/2476-134-0x0000000000930000-0x0000000000996000-memory.dmp

memory/3464-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3F85.tmp

MD5 95aeeaf7e99dfc8dbb80a2bd3b673c4e
SHA1 a4e060f38de3010285d65049a0189b7b1c02cfaa
SHA256 80a6309396c87c80f8559c73ddde9852228a65148f0da719d87a9a7ecfad6843
SHA512 3133c629503dd858e443a202652df716cad3c67ce61b82c1bd32ddbc8f784bc30e8fcc844cada0af297fe53bf0946fa66d80756f0da880a659a28534cd1089bb

memory/3724-137-0x0000000000000000-mapping.dmp

memory/3724-138-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3724-139-0x0000000006EE0000-0x0000000006EEA000-memory.dmp

memory/3724-140-0x00000000081C0000-0x0000000008210000-memory.dmp