
Analysis Report E-Tax Invoice.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 217660
Start date: 24.03.2020
Start time: 17:39:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: E-Tax Invoice.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of newly started processes analysed: 12
Number of newly started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/10@7/1
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 92.4% (good quality ratio 88.4%)
  • Quality average: 71.1%
  • Quality standard deviation: 29.5%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 18
  • Number of non-executed functions: 7
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WerFault.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 40.90.137.125, 40.90.23.154, 40.90.23.208, 20.44.86.43, 8.253.204.121, 67.27.159.126, 8.241.122.254, 8.253.204.249, 8.253.95.249, 8.241.90.254, 67.27.157.126, 8.248.121.254, 8.253.207.120, 23.210.248.85, 8.253.95.121, 8.253.95.120, 67.27.158.254
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, ipv4.login.msa.akadns6.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, login.live.com, audownload.windowsupdate.nsatc.net, login.msa.akadns6.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy   | Score | Range   | Reporting | Whitelisted | Threat   | Detection
Threshold  | 100   | 0 - 100 |           | false       | FormBook | malicious

Confidence

Strategy   | Score | Range | Further Analysis Required? | Confidence
Threshold  | 5     | 0 - 5 | false                      | (graphic not reproduced in this export)


Classification Spiderchart (chart image not reproduced in this export)

Analysis Advice

Sample has a GUI, but Joe Sandbox found no clickable buttons; additional UI automation may extend the observed behavior.
Sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior.



Mitre Att&ck Matrix

Techniques flagged by the analysis, grouped by tactic. The digits in square brackets are the report's signature-hit markers, which the original matrix shows as superscripts and which extraction ran together with the technique names; they are reproduced here as extracted. Techniques in the matrix that carry no marker were not observed and are omitted.

Initial Access: none observed
Execution: Execution through Module Load [1]
Persistence: Registry Run Keys / Startup Folder [1]
Privilege Escalation: Process Injection [512]
Defense Evasion: Process Injection [512], Masquerading [11], Software Packing [1], Disabling Security Tools [1], Modify Registry [1], Virtualization/Sandbox Evasion [3], Obfuscated Files or Information [2], DLL Side-Loading [1]
Credential Access: Credential Dumping [1]
Discovery: Virtualization/Sandbox Evasion [3], Process Discovery [2], Security Software Discovery [31], Remote System Discovery [1], File and Directory Discovery [2], System Information Discovery [23]
Lateral Movement: Remote File Copy [1]
Collection: Email Collection [1], Man in the Browser [1], Data from Local System [1]
Exfiltration: Data Encrypted [1]
Command and Control: Standard Cryptographic Protocol [1], Remote File Copy [1], Standard Non-Application Layer Protocol [2], Standard Application Layer Protocol [2]
Network Effects: none observed
Remote Service Effects: none observed
Impact: none observed

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: E-Tax Invoice.exe; Virustotal: Detection: 49%
Source: E-Tax Invoice.exe; ReversingLabs: Detection: 51%
Yara detected FormBook
Source: Yara match; File source: 00000002.00000002.1200255896.0000000000F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1198532770.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1200407153.0000000000FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 2.2.E-Tax Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.E-Tax Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: E-Tax Invoice.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.E-Tax Invoice.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_0041470A: 4x nop then pop esi

Networking:

HTTP GET or POST without a user agent
Source: global traffic; HTTP traffic detected: GET /hx227/?Jxoxsrj8=4V9z3U4/qV5vOkjszL0o2lwRhRlsGogHMZ72jqZtstByVEQbpHxFN06upYOXj5R0LL5k&WFQd=YDHT8tgH1Le81v5 HTTP/1.1; Host: www.dpsila.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown unknown
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected: GET /hx227/?Jxoxsrj8=4V9z3U4/qV5vOkjszL0o2lwRhRlsGogHMZ72jqZtstByVEQbpHxFN06upYOXj5R0LL5k&WFQd=YDHT8tgH1Le81v5 HTTP/1.1; Host: www.dpsila.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: www.dpsila.com
Urls found in memory or binary data
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.1158214023.0000000003230000.00000004.00000001.sdmp; String found in binary or memory: http://ns.microsoftom/photo/1.2/tD
Source: explorer.exe, 00000005.00000000.1157885817.00000000030D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.1177249186.000000000B2B6000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Note: every URL in this list was read from explorer.exe memory and is a font-foundry or license URL of the kind carried in font metadata; treat them as noise rather than as indicators. The only network indicator this report attributes to the sample is the beacon to www.dpsila.com.
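The beacon above carries several traits worth checking for in proxy or IDS data: the report's own signature flags the missing User-Agent header, and the request also has a GET body of seven null bytes, a single short alphanumeric directory as the path, and one long opaque base64-like query value. The Python below is an added example, not part of the Joe Sandbox report or of FormBook itself: it parses a constructed copy of the request shown and scores those traits. The benign comparison request, the indicator names and the length and character-class thresholds are assumptions chosen for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed copy of the request shown in the report (seven null bytes as the GET body).
SAMPLE_REQUEST = (
    b"GET /hx227/?Jxoxsrj8=4V9z3U4/qV5vOkjszL0o2lwRhRlsGogHMZ72jqZtstByVEQbpHxFN06upYOXj5R0LL5k"
    b"&WFQd=YDHT8tgH1Le81v5 HTTP/1.1\r\n"
    b"Host: www.dpsila.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)

# Constructed benign request for comparison (hypothetical host, not from the report).
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line, headers (lower-cased names), body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers, body)


# A query value of 40+ characters drawn only from base64 / URL-safe characters is an
# opaque blob rather than a readable parameter (threshold is an assumption).
OPAQUE_VALUE = re.compile(r"[A-Za-z0-9+/=_-]{40,}")
# The whole path is one short alphanumeric directory, e.g. /hx227/ (bounds are an assumption).
SHORT_DIR = re.compile(r"/[a-z0-9]{3,8}/")


def beacon_indicators(req: HttpRequest) -> list:
    """Return the names of the beacon traits present in the request, in a fixed order."""
    flags = []
    if "user-agent" not in req.headers:
        flags.append("no-user-agent")
    if req.method == "GET" and req.body:
        flags.append("get-with-body")
    if req.body and set(req.body) == {0}:
        flags.append("null-byte-body")
    path, _, query = req.target.partition("?")
    values = [p.partition("=")[2] for p in query.split("&") if p]
    if any(OPAQUE_VALUE.fullmatch(v) for v in values):
        flags.append("long-opaque-query-value")
    if SHORT_DIR.fullmatch(path):
        flags.append("short-alnum-directory")
    return flags


def analyze(raw: bytes) -> list:
    return beacon_indicators(parse_request(raw))


if __name__ == "__main__":
    print("sample:", analyze(SAMPLE_REQUEST))
    print("benign:", analyze(BENIGN_REQUEST))
```

Each trait alone is weak (plenty of tooling omits a User-Agent), so a rule built on this should require two or more of them together, as the sample request does, before alerting.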

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000002.00000002.1200255896.0000000000F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1198532770.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1200407153.0000000000FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 2.2.E-Tax Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.E-Tax Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.1200255896.0000000000F90000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1200255896.0000000000F90000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1198532770.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1198532770.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1200407153.0000000000FC0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1200407153.0000000000FC0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.E-Tax Invoice.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.E-Tax Invoice.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.E-Tax Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.E-Tax Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
.NET source code contains very large array initializations
Source: E-Tax Invoice.exe, wtf/nRBHJXhiQDHhxrmbDS.cs; Large array initialization: ArrayBytes: array initializer size 71184
Source: 0.0.E-Tax Invoice.exe.520000.0.unpack, wtf/nRBHJXhiQDHhxrmbDS.cs; Large array initialization: ArrayBytes: array initializer size 71184
Source: 2.0.E-Tax Invoice.exe.8f0000.0.unpack, wtf/nRBHJXhiQDHhxrmbDS.cs; Large array initialization: ArrayBytes: array initializer size 71184
Source: 2.2.E-Tax Invoice.exe.8f0000.1.unpack, wtf/nRBHJXhiQDHhxrmbDS.cs; Large array initialization: ArrayBytes: array initializer size 71184
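A 71184-byte array initializer in a small .NET loader is the usual footprint of an embedded, typically encrypted, second-stage payload, which is consistent with the FormBook image the sandbox later finds unpacked at 0x400000 in process 2. When triaging such a sample offline, a sliding-window Shannon entropy scan over the file locates the blob by offset and size before any decompilation. The Python below is an added example, not part of this report or of any Joe Sandbox tooling: it runs the scan over a constructed buffer (low-entropy text filler around a seeded pseudo-random region) so that it executes without the sample; the window size and entropy threshold are assumptions.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(buf: bytes, window: int = 1024, threshold: float = 7.2) -> list:
    """Scan buf in non-overlapping windows and merge consecutive windows whose entropy
    is at or above threshold into (offset, size) regions. Window and threshold are
    assumptions: 1024-byte windows of random data sit near 7.8 bits, text near 4-5 bits,
    so 7.2 separates packed or encrypted blobs from code and metadata."""
    regions = []
    start = None
    for off in range(0, len(buf), window):
        if shannon_entropy(buf[off:off + window]) >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, len(buf) - start))
    return regions


def build_sample() -> bytes:
    """Constructed stand-in for a loader with an embedded blob: 4096 bytes of text-like
    filler, 8192 bytes from a seeded PRNG (deterministic), then 4096 bytes of filler."""
    rng = random.Random(1337)
    filler = (b"This is low-entropy .NET metadata filler. " * 100)[:4096]
    blob = bytes(rng.getrandbits(8) for _ in range(8192))
    return filler + blob + filler


if __name__ == "__main__":
    for offset, size in high_entropy_regions(build_sample()):
        print(f"high-entropy region at offset 0x{offset:x}, {size} bytes")
```

On a real loader, run `high_entropy_regions` over the file bytes and carve the reported region; a FormBook stage is usually not directly a PE at that point, so expect to have to locate the decryption routine referencing the array in the decompiled C# before the bytes become the 0x400000 image the Yara rules match.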
Executable has a suspicious name (potential lure to open the executable)
Source: E-Tax Invoice.exe; Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: E-Tax Invoice.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00416BC0 NtCreateFile
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00416C70 NtReadFile
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00416CF0 NtClose
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00416DA0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00416BBA NtCreateFile
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00416C12 NtCreateFile
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00416CEA NtClose
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00416D9A NtAllocateVirtualMemory
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_004078F0
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_0041A17A
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_0041B1C6
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00419B23
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00419B26
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_0041AD96
One or more processes crash
Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1088
Note: WerFault.exe here is Windows Error Reporting handling the crash of PID 3476 (the export does not name that process). The WerFault.exe and conhost.exe entries elsewhere in this report are side effects of that crash and of the cmd.exe children, not behavior implemented by the sample.
Sample file is different than original file name gathered from version info
Source: E-Tax Invoice.exe, 00000000.00000000.1049805315.000000000058C000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vvvv.exe@ vs E-Tax Invoice.exe
Source: E-Tax Invoice.exe, 00000002.00000002.1201869472.00000000015AF000.00000040.00000001.sdmp; Binary or memory string: OriginalFilename ntdll.dllj% vs E-Tax Invoice.exe
Source: E-Tax Invoice.exe, 00000002.00000000.1101523139.000000000095C000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vvvv.exe@ vs E-Tax Invoice.exe
Source: E-Tax Invoice.exe, 00000002.00000002.1200736385.0000000001068000.00000004.00000020.sdmp; Binary or memory string: OriginalFilename systray.exej% vs E-Tax Invoice.exe
Source: E-Tax Invoice.exe; Binary or memory string: OriginalFilename vvvv.exe@ vs E-Tax Invoice.exe
Note: vvvv.exe is the sample's own OriginalFilename from its version resource. The ntdll.dll and systray.exe strings come from copies of those system modules held in the memory of process 2, which matches the systray.pdb debug path found in the same process and the later creation of C:\Windows\SysWOW64\systray.exe.
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\systray.exe; Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: ext-ms-win-xblauth-console-l1.dll (reported twice)
Yara signature match
Source: 00000002.00000002.1200255896.0000000000F90000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1200255896.0000000000F90000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1198532770.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1198532770.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1200407153.0000000000FC0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1200407153.0000000000FC0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.E-Tax Invoice.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.E-Tax Invoice.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.E-Tax Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.E-Tax Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Classification label
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@10/10@7/1
Creates files inside the user directory
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\Users\user\AppData\Local\DBG
Creates mutexes
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1788:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3476
Creates temporary files
Source: C:\Windows\explorer.exe; File created: C:\Users\user\AppData\Local\Temp\Qbvsddx
PE file has an executable .text section and no other executable section
Source: E-Tax Invoice.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll (reported twice)
Reads ini files
Source: C:\Windows\explorer.exe; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts (reported twice)
Source: C:\Windows\SysWOW64\systray.exe; File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: E-Tax Invoice.exe; Virustotal: Detection: 49%
Source: E-Tax Invoice.exe; ReversingLabs: Detection: 51%
Source: unknownProcess created: C:\Users\user\Desktop\E-Tax Invoice.exe 'C:\Users\user\Desktop\E-Tax Invoice.exe'
Source: unknownProcess created: C:\Users\user\Desktop\E-Tax Invoice.exe C:\Users\user\Desktop\E-Tax Invoice.exe
Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1088
Source: unknownProcess created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\E-Tax Invoice.exe'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\E-Tax Invoice.exe'Jump to behavior
Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /VJump to behavior
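The two cmd.exe children of systray.exe are the most actionable host telemetry in this report: a copy of Chrome's "Login Data" SQLite credential store into %TEMP%\DB1 (credential theft), and a `del` of the original dropper (cleanup), both launched from a Windows system binary that has no business spawning a shell. The Python below is an added example, not part of the report: it evaluates three rules against constructed process-creation events built from the command lines above plus one benign event. The Firefox file names (logins.json, key4.db) extend the credential-store rule beyond what the report shows, and the allowlist of legitimate shell parents is an assumption. The report renders command-line quotes as single quotes, while real cmd.exe lines use double quotes, so the patterns accept either.

```python
import ntpath
import re

# Constructed process-creation events mirroring the process tree in the report
# (parent, image, command line), plus one constructed benign event.
EVENTS = [
    {"parent": r"C:\Windows\SysWOW64\systray.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\E-Tax Invoice.exe'"},
    {"parent": r"C:\Windows\SysWOW64\systray.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' "
                r"'C:\Users\user\AppData\Local\Temp\DB1' /V"},
    # Benign: an interactive shell started from Explorer (constructed, not from the report).
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"/c dir"},
]

# Browser credential stores: Chrome's "Login Data" is what the report shows; the Firefox
# files are added as a generalisation of the same rule.
CRED_STORE = re.compile(r"\bcopy\b.*(Login Data|logins\.json|key4\.db)", re.I)
# cmd.exe deleting an executable, quoted with either quote style: how the dropper was removed here.
DEL_EXE = re.compile(r"\bdel\b\s+['\"]?[^'\"]+\.exe['\"]?", re.I)

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# System binaries that routinely launch cmd.exe (assumption); any other parent from
# System32/SysWOW64 spawning a shell is unusual and points at injection.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "explorer.exe"}


def system_binary_spawns_cmd(ev: dict) -> bool:
    parent_dir = ntpath.dirname(ev["parent"]).lower()
    parent_name = ntpath.basename(ev["parent"]).lower()
    child_name = ntpath.basename(ev["image"]).lower()
    return child_name == "cmd.exe" and parent_dir in SYSTEM_DIRS and parent_name not in SHELL_PARENTS


def evaluate(events: list) -> list:
    """Return one hit per (rule, event index), rules applied in a fixed order per event."""
    hits = []
    for idx, ev in enumerate(events):
        cmd = ev["cmdline"]
        is_cmd = ntpath.basename(ev["image"]).lower() == "cmd.exe"
        if CRED_STORE.search(cmd):
            hits.append({"rule": "browser-credential-store-copy", "event": idx})
        if is_cmd and DEL_EXE.search(cmd):
            hits.append({"rule": "dropper-deleted-via-cmd", "event": idx})
        if system_binary_spawns_cmd(ev):
            hits.append({"rule": "system-binary-spawns-cmd", "event": idx})
    return hits


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit["rule"], "->", EVENTS[hit["event"]]["cmdline"])
```

The parent-process rule is the durable one: the credential-store and delete patterns change with each build, but a FormBook-style injected host such as systray.exe launching cmd.exe will keep showing up in Sysmon event ID 1 or equivalent EDR telemetry regardless of the payload's command lines.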
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Writes ini files
Source: C:\Windows\SysWOW64\systray.exe; File written: C:\Users\user\AppData\Roaming\749ARU9U\749logri.ini
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\systray.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
PE file contains a COM descriptor data directory
Source: E-Tax Invoice.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: E-Tax Invoice.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: systray.pdb; source: E-Tax Invoice.exe, 00000002.00000002.1200736385.0000000001068000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 00000005.00000000.1175710576.000000000AAB0000.00000002.00000001.sdmp
Source: Binary string: systray.pdbGCTL; source: E-Tax Invoice.exe, 00000002.00000002.1200736385.0000000001068000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP; source: E-Tax Invoice.exe, 00000002.00000002.1200801316.0000000001300000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: E-Tax Invoice.exe, 00000002.00000002.1200801316.0000000001300000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb; source: explorer.exe, 00000005.00000000.1175710576.000000000AAB0000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_0041A861 push ebp; iretd (at 2_2_0041A86A)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00419A35 push eax; ret (at 2_2_00419A88)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00419AEC push eax; ret (at 2_2_00419AF2)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00419A82 push eax; ret (at 2_2_00419A88)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00419A8B push eax; ret (at 2_2_00419AF2)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00414C30 push 2D7300A2h; retf (at 2_2_00414C48)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00403432 push esi; iretd (at 2_2_0040343E)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_00414E57 push ds; retf (at 2_2_00414E73)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Code function: 2_2_0041AE9F push DBA41603h; ret (at 2_2_0041AEBF)

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\systray.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HFCDWZ9PUD (reported twice)

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry
Source: C:\Windows\SysWOW64\WerFault.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe; Process information set: NOOPENFILEERRORBOX (22 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\SysWOW64\systray.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (3 occurrences)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  RDTSC instruction interceptor: first address 0000000000407244, second address 000000000040724A; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  RDTSC instruction interceptor: first address 00000000004074AE, second address 00000000004074B4; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe  RDTSC instruction interceptor: first address 0000000003107244, second address 000000000310724A; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe  RDTSC instruction interceptor: first address 00000000031074AE, second address 00000000031074B4; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Note: the same two RDTSC pairs appear in systray.exe at the same image-relative offsets (0x7244 and 0x74AE), which is consistent with the hollowed systray.exe running the same unpacked payload that executed in E-Tax Invoice.exe at base 0x400000.

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Code function: 2_2_004073E0 rdtsc

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5760  Thread sleep time: -34000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 5164  Thread sleep time: -35000s >= -30000s

Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe  File opened: PhysicalDrive0
Note: the only process opening PhysicalDrive0 is WerFault.exe, which was launched for the first instance of the sample; disk queries are part of normal Windows Error Reporting and should not be attributed to the sample's own code without further evidence.

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000005.00000000.1173432205.0000000007BA0000.00000002.00000001.sdmp  Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.1173432205.0000000007BA0000.00000002.00000001.sdmp  Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.1173432205.0000000007BA0000.00000002.00000001.sdmp  Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.1173432205.0000000007BA0000.00000002.00000001.sdmp  Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: these four strings are Windows' own Hyper-V / Host Compute Service error messages resident in explorer.exe's memory on any Windows 10 host; on their own they are weak evidence of a VM check by the sample. The RDTSC pairs above are the stronger indicator.

Queries a list of all running processes
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe  Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Code function: 2_2_004073E0 rdtsc

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Code function: 2_2_00408420 LdrLoadDll

Enables debug privileges
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Process token adjusted: Debug  (2 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe  Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe  Network Connect: 107.180.40.143 80

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Section loaded: unknown  target: C:\Windows\explorer.exe  protection: execute and read and write
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Section loaded: unknown  target: C:\Windows\SysWOW64\systray.exe  protection: execute and read and write  (2 occurrences)
Source: C:\Windows\SysWOW64\systray.exe  Section loaded: unknown  target: C:\Windows\explorer.exe  protection: read write
Source: C:\Windows\SysWOW64\systray.exe  Section loaded: unknown  target: C:\Windows\explorer.exe  protection: execute and read and write

Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Thread register set: target process: 2864
Source: C:\Windows\SysWOW64\systray.exe  Thread register set: target process: 2864

Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Section unmapped: C:\Windows\SysWOW64\systray.exe  base address: BF0000

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\systray.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\E-Tax Invoice.exe'
Source: C:\Windows\SysWOW64\systray.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Note: the first cmd.exe deletes the original dropper from the Desktop once the payload is running inside systray.exe; the second copies Chrome's credential database to %TEMP%\DB1 so it can be read while the browser holds a lock on the original.

May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 00000005.00000000.1151700376.00000000016F0000.00000002.00000001.sdmp  Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.1171727944.00000000064E0000.00000004.00000001.sdmp  Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.1151700376.00000000016F0000.00000002.00000001.sdmp  Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.1151700376.00000000016F0000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
Note: explorer.exe owns the Progman and Shell_TrayWnd windows, so these class names are always present in its memory; the injection into explorer.exe is established by the section mapping and APC evidence above, not by these strings.

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Queries volume information: C:\Users\user\Desktop\E-Tax Invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\systray.exe  Queries volume information: C:\ VolumeInformation

Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\E-Tax Invoice.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match  File source: 00000002.00000002.1200255896.0000000000F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.1198532770.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.1200407153.0000000000FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 2.2.E-Tax Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 2.2.E-Tax Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\cmd.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\systray.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\0i8ia8vs.default\logins.json
Source: C:\Windows\SysWOW64\systray.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\0i8ia8vs.default\key4.db
Source: C:\Windows\SysWOW64\systray.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\systray.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\0i8ia8vs.default\cert9.db
Source: C:\Windows\SysWOW64\systray.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\0i8ia8vs.default\pkcs11.txt
Source: C:\Windows\SysWOW64\systray.exe  File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data

Tries to steal Mail credentials (via file access)
Source: C:\Windows\SysWOW64\systray.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected FormBook
Source: Yara match  File source: 00000002.00000002.1200255896.0000000000F90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.1198532770.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.1200407153.0000000000FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 2.2.E-Tax Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 2.2.E-Tax Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE

Malware Configuration

No configs have been found

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 217660  Sample: E-Tax Invoice.exe  Start date: 24/03/2020  Architecture: WINDOWS  Score: 100

Contacted domains / IPs: www.gayuanxiang.com; www.eyell2.com; www.dpsila.com (107.180.40.143, source port 49944 to port 80, United States, ASN unknown)

Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Sigma detected: Steal Google chrome login data; 6 other signatures

Process tree (graph flattened to text):
  E-Tax Invoice.exe (started)
    E-Tax Invoice.exe (started)  signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected)  connects to www.dpsila.com 107.180.40.143:80; signature: System process connects to network (likely due to code injection or exploit)
        systray.exe (started)  signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
          cmd.exe (started)  signature: Tries to harvest and steal browser information (history, passwords, etc)
            conhost.exe (started)
          cmd.exe (started)
            conhost.exe (started)
    WerFault.exe (started)

Simulations

Behavior and APIs

Time      Type             Description
17:40:48  API Interceptor  1x Sleep call for process: E-Tax Invoice.exe modified
17:41:10  API Interceptor  1x Sleep call for process: WerFault.exe modified
17:42:20  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run  HFCDWZ9PUD = C:\Program Files (x86)\Qbvsddx\qnot3jslbx.exe
17:42:28  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run  HFCDWZ9PUD = C:\Program Files (x86)\Qbvsddx\qnot3jslbx.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source             Detection  Scanner         Label
E-Tax Invoice.exe  49%        Virustotal
E-Tax Invoice.exe  52%        ReversingLabs   ByteCode-MSIL.Trojan.Kryptik
E-Tax Invoice.exe  100%       Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                                 Detection  Scanner  Label
2.2.E-Tax Invoice.exe.400000.0.unpack  100%       Avira    TR/Crypt.ZPACK.Gen

Domains

No Antivirus matches

URLs

Detection  Scanner          Label  Source
0%         URL Reputation   safe   http://www.typography.netD
0%         Virustotal              http://www.founder.com.cn/cn/cThe
0%         URL Reputation   safe   http://www.founder.com.cn/cn/cThe
0%         Virustotal              http://fontfabrik.com
0%         URL Reputation   safe   http://fontfabrik.com
0%         Virustotal              http://www.founder.com.cn/cn
0%         URL Reputation   safe   http://www.founder.com.cn/cn
0%         Avira URL Cloud  safe   http://www.dpsila.com/hx227/?Jxoxsrj8=4V9z3U4/qV5vOkjszL0o2lwRhRlsGogHMZ72jqZtstByVEQbpHxFN06upYOXj5R0LL5k&WFQd=YDHT8tgH1Le81v5
1%         Virustotal              http://www.founder.com.cn/cn/bThe
0%         URL Reputation   safe   http://www.founder.com.cn/cn/bThe
0%         Virustotal              http://www.jiyu-kobo.co.jp/
0%         URL Reputation   safe   http://www.jiyu-kobo.co.jp/
0%         Virustotal              http://www.tiro.com
0%         URL Reputation   safe   http://www.tiro.com
0%         URL Reputation   safe   http://www.%s.comPA
0%         Virustotal              http://www.sandoll.co.kr
0%         URL Reputation   safe   http://www.sandoll.co.kr
0%         Virustotal              http://www.goodfont.co.kr
0%         URL Reputation   safe   http://www.goodfont.co.kr
0%         Virustotal              http://www.zhongyicts.com.cn
0%         URL Reputation   safe   http://www.zhongyicts.com.cn
0%         Virustotal              http://www.sakkal.com
0%         URL Reputation   safe   http://www.sakkal.com
0%         URL Reputation   safe   http://www.carterandcone.coml
0%         Avira URL Cloud  safe   http://ns.microsoftom/photo/1.2/tD
0%         Virustotal              http://www.sajatypeworks.com
0%         URL Reputation   safe   http://www.sajatypeworks.com

Note: apart from the www.dpsila.com request, which is the only URL tied to observed traffic (107.180.40.143:80 from the injected explorer.exe), these strings are font-foundry and XMP-namespace URLs carried in system fonts and libraries mapped into the analysed processes. A 0% / "safe" verdict on the dpsila.com URL reflects reputation coverage at analysis time, not a benign request; the FormBook-style URI (/hx227/?<key>=<base64-like blob>) should be treated as C2.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source: 00000002.00000002.1200255896.0000000000F90000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook  Description: Yara detected FormBook  Author: Joe Security
  Rule: Formbook  Description: detect Formbook in memory  Author: JPCERT/CC Incident Response Group  Strings:
    • 0x157b9:$sqlite3step: 68 34 1C 7B E1
    • 0x158cc:$sqlite3step: 68 34 1C 7B E1
    • 0x157e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1590d:$sqlite3text: 68 38 2A 90 C5
    • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15923:$sqlite3blob: 68 53 D8 7F 8C
  Rule: Formbook_1  Description: autogenerated rule brought to you by yara-signator  Author: Felix Bilstein - yara-signator at cocacoding dot com  Strings:
    • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000002.00000002.1198532770.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook  Description: Yara detected FormBook  Author: Joe Security
  Rule: Formbook  Description: detect Formbook in memory  Author: JPCERT/CC Incident Response Group  Strings:
    • 0x157b9:$sqlite3step: 68 34 1C 7B E1
    • 0x158cc:$sqlite3step: 68 34 1C 7B E1
    • 0x157e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1590d:$sqlite3text: 68 38 2A 90 C5
    • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15923:$sqlite3blob: 68 53 D8 7F 8C
  Rule: Formbook_1  Description: autogenerated rule brought to you by yara-signator  Author: Felix Bilstein - yara-signator at cocacoding dot com  Strings:
    • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000002.00000002.1200407153.0000000000FC0000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook  Description: Yara detected FormBook  Author: Joe Security
  Rule: Formbook  Description: detect Formbook in memory  Author: JPCERT/CC Incident Response Group  Strings:
    • 0x157b9:$sqlite3step: 68 34 1C 7B E1
    • 0x158cc:$sqlite3step: 68 34 1C 7B E1
    • 0x157e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1590d:$sqlite3text: 68 38 2A 90 C5
    • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15923:$sqlite3blob: 68 53 D8 7F 8C
  Rule: Formbook_1  Description: autogenerated rule brought to you by yara-signator  Author: Felix Bilstein - yara-signator at cocacoding dot com  Strings:
    • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 2.2.E-Tax Invoice.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook  Description: Yara detected FormBook  Author: Joe Security
  Rule: Formbook  Description: detect Formbook in memory  Author: JPCERT/CC Incident Response Group  Strings:
    • 0x149b9:$sqlite3step: 68 34 1C 7B E1
    • 0x14acc:$sqlite3step: 68 34 1C 7B E1
    • 0x149e8:$sqlite3text: 68 38 2A 90 C5
    • 0x14b0d:$sqlite3text: 68 38 2A 90 C5
    • 0x149fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x14b23:$sqlite3blob: 68 53 D8 7F 8C
  Rule: Formbook_1  Description: autogenerated rule brought to you by yara-signator  Author: Felix Bilstein - yara-signator at cocacoding dot com  Strings:
    • 0x6448:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x66b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x11d35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x11821:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x11e37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x11faf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x722a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x10a9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x7bc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x170a7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x180aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 2.2.E-Tax Invoice.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook  Description: Yara detected FormBook  Author: Joe Security
  Rule: Formbook  Description: detect Formbook in memory  Author: JPCERT/CC Incident Response Group  Strings:
    • 0x157b9:$sqlite3step: 68 34 1C 7B E1
    • 0x158cc:$sqlite3step: 68 34 1C 7B E1
    • 0x157e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1590d:$sqlite3text: 68 38 2A 90 C5
    • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15923:$sqlite3blob: 68 53 D8 7F 8C
  Rule: Formbook_1  Description: autogenerated rule brought to you by yara-signator  Author: Felix Bilstein - yara-signator at cocacoding dot com  Strings:
    • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Note: the raw-file offsets (.raw.unpack) equal the memory-dump offsets, while the section-aligned .unpack offsets are 0xE00 lower; the rule strings are the same bytes in every dump, which is expected when the same payload is mapped into each hollowed process.
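The Yara hits above are just byte patterns at offsets, and one of them ties directly back to the evasion section: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax, and its 0x7248 offset puts the rdtsc at 0x40724A, exactly the "second address" the RDTSC interceptor recorded. The following is an added example, not JPCERT/CC's or yara-signator's rule text and not the sample's code: a small offline scanner that hard-codes the three JPCERT strings and two of the yara-signator sequences, reports offsets in the report's notation without needing the yara module, and recovers the rdtsc addresses from the $sequence_0 hits. The "all of them" condition for the JPCERT rule is an assumption, the image base of 0x400000 is taken from the dump name, and the memory buffer is constructed here from the report's offsets rather than being the real dump.

```python
"""Offline scanner for the Formbook byte patterns listed in the Yara matches above.

Added example: not JPCERT/CC's or yara-signator's rule text and not the sample's code.
The 'all of them' condition and the constructed dump are assumptions made for the demo.
"""
import re
from typing import Dict, List

# JPCERT/CC 'Formbook' strings: each is a 5-byte 'push imm32' (opcode 68) whose
# immediate the rule associates with an sqlite3 API used to read browser databases.
JPCERT_FORMBOOK: Dict[str, bytes] = {
    "$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}

# Two of the yara-signator 'Formbook_1' sequences. $sequence_0 is
# add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax: the tail of the
# two-RDTSC timing check the report intercepted at 0x407244 / 0x40724A.
YARA_SIGNATOR_FORMBOOK_1: Dict[str, bytes] = {
    "$sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
    "$sequence_7": bytes.fromhex("66 89 0C 02 5B 8B E5 5D"),
}

RDTSC = bytes.fromhex("0F 31")


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Non-overlapping offsets of needle in buf (what Yara reports per string)."""
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def scan_rule(buf: bytes, strings: Dict[str, bytes], require_all: bool = True) -> Dict:
    """Evaluate a rule: per-string hit offsets plus the rule condition."""
    hits = {name: find_all(buf, pattern) for name, pattern in strings.items()}
    present = [bool(offsets) for offsets in hits.values()]
    return {"matched": all(present) if require_all else any(present), "hits": hits}


def format_hits(hits: Dict[str, List[int]], strings: Dict[str, bytes]) -> List[str]:
    """Render hits the way the report does: '0x157b9:$sqlite3step: 68 34 1C 7B E1'."""
    lines = []
    for name, offsets in hits.items():
        pretty = strings[name].hex(" ").upper()
        lines.extend(f"0x{off:x}:{name}: {pretty}" for off in offsets)
    return lines


def rdtsc_addresses(buf: bytes, base: int = 0x400000) -> List[int]:
    """Virtual address of the rdtsc inside each $sequence_0 hit (assumed base 0x400000)."""
    seq = YARA_SIGNATOR_FORMBOOK_1["$sequence_0"]
    return [base + off + seq.index(RDTSC) for off in find_all(buf, seq)]


def build_sample_dump(size: int = 0x16000) -> bytes:
    """Constructed stand-in for the 0x400000 dump: the report's offsets, zeros elsewhere."""
    layout = {
        "$sqlite3step": (0x157B9, 0x158CC),
        "$sqlite3text": (0x157E8, 0x1590D),
        "$sqlite3blob": (0x157FB, 0x15923),
        "$sequence_0": (0x7248, 0x74B2),
        "$sequence_7": (0x89C3,),
    }
    patterns = {**JPCERT_FORMBOOK, **YARA_SIGNATOR_FORMBOOK_1}
    buf = bytearray(size)
    for name, offsets in layout.items():
        for off in offsets:
            buf[off:off + len(patterns[name])] = patterns[name]
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    for rule_name, strings in (("Formbook", JPCERT_FORMBOOK),
                               ("Formbook_1", YARA_SIGNATOR_FORMBOOK_1)):
        result = scan_rule(dump, strings)
        print(f"{rule_name}: matched={result['matched']}")
        for line in format_hits(result["hits"], strings):
            print("  " + line)
    print("rdtsc at", [hex(a) for a in rdtsc_addresses(dump)])
```

Against a real dump, replace `build_sample_dump()` with the bytes of the `.sdmp` file; the offsets printed for the 0x400000 dump should then reproduce the list above, and `rdtsc_addresses` should return 0x40724A and 0x4074B4.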

            Sigma Overview


System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started  Author: Joe Security
Data:
  Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Windows\SysWOW64\systray.exe
  ParentImage: C:\Windows\SysWOW64\systray.exe
  ParentProcessId: 4232
  ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  ProcessId: 2700
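The Sigma hit above and the two suspended-mode cmd.exe launches in the HIPS section describe the same event: a command shell, spawned by a hollowed system binary, copying Chrome's "Login Data" to %TEMP% so the stealer can read it while Chrome holds the original open. The following is an added example, not Joe Security's Sigma rule and not the sample's code: a Python re-implementation of that detection logic over process-creation records with the field names shown above (Image, CommandLine, ParentImage, ProcessId, ParentProcessId). It generalises the rule to the Firefox and Opera stores systray.exe opened in this analysis and to the `type ... >` redirection variant of a copy. The list of shell images and the copy verbs are assumptions, and the sample events are constructed: the first reproduces the record from this report, the rest are made up to show a Firefox hit and two non-matching cases.

```python
"""Sigma-style matcher for browser credential stores copied by a command shell.

Added example: not Joe Security's rule and not the sample's code. Re-implements the
logic behind the 'Steal Google chrome login data' detection in this report and extends
it to the Firefox and Opera stores the sample opened. Shell list and verbs are assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional

# Credential stores the sample touched (paths from this report). The per-profile
# directory is wildcarded because its name is random per installation.
CREDENTIAL_STORES: Dict[str, re.Pattern] = {
    "Chrome": re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data", re.I),
    "Firefox": re.compile(
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|key4\.db|cert9\.db)", re.I),
    "Opera": re.compile(r"\\Opera Software\\Opera Stable\\Login Data", re.I),
}

# Assumption: command interpreters have no legitimate reason to read these databases.
SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")

# Shell verbs that duplicate or dump a file; 'type <db> > <out>' is the redirection variant.
COPY_VERBS = re.compile(r"(?:^|[\s&|;])(?:copy|xcopy|robocopy|type)\b", re.I)


def match_credential_copy(event: Dict) -> Optional[Dict]:
    """Return a finding when a shell process copies a browser credential store."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if not image.lower().endswith(SHELL_IMAGES):
        return None
    if not COPY_VERBS.search(cmdline):
        return None
    for browser, pattern in CREDENTIAL_STORES.items():
        if pattern.search(cmdline):
            return {
                "rule": "Browser credential store copied via shell",
                "browser": browser,
                "image": image,
                "parent": event.get("ParentImage", ""),
                "pid": event.get("ProcessId"),
                "ppid": event.get("ParentProcessId"),
                "command": cmdline,
            }
    return None


def scan_process_events(events: Iterable[Dict]) -> List[Dict]:
    """Run the matcher over a stream of process-creation events."""
    findings = []
    for event in events:
        finding = match_credential_copy(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events. The first reproduces the record from this report; the
# others are made up to show a Firefox hit and two cases that must not alert.
SAMPLE_EVENTS: List[Dict] = [
    {
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": r"/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V",
        "ParentImage": r"C:\Windows\SysWOW64\systray.exe",
        "ProcessId": 2700,
        "ParentProcessId": 4232,
    },
    {   # constructed: same technique against Firefox's key database via redirection
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c type "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\key4.db" > C:\Users\user\AppData\Local\Temp\k.db',
        "ParentImage": r"C:\Windows\SysWOW64\systray.exe",
        "ProcessId": 3001,
        "ParentProcessId": 4232,
    },
    {   # constructed benign shell use: no credential store in the command line
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"/c dir C:\Users\user\Documents",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ProcessId": 3002,
        "ParentProcessId": 5760,
    },
    {   # constructed: the browser itself is not a shell, so its launch is ignored
        "Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ProcessId": 3003,
        "ParentProcessId": 5760,
    },
]


if __name__ == "__main__":
    for finding in scan_process_events(SAMPLE_EVENTS):
        print(f"[{finding['browser']}] pid {finding['pid']} <- {finding['parent']}: {finding['command']}")
```

The parent image is carried in each finding on purpose: a cmd.exe whose parent is a SysWOW64 system binary such as systray.exe, which normally never spawns a shell, is the detail that turns a credential-store copy from suspicious into a confirmed injection chain, as the process tree above shows.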

            Joe Sandbox View / Context

            IPs

Match           Associated Sample Name / URL      Detection  Context
107.180.40.143  http://getigrationmailbox.com/    malicious  getigrationmailbox.com/cpanel

            Domains

            No context

            ASN

Match: unknown (ASN)

Associated Sample Name / URL                                                                                                                                                                                                                                                                                                             Detection  Context (IP)
FreeCodecs.exe                                                                                                                                                                                                                                                                                                                           malicious  104.27.136.17
notif-660090.xls                                                                                                                                                                                                                                                                                                                         malicious  8.208.28.247
http://t.info.samsungusa.com/r/?id=hflx2fd4,77c0c34,339a477f&p1=corona1.blob.core.windows.net%2Fcorona%2FAp3dX.html%3Fsp%3Dr%26st%3D2020-03-23T17%3A05%3A10Z%26se%3D2020-04-10T23%3A05%3A10Z%26spr%3Dhttps%26sv%3D2019-02-02%26sr%3Db%26sig%3DU1xtjKSh0m%252BGp4PSWrglnmAB%252BdV1fFskwSBlrYaO5lk%253D%23SILENTCODERSEMAIL  malicious  52.239.145.36
Fondsftq Audio.htm                                                                                                                                                                                                                                                                                                                       malicious  91.198.174.208
my_presentation_d9p.js                                                                                                                                                                                                                                                                                                                   malicious  47.91.72.221
info 493.xls                                                                                                                                                                                                                                                                                                                             malicious  8.208.28.247
194201.js                                                                                                                                                                                                                                                                                                                                malicious  191.232.234.184
194201.js                                                                                                                                                                                                                                                                                                                                malicious  191.232.234.184
194201.js                                                                                                                                                                                                                                                                                                                                malicious  191.232.234.184
http://mksadvertising.com/app.php                                                                                                                                                                                                                                                                                                        malicious  35.181.91.36
194201.js                                                                                                                                                                                                                                                                                                                                malicious  191.232.234.184
Info467200.xls                                                                                                                                                                                                                                                                                                                           malicious  8.208.28.247
2018-2019.doc                                                                                                                                                                                                                                                                                                                            malicious  52.114.77.33
576576.js                                                                                                                                                                                                                                                                                                                                malicious  104.41.36.91
576576.js                                                                                                                                                                                                                                                                                                                                malicious  104.41.36.91
439075.js                                                                                                                                                                                                                                                                                                                                malicious  104.41.36.91
439075.js                                                                                                                                                                                                                                                                                                                                malicious  104.41.36.91
Eurolease Auto 6427.doc                                                                                                                                                                                                                                                                                                                  malicious  52.114.132.34
download software io_83890647.exe                                                                                                                                                                                                                                                                                                        malicious  104.31.66.92
https://sounding222.z13.web.core.windows.net/#emma.kelly@PlanetPayment.com                                                                                                                                                                                                                                                               malicious  52.239.169.1

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.