
Analysis Report http://gbud.webd.pl/cli/Invo.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 223150
Start date: 16.04.2020
Start time: 19:41:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: browseurl.jbs
Sample URL: http://gbud.webd.pl/cli/Invo.exe
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.win@7/14@3/2
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): ielowutil.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 104.118.121.11, 72.247.224.69, 152.199.19.161, 8.248.147.254, 67.27.157.126, 67.27.159.126, 67.26.75.254, 8.248.119.254
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Nanocore | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |

Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Hidden Files and Directories 1 | Process Injection 112 | Masquerading 1 | Input Capture 21 | Virtualization/Sandbox Evasion 2 | Remote File Copy 1 | Input Capture 21 | Data Compressed | Commonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Command-Line Interface 2 | Port Monitors | Accessibility Features | Hidden Files and Directories 1 | Network Sniffing | Process Discovery 2 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote Access Tools 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Exploitation for Client Execution 1 | Accessibility Features | Path Interception | Software Packing 2 | Input Capture | Application Window Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Graphical User Interface 2 | System Firmware | DLL Search Order Hijacking | Disabling Security Tools 1 | Credentials in Files | Security Software Discovery 111 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol 2 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Virtualization/Sandbox Evasion 2 | Account Manipulation | File and Directory Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol 12 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Process Injection 112 | Brute Force | System Information Discovery 12 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Obfuscated Files or Information 1 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading 1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Invo[1].exe | Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe.8rkfuyz.partial | Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Invo[1].exe | Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe.8rkfuyz.partial | Virustotal: Detection: 36%
Yara detected Nanocore RAT
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4280, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invo.exe PID: 2072, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Invo[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe.8rkfuyz.partial | Joe Sandbox ML: detected

Spreading:

Enumerates the file system
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\

Software Vulnerabilities:

Potential browser exploit detected (process start blacklist hit)
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49751 -> 137.74.80.220:54917
Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 137.74.80.220 ports 54917,1,4,5,7,9
Uses dynamic DNS services
Source: unknown | DNS query: name: 549177.duckdns.org
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
  GET /cli/Invo.exe HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: gbud.webd.pl
  Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: gbud.webd.pl
Urls found in memory or binary data
Source: RegAsm.exe | String found in binary or memory: http://google.com
Source: RegAsm.exe | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Invo.exe | Binary or memory string: "<HOOK MODULE='DDRAW.DLL' FUNCTION='DirectDrawCreateEx'/>"
Installs a raw input device (often for capturing keystrokes)
Source: RegAsm.exe | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4280, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invo.exe PID: 2072, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: Process Memory Space: RegAsm.exe PID: 4280, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4280, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Invo.exe PID: 2072, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Invo.exe PID: 2072, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Yara signature match
Source: Process Memory Space: RegAsm.exe PID: 4280, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 4280, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Invo.exe PID: 2072, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Invo.exe PID: 2072, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: Invo[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Invo.exe.8rkfuyz.partial.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine | Classification label: mal100.troj.evad.win@7/14@3/2
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates mutexes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{7503ba89-37c5-49c8-a0ba-3c086b222a4a}
Creates temporary files
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF2A082777C528F7E1.TMP
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Reads ini files
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments
Source: Invo.exe | String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0
Source: Invo.exe | String found in binary or memory: "The device has succeeded a query-stop and its resource requirements have changed."
Source: Invo.exe | String found in binary or memory: "The components threading model has changed after install into a COM+ Application. Please re-install component."
Source: Invo.exe | String found in binary or memory: "The device's co-installer has additional work to perform after installation is complete."
Source: Invo.exe | String found in binary or memory: "The device's co-installer is invalid."
Source: Invo.exe | String found in binary or memory: "BitLocker Drive Encryption can only be used for limited provisioning or recovery purposes when the computer is running in pre-installation or recovery environments."
Source: RegAsm.exe | String found in binary or memory: in-addr.arpa
Spawns processes
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1520 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1520 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe'
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Found GUI installer (many successful clicks)
Source: C:\Program Files\internet explorer\iexplore.exe | Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe | Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe | Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe | Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe | Automated click: Run
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: "P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb" source: RegAsm.exe
Source: Binary string: "G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb" source: RegAsm.exe
Source: Binary string: "C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb" source: RegAsm.exe
Source: Binary string: "C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb" source: RegAsm.exe
Source: Binary string: "C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb" source: RegAsm.exe
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe
Source: Binary string: tPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.4444687112

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe.8rkfuyz.partial
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Invo[1].exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 7161
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: foregroundWindowGot 603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: foregroundWindowGot 820
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe TID: 2288 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2232 | Thread sleep time: -9223372036854770s >= -30000s
Enumerates the file system
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: Invo.exe | Binary or memory string: "The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported."
Source: Invo.exe | Binary or memory string: "A Virtual Machine could not be started because Hyper-V is not installed."
Source: RegAsm.exe | Binary or memory string: "Hyper-V RAW"
Source: Invo.exe | Binary or memory string: "An unknown internal message was received by the Hyper-V Compute Service."
Source: Invo.exe | Binary or memory string: "A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service."
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
May try to detect the Windows Explorer process (often used for injection)
Source: RegAsm.exe | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe | Binary or memory string: Progman
Source: RegAsm.exe | Binary or memory string: "Program Manager"

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4280, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invo.exe PID: 2072, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: Invo.exe | String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4280, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invo.exe PID: 2072, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

Time | Type | Description
19:42:37 | API Interceptor | 1248x Sleep call for process: RegAsm.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Invo[1].exe | 100% | Avira | TR/Crypt.XDR.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe.8rkfuyz.partial | 100% | Avira | TR/Crypt.XDR.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Invo[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe.8rkfuyz.partial | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Invo[1].exe | 37% | Virustotal |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\Invo.exe.8rkfuyz.partial | 37% | Virustotal |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: RegAsm.exe PID: 4280 | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x10eb:$x1: NanoCore.ClientPluginHost
  • 0xb726c:$x1: NanoCore.ClientPluginHost
  • 0xc93cb:$x1: NanoCore.ClientPluginHost
  • 0xd0b90:$x1: NanoCore.ClientPluginHost
  • 0xde489:$x1: NanoCore.ClientPluginHost
  • 0xe0819:$x1: NanoCore.ClientPluginHost
  • 0xe5269:$x1: NanoCore.ClientPluginHost
  • 0xe6eec:$x1: NanoCore.ClientPluginHost
  • 0xea6f5:$x1: NanoCore.ClientPluginHost
  • 0xf0812:$x1: NanoCore.ClientPluginHost
  • 0xf4710:$x1: NanoCore.ClientPluginHost
  • 0xfd446:$x1: NanoCore.ClientPluginHost
  • 0x10258c:$x1: NanoCore.ClientPluginHost
  • 0x13deac:$x1: NanoCore.ClientPluginHost
  • 0x14b3f4:$x1: NanoCore.ClientPluginHost
  • 0x158222:$x1: NanoCore.ClientPluginHost
  • 0x17af69:$x1: NanoCore.ClientPluginHost
  • 0x18586c:$x1: NanoCore.ClientPluginHost
  • 0x18df5e:$x1: NanoCore.ClientPluginHost
  • 0x192b81:$x1: NanoCore.ClientPluginHost
  • 0x19ccdb:$x1: NanoCore.ClientPluginHost
Process Memory Space: RegAsm.exe PID: 4280 | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
Process Memory Space: RegAsm.exe PID: 4280 | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xb93:$a: NanoCore
  • 0xbb9:$a: NanoCore
  • 0x101f:$a: NanoCore
  • 0x105b:$a: NanoCore
  • 0x10eb:$a: NanoCore
  • 0x66762:$a: NanoCore
  • 0x6e6f5:$a: NanoCore
  • 0x721fc:$a: NanoCore
  • 0x75c4a:$a: NanoCore
  • 0x7b98b:$a: NanoCore
  • 0x7baf7:$a: NanoCore
  • 0x7bff6:$a: NanoCore
  • 0x7c230:$a: NanoCore
  • 0x84c57:$a: NanoCore
  • 0x84cc6:$a: NanoCore
  • 0x84d8b:$a: NanoCore
  • 0xb710e:$a: NanoCore
  • 0xb71df:$a: NanoCore
  • 0xb726c:$a: NanoCore
  • 0xb735d:$a: NanoCore
  • 0xc937e:$a: NanoCore
Process Memory Space: Invo.exe PID: 2072 | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x42020:$x1: NanoCore.ClientPluginHost
  • 0xe4420:$x1: NanoCore.ClientPluginHost
  • 0xfdf54:$x1: NanoCore.ClientPluginHost
  • 0x42099:$x2: IClientNetworkHost
  • 0xe4499:$x2: IClientNetworkHost
  • 0xfdfcd:$x2: IClientNetworkHost
  • 0x48567:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xea9c4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x1044f8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Invo.exe PID: 2072 | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
Process Memory Space: Invo.exe PID: 2072 | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x41ac8:$a: NanoCore
  • 0x41aee:$a: NanoCore
  • 0x41f54:$a: NanoCore
  • 0x41f90:$a: NanoCore
  • 0x42020:$a: NanoCore
  • 0xe3ec8:$a: NanoCore
  • 0xe3eee:$a: NanoCore
  • 0xe4354:$a: NanoCore
  • 0xe4390:$a: NanoCore
  • 0xe4420:$a: NanoCore
  • 0xfd9fc:$a: NanoCore
  • 0xfda22:$a: NanoCore
  • 0xfde88:$a: NanoCore
  • 0xfdec4:$a: NanoCore
  • 0xfdf54:$a: NanoCore
  • 0x41ba2:$b: ClientPlugin
  • 0x41f99:$b: ClientPlugin
  • 0x42029:$b: ClientPlugin
  • 0xe3fa2:$b: ClientPlugin
  • 0xe4399:$b: ClientPlugin
  • 0xe4429:$b: ClientPlugin

Unpacked PEs

No yara matches

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 4280, TargetFilename: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\run.dat

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.