Analysis Report INV.exe

Overview

General Information

Sample Name: INV.exe
Analysis ID: 323458
MD5: 83259cb82642666503278233421c306d
SHA1: 180e81bab341eda0d404b8f5fed93bc3b350cfbd
SHA256: 6e28207e7a3ef7f173d7a7905208a55ff0ad1eb645241e2e9ae453c643cf3a31
Tags: exe

Detection

FormBook
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: INV.exe Avira: detected
Yara detected FormBook
Source: Yara match File source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: INV.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.INV.exe.1060000.0.unpack Avira: Label: ADWARE/MultiPlug.Gen7
Source: 4.0.INV.exe.1060000.0.unpack Avira: Label: ADWARE/MultiPlug.Gen7
Source: 4.2.INV.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.INV.exe.1060000.0.unpack Avira: Label: ADWARE/MultiPlug.Gen7
Source: 2.2.INV.exe.1060000.0.unpack Avira: Label: ADWARE/MultiPlug.Gen7
Source: 3.2.INV.exe.1060000.0.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.2.INV.exe.1060000.0.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 4.2.INV.exe.1060000.1.unpack Avira: Label: ADWARE/MultiPlug.Gen7
Source: 3.0.INV.exe.1060000.0.unpack Avira: Label: ADWARE/MultiPlug.Gen7
Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00404A29 FindFirstFileExW, 4_2_00404A29

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\INV.exe Code function: 4x nop then pop ebx 0_2_01099E2B
Source: C:\Users\user\Desktop\INV.exe Code function: 4x nop then pop ebx 3_2_01099E2B
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: INV.exe, 00000000.00000002.648809427.00000000012C8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Detected potential crypto function
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01061BC7 0_2_01061BC7
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0109C16C 0_2_0109C16C
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0109C170 0_2_0109C170
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010950B7 0_2_010950B7
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010950C0 0_2_010950C0
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0106B0E6 0_2_0106B0E6
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01093360 0_2_01093360
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01074399 0_2_01074399
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010952E0 0_2_010952E0
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01071521 0_2_01071521
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0108A57D 0_2_0108A57D
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0106B4FE 0_2_0106B4FE
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010727AF 0_2_010727AF
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0106B933 0_2_0106B933
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010759B4 0_2_010759B4
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0106ABF2 0_2_0106ABF2
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01071A93 0_2_01071A93
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010B0AC0 0_2_010B0AC0
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01073AD7 0_2_01073AD7
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01069D44 0_2_01069D44
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0106BD68 0_2_0106BD68
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01070FB6 0_2_01070FB6
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01071521 2_2_01071521
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0106B933 2_2_0106B933
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01069D44 2_2_01069D44
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0106BD68 2_2_0106BD68
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_010759B4 2_2_010759B4
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0106B0E6 2_2_0106B0E6
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0106B4FE 2_2_0106B4FE
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01074399 2_2_01074399
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_010727AF 2_2_010727AF
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01070FB6 2_2_01070FB6
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01061BC7 2_2_01061BC7
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0106ABF2 2_2_0106ABF2
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01071A93 2_2_01071A93
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01073AD7 2_2_01073AD7
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01061BC7 3_2_01061BC7
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0109C16C 3_2_0109C16C
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0109C170 3_2_0109C170
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010950B7 3_2_010950B7
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010950C0 3_2_010950C0
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0106B0E6 3_2_0106B0E6
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01093360 3_2_01093360
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01074399 3_2_01074399
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010952E0 3_2_010952E0
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01071521 3_2_01071521
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0108A57D 3_2_0108A57D
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0106B4FE 3_2_0106B4FE
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010727AF 3_2_010727AF
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0106B933 3_2_0106B933
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010759B4 3_2_010759B4
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0106ABF2 3_2_0106ABF2
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01071A93 3_2_01071A93
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010B0AC0 3_2_010B0AC0
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01073AD7 3_2_01073AD7
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01069D44 3_2_01069D44
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0106BD68 3_2_0106BD68
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01070FB6 3_2_01070FB6
Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_0040A2A5 4_2_0040A2A5
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\INV.exe Code function: String function: 010821A8 appears 46 times
Source: C:\Users\user\Desktop\INV.exe Code function: String function: 01085976 appears 36 times
Source: C:\Users\user\Desktop\INV.exe Code function: String function: 010627F0 appears 90 times
Source: C:\Users\user\Desktop\INV.exe Code function: String function: 010615FE appears 33 times
Source: C:\Users\user\Desktop\INV.exe Code function: String function: 010632A1 appears 81 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 872
Sample file is different than original file name gathered from version info
Source: INV.exe, 00000000.00000003.647727507.0000000002F0F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs INV.exe
Source: INV.exe, 00000003.00000003.649712453.00000000033FF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs INV.exe
Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INV.exe
Source: INV.exe, 00000004.00000002.728240140.0000000004D90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs INV.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal72.troj.evad.winEXE@9/4@0/0
Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 4_2_00401489
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2856
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD26.tmp
Source: INV.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INV.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\INV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\INV.exe 'C:\Users\user\Desktop\INV.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: unknown Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: unknown Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 872
Source: C:\Users\user\Desktop\INV.exe Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: C:\Users\user\Desktop\INV.exe Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: C:\Users\user\Desktop\INV.exe Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: C:\Users\user\Desktop\INV.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: INV.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.658590255.0000000002FCA000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: INV.exe, 00000000.00000003.647077119.0000000002C60000.00000004.00000001.sdmp, INV.exe, 00000003.00000003.653597565.00000000032E0000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.658584638.0000000002FC4000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 00000007.00000003.662436848.0000000004FDE000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 00000007.00000003.662359081.0000000004EF2000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb7^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb=^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.658722034.0000000002FCF000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp, WERD26.tmp.dmp.7.dr
Source: Binary string: oleaut32.pdb]^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb;^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.658584638.0000000002FC4000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb)^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: INV.exe, 00000000.00000003.647077119.0000000002C60000.00000004.00000001.sdmp, INV.exe, 00000003.00000003.653597565.00000000032E0000.00000004.00000001.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000007.00000003.662436848.0000000004FDE000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000007.00000003.662436848.0000000004FDE000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERD26.tmp.dmp.7.dr
Source: Binary string: mscoree.pdbs^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb[^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp, WERD26.tmp.dmp.7.dr
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.658722034.0000000002FCF000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
Source: Binary string: profapi.pdba^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.662424702.0000000004FD4000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdbk source: WerFault.exe, 00000007.00000003.662424702.0000000004FD4000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000007.00000003.658590255.0000000002FCA000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbo^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: Binary string: .pdbEE source: WerFault.exe, 00000007.00000003.662359081.0000000004EF2000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010821EE push ecx; ret 0_2_01082201
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010A05B2 pushfd ; retf 0_2_010A05ED
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010AF402 push eax; ret 0_2_010AF408
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010AF46C push eax; ret 0_2_010AF472
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01062835 push ecx; ret 0_2_01062848
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010A8864 push edx; retf 0_2_010A8884
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01099B83 push es; ret 0_2_01099B93
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01099A9E push ss; ret 0_2_01099AEC
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0107EDC0 push eax; ret 0_2_0107EE21
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01096C15 push eax; iretd 0_2_01096C16
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010A8C60 push ds; retf 0_2_010A8C61
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010A8F2B push ecx; ret 0_2_010A8F33
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010A8F24 push ecx; ret 0_2_010A8F33
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0107EE70 push eax; ret 0_2_0107EE21
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01062835 push ecx; ret 2_2_01062848
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010821EE push ecx; ret 3_2_01082201
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010A05B2 pushfd ; retf 3_2_010A05ED
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010AF402 push eax; ret 3_2_010AF408
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010AF46C push eax; ret 3_2_010AF472
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01062835 push ecx; ret 3_2_01062848
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010A8864 push edx; retf 3_2_010A8884
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01099B83 push es; ret 3_2_01099B93
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01099A9E push ss; ret 3_2_01099AEC
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0107EDC0 push eax; ret 3_2_0107EE21
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01096C15 push eax; iretd 3_2_01096C16
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010A8C60 push ds; retf 3_2_010A8C61
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010A8F2B push ecx; ret 3_2_010A8F33
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010A8F24 push ecx; ret 3_2_010A8F33
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0107EE70 push eax; ret 3_2_0107EE21
Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00401F16 push ecx; ret 4_2_00401F29

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01061BC7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01061BC7
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Stores large binary data to the registry
Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\INV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0109BDC0 rdtsc 0_2_0109BDC0
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00404A29 FindFirstFileExW, 4_2_00404A29
Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000007.00000002.724149212.0000000004BF2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0?
Source: WerFault.exe, 00000007.00000002.724219863.0000000004C50000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WerFault.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\INV.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0109BDC0 rdtsc 0_2_0109BDC0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010683A4 IsDebuggerPresent, 0_2_010683A4
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010656BA EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_010656BA
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01077800 mov eax, dword ptr fs:[00000030h] 0_2_01077800
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010802BD mov eax, dword ptr fs:[00000030h] 0_2_010802BD
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010838C9 mov eax, dword ptr fs:[00000030h] 0_2_010838C9
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01077A20 mov eax, dword ptr fs:[00000030h] 0_2_01077A20
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01080D23 mov eax, dword ptr fs:[00000030h] 0_2_01080D23
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01080C83 mov eax, dword ptr fs:[00000030h] 0_2_01080C83
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01080CC0 mov eax, dword ptr fs:[00000030h] 0_2_01080CC0
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01077800 mov eax, dword ptr fs:[00000030h] 2_2_01077800
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01077A20 mov eax, dword ptr fs:[00000030h] 2_2_01077A20
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01077800 mov eax, dword ptr fs:[00000030h] 3_2_01077800
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010802BD mov eax, dword ptr fs:[00000030h] 3_2_010802BD
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010838C9 mov eax, dword ptr fs:[00000030h] 3_2_010838C9
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01077A20 mov eax, dword ptr fs:[00000030h] 3_2_01077A20
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01080D23 mov eax, dword ptr fs:[00000030h] 3_2_01080D23
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01080C83 mov eax, dword ptr fs:[00000030h] 3_2_01080C83
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01080CC0 mov eax, dword ptr fs:[00000030h] 3_2_01080CC0
Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_004035F1 mov eax, dword ptr fs:[00000030h] 4_2_004035F1
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01061DB2 GetProcessHeap, 0_2_01061DB2
Enables debug privileges
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010630B6 SetUnhandledExceptionFilter, 0_2_010630B6
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010630E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_010630E7
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_010630B6 SetUnhandledExceptionFilter, 2_2_010630B6
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_010630E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_010630E7
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010630B6 SetUnhandledExceptionFilter, 3_2_010630B6
Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010630E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_010630E7
Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00401E1D SetUnhandledExceptionFilter, 4_2_00401E1D
Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0040446F
Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00401C88
Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00401F30
Source: C:\Users\user\Desktop\INV.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\INV.exe Section loaded: unknown target: C:\Users\user\Desktop\INV.exe protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\INV.exe Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01082365 cpuid 0_2_01082365
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\INV.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 0_2_0106E15F
Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 0_2_010660C8
Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW, 0_2_0106E3D3
Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_0106E52F
Source: C:\Users\user\Desktop\INV.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0106755A
Source: C:\Users\user\Desktop\INV.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 0_2_0106458E
Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_0106E42F
Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_0106E4AC
Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW, 0_2_0106771D
Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_0106E724
Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_0106A73D
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW, 0_2_010677A3
Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_010666CA
Source: C:\Users\user\Desktop\INV.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 0_2_0106E9CF
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0106E84E
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_0106E8FB
Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 0_2_01065C88
Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 2_2_0106E52F
Source: C:\Users\user\Desktop\INV.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 2_2_0106E15F
Source: C:\Users\user\Desktop\INV.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_0106755A
Source: C:\Users\user\Desktop\INV.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 2_2_0106458E
Source: C:\Users\user\Desktop\INV.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 2_2_0106E9CF
Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 2_2_0106E42F
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0106E84E
Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 2_2_01065C88
Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 2_2_0106E4AC
Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 2_2_010660C8
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 2_2_0106E8FB
Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW, 2_2_0106771D
Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 2_2_0106E724
Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 2_2_0106A73D
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW, 2_2_010677A3
Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW, 2_2_0106E3D3
Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_010666CA
Source: C:\Users\user\Desktop\INV.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 3_2_0106E15F
Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 3_2_010660C8
Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW, 3_2_0106E3D3
Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 3_2_0106E52F
Source: C:\Users\user\Desktop\INV.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_0106755A
Source: C:\Users\user\Desktop\INV.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 3_2_0106458E
Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_0106E42F
Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_0106E4AC
Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW, 3_2_0106771D
Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 3_2_0106E724
Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 3_2_0106A73D
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW, 3_2_010677A3
Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_010666CA
Source: C:\Users\user\Desktop\INV.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 3_2_0106E9CF
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_0106E84E
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 3_2_0106E8FB
Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 3_2_01065C88
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01062679 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_01062679

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 323458, Sample: INV.exe, Startdate: 27/11/2020, Architecture: WINDOWS, Score: 72)

Signatures attached to the sample node:

  • Malicious sample detected (through community Yara rule)
  • Antivirus / Scanner detection for submitted sample
  • Yara detected FormBook
  • Machine Learning detection for sample

Process tree recovered from the graph (node counts kept as they appear in the graph):

  • INV.exe (1), started
    • INV.exe (1), started; signature: Maps a DLL or memory area into another process
      • INV.exe, started
        • WerFault.exe (23 9), started; dropped file: C:\ProgramData\Microsoft\...\Report.wer, Little-endian
    • conhost.exe, started
    • INV.exe, started
No contacted IP infos