Analysis Report INV.exe

Overview

General Information

Sample Name: INV.exe
Analysis ID: 323458
MD5: 83259cb82642666503278233421c306d
SHA1: 180e81bab341eda0d404b8f5fed93bc3b350cfbd
SHA256: 6e28207e7a3ef7f173d7a7905208a55ff0ad1eb645241e2e9ae453c643cf3a31
Tags: exe


Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: INV.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: INV.exe Virustotal: Detection: 36%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: INV.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.INV.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.INV.exe.90000.0.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 2.0.INV.exe.90000.0.unpack Avira: Label: ADWARE/MultiPlug.Gen7
Source: 0.0.INV.exe.90000.0.unpack Avira: Label: ADWARE/MultiPlug.Gen7
Source: 2.2.INV.exe.90000.0.unpack Avira: Label: ADWARE/MultiPlug.Gen7
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00404A29 FindFirstFileExW, 2_2_00404A29

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\INV.exe Code function: 4x nop then pop ebx 0_2_000C9E2B
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.653666644.0000000004CE0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Detected potential crypto function
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_00091BC7 0_2_00091BC7
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000C50B7 0_2_000C50B7
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000C50C0 0_2_000C50C0
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0009B0E6 0_2_0009B0E6
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000CC16C 0_2_000CC16C
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000CC170 0_2_000CC170
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000C52E0 0_2_000C52E0
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000C3360 0_2_000C3360
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000A4399 0_2_000A4399
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0009B4FE 0_2_0009B4FE
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000A1521 0_2_000A1521
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000BA57D 0_2_000BA57D
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000A27AF 0_2_000A27AF
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0009B933 0_2_0009B933
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000A59B4 0_2_000A59B4
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000A1A93 0_2_000A1A93
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000E0AC0 0_2_000E0AC0
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000A3AD7 0_2_000A3AD7
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0009ABF2 0_2_0009ABF2
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_00099D44 0_2_00099D44
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0009BD68 0_2_0009BD68
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000A0FB6 0_2_000A0FB6
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0009B0E6 2_2_0009B0E6
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0009B4FE 2_2_0009B4FE
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000A1521 2_2_000A1521
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0009B933 2_2_0009B933
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00099D44 2_2_00099D44
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0009BD68 2_2_0009BD68
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000A59B4 2_2_000A59B4
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000A1A93 2_2_000A1A93
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000A3AD7 2_2_000A3AD7
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000A4399 2_2_000A4399
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000A27AF 2_2_000A27AF
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000A0FB6 2_2_000A0FB6
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00091BC7 2_2_00091BC7
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0009ABF2 2_2_0009ABF2
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0040A2A5 2_2_0040A2A5
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\INV.exe Code function: String function: 000932A1 appears 54 times
Source: C:\Users\user\Desktop\INV.exe Code function: String function: 000927F0 appears 60 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 872
Sample file is different than original file name gathered from version info
Source: INV.exe, 00000000.00000003.644161326.0000000002526000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs INV.exe
Source: INV.exe, 00000002.00000002.668878228.0000000004D50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs INV.exe
Source: INV.exe, 00000002.00000002.668934607.0000000004DC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INV.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal80.troj.evad.winEXE@5/4@0/0
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 2_2_00401489
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6640
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER54C8.tmp
Source: INV.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INV.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\INV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: INV.exe Virustotal: Detection: 36%
Source: unknown Process created: C:\Users\user\Desktop\INV.exe 'C:\Users\user\Desktop\INV.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 872
Source: C:\Users\user\Desktop\INV.exe Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: C:\Users\user\Desktop\INV.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: INV.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wintrust.pdbJ source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.650985591.00000000046CD000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000005.00000003.653962430.0000000004CA0000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: INV.exe, 00000000.00000003.644532557.0000000002410000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 00000005.00000003.654329781.00000000049C2000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.654358886.0000000004B90000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.654358886.0000000004B90000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.654358886.0000000004B90000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp, WER54C8.tmp.dmp.5.dr
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.654358886.0000000004B90000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: INV.exe, 00000000.00000003.644532557.0000000002410000.00000004.00000001.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER54C8.tmp.dmp.5.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000005.00000003.653962430.0000000004CA0000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.654358886.0000000004B90000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000005.00000003.653962430.0000000004CA0000.00000004.00000001.sdmp, WER54C8.tmp.dmp.5.dr
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.654362368.0000000004B94000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdbk source: WerFault.exe, 00000005.00000003.654362368.0000000004B94000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
Source: Binary string: .pdbEE source: WerFault.exe, 00000005.00000003.654329781.00000000049C2000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B21EE push ecx; ret 0_2_000B2201
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000DF402 push eax; ret 0_2_000DF408
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000DF46C push eax; ret 0_2_000DF472
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000D05B2 pushfd ; retf 0_2_000D05ED
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_00092835 push ecx; ret 0_2_00092848
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000D8864 push edx; retf 0_2_000D8884
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000C9A9E push ss; ret 0_2_000C9AEC
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000C9B83 push es; ret 0_2_000C9B93
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000C6C15 push eax; iretd 0_2_000C6C16
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000D8C60 push ds; retf 0_2_000D8C61
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000AEDC0 push eax; ret 0_2_000AEE21
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000AEE70 push eax; ret 0_2_000AEE21
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000D8F2B push ecx; ret 0_2_000D8F33
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000D8F24 push ecx; ret 0_2_000D8F33
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00092835 push ecx; ret 2_2_00092848
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00401F16 push ecx; ret 2_2_00401F29

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_00091BC7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00091BC7
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Stores large binary data to the registry
Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket Jump to behavior
Source: C:\Users\user\Desktop\INV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000CBC10 rdtsc 0_2_000CBC10
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00404A29 FindFirstFileExW, 2_2_00404A29
Source: INV.exe, 00000002.00000002.668934607.0000000004DC0000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.665648403.0000000004BB0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000005.00000002.664993671.0000000004633000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: INV.exe, 00000002.00000002.668934607.0000000004DC0000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.665648403.0000000004BB0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: INV.exe, 00000002.00000002.668934607.0000000004DC0000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.665648403.0000000004BB0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000005.00000002.664975958.0000000004620000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`|c
Source: INV.exe, 00000002.00000002.668934607.0000000004DC0000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.665648403.0000000004BB0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WerFault.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\INV.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000CBC10 rdtsc 0_2_000CBC10
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000983A4 IsDebuggerPresent, 0_2_000983A4
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000956BA EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_000956BA
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000A7800 mov eax, dword ptr fs:[00000030h] 0_2_000A7800
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B02BD mov eax, dword ptr fs:[00000030h] 0_2_000B02BD
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B38C9 mov eax, dword ptr fs:[00000030h] 0_2_000B38C9
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000A7A20 mov eax, dword ptr fs:[00000030h] 0_2_000A7A20
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B0C83 mov eax, dword ptr fs:[00000030h] 0_2_000B0C83
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B0CC0 mov eax, dword ptr fs:[00000030h] 0_2_000B0CC0
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B0D23 mov eax, dword ptr fs:[00000030h] 0_2_000B0D23
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000A7800 mov eax, dword ptr fs:[00000030h] 2_2_000A7800
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000A7A20 mov eax, dword ptr fs:[00000030h] 2_2_000A7A20
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h] 2_2_004035F1
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_00091DB2 GetProcessHeap, 0_2_00091DB2
Enables debug privileges
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000930B6 SetUnhandledExceptionFilter, 0_2_000930B6
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000930E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000930E7
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000930B6 SetUnhandledExceptionFilter, 2_2_000930B6
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000930E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_000930E7
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00401E1D SetUnhandledExceptionFilter, 2_2_00401E1D
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040446F
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00401C88
Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00401F30
Source: C:\Users\user\Desktop\INV.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\INV.exe Section loaded: unknown target: C:\Users\user\Desktop\INV.exe protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\INV.exe Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B2365 cpuid 0_2_000B2365
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 0_2_000960C8
Source: C:\Users\user\Desktop\INV.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 0_2_0009E15F
Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW, 0_2_0009E3D3
Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_0009E42F
Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_0009E4AC
Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_0009E52F
Source: C:\Users\user\Desktop\INV.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0009755A
Source: C:\Users\user\Desktop\INV.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 0_2_0009458E
Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_000966CA
Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW, 0_2_0009771D
Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_0009E724
Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_0009A73D
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW, 0_2_000977A3
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0009E84E
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_0009E8FB
Source: C:\Users\user\Desktop\INV.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 0_2_0009E9CF
Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 0_2_00095C88
Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 2_2_0009E42F
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0009E84E
Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 2_2_00095C88
Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 2_2_0009E4AC
Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 2_2_000960C8
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 2_2_0009E8FB
Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 2_2_0009E52F
Source: C:\Users\user\Desktop\INV.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_0009755A
Source: C:\Users\user\Desktop\INV.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 2_2_0009E15F
Source: C:\Users\user\Desktop\INV.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 2_2_0009458E
Source: C:\Users\user\Desktop\INV.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 2_2_0009E9CF
Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_000966CA
Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW, 2_2_0009771D
Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 2_2_0009E724
Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 2_2_0009A73D
Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW, 2_2_000977A3
Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW, 2_2_0009E3D3
Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_00092679 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00092679

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE
Behavior Graph (ID: 323458, Sample: INV.exe, Start date: 27/11/2020, Architecture: WINDOWS, Score: 80). Signatures at start: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures. Process tree: INV.exe started; it maps a DLL or memory area into another process and starts a child INV.exe and conhost.exe; the child INV.exe starts WerFault.exe, which drops C:\ProgramData\Microsoft\...\Report.wer (Little-endian).
No contacted IP infos