Analysis Report Invoice 6500TH21Y5674.exe

Overview

General Information

Sample Name: Invoice 6500TH21Y5674.exe
Analysis ID: 356249
MD5: dc22d7783144cfe4dcbb4734ed6a3656
SHA1: 65d3e4f4df34bb25f7b621dd0457c641f98029cb
SHA256: c9fc9a54366452a99c7ed753c7f5055141bc579b1a2530f8db7d7a039db6225d
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Invoice 6500TH21Y5674.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Invoice 6500TH21Y5674.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Invoice 6500TH21Y5674.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: ntmarta.pdb, source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.658788365.00000000028E7000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb4 source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: ColorAdapterClient.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: userenv.pdb4 source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb2 source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.659419962.00000000028E1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: riched20.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: oleacc.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: oleacc.pdbp source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: msctf.pdbx source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb4 source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.658792898.00000000028ED000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb| source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: usp10.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdbD source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbN source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbJ source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.659419962.00000000028E1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbB source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: shfolder.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdbn source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: mscms.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: shfolder.pdbV source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb4 source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbf source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.658792898.00000000028ED000.00000004.00000001.sdmp
Source: Binary string: msls31.pdbb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: usp10.pdbv source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb7 source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.658788365.00000000028E7000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbX source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb> source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msls31.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: mscms.pdbd source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: version.pdb* source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: riched20.pdbL source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbz source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb@ source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_00406448 FindFirstFileA,FindClose, 0_2_00406448
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040589C
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: Invoice 6500TH21Y5674.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Invoice 6500TH21Y5674.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405339

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Invoice 6500TH21Y5674.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Invoice 6500TH21Y5674.exe
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403325
Detected potential crypto function
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_6FC41A98 0_2_6FC41A98
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 740
Sample file is different than original file name gathered from version info
Source: Invoice 6500TH21Y5674.exe, 00000000.00000002.682097774.0000000002540000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Invoice 6500TH21Y5674.exe
Uses 32bit PE files
Source: Invoice 6500TH21Y5674.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal64.winEXE@2/7@0/1
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403325
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004045EA
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, 0_2_0040216B
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7052
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe File created: C:\Users\user\AppData\Local\Temp\nsmED28.tmp
Source: Invoice 6500TH21Y5674.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe File read: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
Source: unknown Process created: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe 'C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 740
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Invoice 6500TH21Y5674.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_6FC41A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6FC41A98
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_6FC42F60 push eax; ret 0_2_6FC42F8E
Source: initial sample Static PE information: section name: .data entropy: 7.27709924336
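The static facts the report states about the stub (file characteristics RELOCS_STRIPPED, 32BIT_MACHINE and the stripped-symbol flags; DllCharacteristics DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE; the .text section flags; a .data section at 7.28 bits of entropy) come straight from the PE headers and can be checked without a full PE library. The block below is an added example written for this page, not Joe Sandbox output and not code from any vendor: a stand-alone parser for the DOS header, file header, optional header and section table that also computes Shannon entropy per section, measures the overlay after the last section and looks there for the NSIS first-header magic (0xDEADBEEF followed by "NullsoftInst", which is where an NSIS stub keeps its compressed payload; the nsis.sf.net strings and the nsXXXX.tmp\System.dll drop already identify this sample as an NSIS installer). Because the sample itself is not available here, sample_report() builds a minimal PE image in memory with the same flag combination; that image and its section bytes are constructed for the demonstration and are not loadable. One caveat the code encodes: the "Contains modern PE file flags" signature reads DYNAMIC_BASE as ASLR, but with RELOCS_STRIPPED also set the loader has no relocation data and maps the image at its preferred base, so that mitigation is not actually in effect for this stub.

```python
"""Static PE triage: header flags, section entropy, overlay and NSIS marker. Added example,
not sandbox or vendor code; the image built by sample_report() is constructed, not the sample."""
import math
import struct

FILE_CHARACTERISTICS = {          # IMAGE_FILE_HEADER.Characteristics bits
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {           # IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {                 # IMAGE_SECTION_HEADER.Characteristics bits
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE"}
NSIS_FIRSTHEADER_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"   # 0xDEADBEEF (LE) + "NullsoftInst"


def _names(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant block, 8.0 for uniform bytes; above 7 hints at packing."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Header flags, per-section flags and entropy, overlay size and NSIS marker for `blob`."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4                                        # IMAGE_FILE_HEADER, 20 bytes
    _machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, fh)
    opt = fh + 20                                            # IMAGE_OPTIONAL_HEADER
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]  # DllCharacteristics (PE32 and PE32+)
    sections, end_of_sections = {}, 0
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                        # IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, _va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, hdr)
        raw = blob[rawptr:rawptr + rawsize]
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "flags": _names(flags, SECTION_FLAGS), "entropy": shannon_entropy(raw)}
        end_of_sections = max(end_of_sections, rawptr + rawsize)
    overlay = blob[end_of_sections:]                         # NSIS appends its archive here
    file_flags = _names(chars, FILE_CHARACTERISTICS)
    dll_flags = _names(dll_chars, DLL_CHARACTERISTICS)
    return {
        "file_characteristics": file_flags,
        "dll_characteristics": dll_flags,
        # DYNAMIC_BASE only helps if the loader can relocate the image; with RELOCS_STRIPPED
        # there is no relocation data and the image is mapped at its preferred ImageBase.
        "aslr_effective": "DYNAMIC_BASE" in dll_flags and "RELOCS_STRIPPED" not in file_flags,
        "sections": sections,
        "high_entropy_sections": [n for n, s in sections.items() if s["entropy"] > 7.0],
        "overlay_size": len(overlay),
        "nsis_overlay": NSIS_FIRSTHEADER_MAGIC in overlay,
    }


def build_sample_pe(file_chars, dll_chars, sections, overlay=b""):
    """Lay out a minimal PE32 for testing (constructed, not loadable, not a real installer).
    `sections` is a list of (name, flags, data) with len(data) a multiple of 0x200."""
    nsec, opt_size = len(sections), 224                      # PE32 optional header size
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * nsec) // 0x200) * 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, file_chars)  # 0x14C: i386
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<H", opt, 70, dll_chars)
    sec_hdrs, body, rawptr, va = b"", b"", hdr_len, 0x1000
    for name, flags, data in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                                len(data), rawptr, 0, 0, 0, 0, flags)
        body, rawptr, va = body + data, rawptr + len(data), va + -(-len(data) // 0x1000) * 0x1000
    head = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs
    return head + b"\0" * (hdr_len - len(head)) + body + overlay


def sample_report():
    """Triage a constructed stub carrying the flag set the report shows for the sample."""
    file_chars = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100   # RELOCS_STRIPPED .. 32BIT_MACHINE
    dll_chars = 0x0040 | 0x0100 | 0x0400 | 0x8000             # DYNAMIC_BASE, NX_COMPAT, NO_SEH, TSAWARE
    text = b"\x55\x8b\xec\xc3" * 128                          # constructed code bytes, entropy 2.0
    data = bytes(range(256)) * 4                              # constructed high-entropy data, 8.0
    pe = build_sample_pe(file_chars, dll_chars,
                         [(b".text", 0x60000020, text), (b".data", 0xC0000040, data)],
                         overlay=NSIS_FIRSTHEADER_MAGIC + b"\0" * 64)
    return parse_pe(pe)
```

To run it against a real file, call parse_pe(open(path, "rb").read()); the entropy threshold of 7.0 and the RELOCS_STRIPPED/DYNAMIC_BASE interaction are the two checks that would flag this sample's headers the same way the report does.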

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe File created: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe File created: C:\Users\user\AppData\Local\Temp\nshED58.tmp\System.dll
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_00406448 FindFirstFileA,FindClose, 0_2_00406448
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040589C
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: WerFault.exe, 00000005.00000002.679975910.0000000004AA0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000005.00000003.678214551.00000000048BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000005.00000002.679779745.000000000488A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWh
Source: WerFault.exe, 00000005.00000002.679975910.0000000004AA0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000005.00000002.679975910.0000000004AA0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000005.00000002.679975910.0000000004AA0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_10003111 LdrInitializeThunk, 0_2_10003111
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_6FC41A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6FC41A98
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_1000410A mov eax, dword ptr fs:[00000030h] 0_2_1000410A
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_10003F0F mov eax, dword ptr fs:[00000030h] 0_2_10003F0F
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403325
Behavior Graph ID: 356249 Sample: Invoice 6500TH21Y5674.exe Startdate: 22/02/2021 Architecture: WINDOWS Score: 64
Start node signatures: Multi AV Scanner detection for dropped file; Executable has a suspicious name (potential lure to open the executable); Machine Learning detection for sample; 2 other signatures
Process: Invoice 6500TH21Y5674.exe (started)
  Dropped files: C:\Users\user\AppData\...\ir9ehshgyir.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
  Child process: WerFault.exe (started)
    DNS/IP: 192.168.2.1 (unknown, unknown)

Contacted Public IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(none)

Private IPs

IP
192.168.2.1