Analysis Report factura.exe

Overview

General Information

Sample Name: factura.exe
Analysis ID: 384277
MD5: 5950cbe94b3b5dedbf7b75fa1b95ac84
SHA1: 797bb1231483bb11279f6e63fbb5d675bda58f2a
SHA256: 73f2aa87dad06704e8bbd41fb7449a987dc089160a12ba5e13d7d7f6f4196a4f
Infos:

Most interesting Screenshot:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: factura.exe Metadefender: Detection: 27% Perma Link
Source: factura.exe ReversingLabs: Detection: 45%

Compliance:

barindex
Uses 32bit PE files
Source: factura.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 27_2_00D036A8 InternetReadFile, 27_2_00D036A8
Source: RegAsm.exe, 0000001B.00000002.747456441.0000000000CFA000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EK

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\factura.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\factura.exe Code function: 1_2_0040169C 1_2_0040169C
PE file contains strange resources
Source: factura.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: factura.exe, 00000001.00000002.649560165.00000000021D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs factura.exe
Source: factura.exe, 00000001.00000002.649247945.000000000040E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsCollutions vs factura.exe
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions5>@ vs factura.exe
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsd?3 vs factura.exe
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsW8 vs factura.exe
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions vs factura.exe
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions(: vs factura.exe
Source: factura.exe, 00000001.00000002.650059978.0000000002A50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsJ$ vs factura.exe
Source: factura.exe Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Uses 32bit PE files
Source: factura.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal76.rans.evad.winEXE@4/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:68:120:WilError_01
Source: factura.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\factura.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\factura.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: factura.exe Metadefender: Detection: 27%
Source: factura.exe ReversingLabs: Detection: 45%
Source: unknown Process created: C:\Users\user\Desktop\factura.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Users\user\Desktop\factura.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Users\user\Desktop\factura.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\factura.exe Code function: 1_2_00403542 push ebx; ret 1_2_00403557
Source: C:\Users\user\Desktop\factura.exe Code function: 1_2_0040657D push FFFFFFC2h; iretd 1_2_004065A9
Source: C:\Users\user\Desktop\factura.exe Code function: 1_2_004065AB push FFFFFFC2h; iretd 1_2_004065A9
Source: C:\Users\user\Desktop\factura.exe Code function: 1_2_00403E6A pushad ; ret 1_2_00403E6B
Source: C:\Users\user\Desktop\factura.exe Code function: 1_2_00401E38 push esp; retf 0040h 1_2_00401E39
Source: C:\Users\user\Desktop\factura.exe Code function: 1_2_00403ED0 push esp; retf 1_2_00403EDA
Source: C:\Users\user\Desktop\factura.exe Code function: 1_2_00403E90 push esp; retf 1_2_00403EDA
Source: C:\Users\user\Desktop\factura.exe Code function: 1_2_00403F18 push esp; retf 1_2_00403EDA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 27_2_00D01E0F push es; iretd 27_2_00D01E31
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 27_2_00D0062C push 00000039h; retn 1F0Eh 27_2_00D008FB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 27_2_00D02FE2 push cs; iretd 27_2_00D02FFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 27_2_00D01082 push ecx; ret 27_2_00D01083
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 27_2_00D009B2 push D01F0600h; ret 27_2_00D009B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 27_2_00D030B3 push ebx; ret 27_2_00D0310B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 27_2_00D02174 push esp; retf 27_2_00D02177
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 27_2_00D01266 push ecx; ret 27_2_00D01267
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 27_2_00D02F00 push ebx; ret 27_2_00D02F07
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 27_2_00D03032 push ebx; ret 27_2_00D03037
Source: C:\Users\user\Desktop\factura.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\factura.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\factura.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\factura.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\factura.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\factura.exe RDTSC instruction interceptor: First address: 0000000000551A41 second address: 0000000000551A41 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FE76CA6A8B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007FE76CA6A8A1h 0x00000026 cmp ah, dh 0x00000028 push ecx 0x00000029 call 00007FE76CA6A8C9h 0x0000002e call 00007FE76CA6A8C8h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
Tries to detect Any.run
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\factura.exe RDTSC instruction interceptor: First address: 0000000000552C6A second address: 0000000000552C0B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e cmp edx, dword ptr [esp+04h] 0x00000012 jne 00007FE76CA6A884h 0x00000014 cmp edx, edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 lfence 0x0000001c rdtsc
Source: C:\Users\user\Desktop\factura.exe RDTSC instruction interceptor: First address: 0000000000552B18 second address: 0000000000552A79 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+14h] 0x0000000e add esi, dword ptr [ebp+04h] 0x00000011 mov esi, dword ptr [esi+eax*4] 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 mov dword ptr [ebp+08h], esi 0x0000001a retn 0004h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Users\user\Desktop\factura.exe RDTSC instruction interceptor: First address: 0000000000551A41 second address: 0000000000551A41 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FE76CA6A8B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007FE76CA6A8A1h 0x00000026 cmp ah, dh 0x00000028 push ecx 0x00000029 call 00007FE76CA6A8C9h 0x0000002e call 00007FE76CA6A8C8h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\factura.exe RDTSC instruction interceptor: First address: 0000000000551B03 second address: 0000000000551B03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FE76CB8BDFAh 0x0000001d popad 0x0000001e call 00007FE76CB8AB5Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\factura.exe RDTSC instruction interceptor: First address: 0000000000552BA9 second address: 0000000000552BA9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push dword ptr [eax+ecx] 0x0000000e pop dword ptr [ebx+ecx] 0x00000011 cmp bx, ax 0x00000014 test cx, 1B46h 0x00000019 inc ecx 0x0000001a inc ecx 0x0000001b inc ecx 0x0000001c inc ecx 0x0000001d cmp dl, bl 0x0000001f cmp ecx, 18h 0x00000022 jne 00007FE76CA6A888h 0x00000024 cmp edx, edx 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000D02C6A second address: 0000000000D02C0B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e cmp edx, dword ptr [esp+04h] 0x00000012 jne 00007FE76CB8AB14h 0x00000014 cmp edx, edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 lfence 0x0000001c rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000D02B18 second address: 0000000000D02A79 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+14h] 0x0000000e add esi, dword ptr [ebp+04h] 0x00000011 mov esi, dword ptr [esi+eax*4] 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 mov dword ptr [ebp+08h], esi 0x0000001a retn 0004h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000D01B03 second address: 0000000000D01B03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FE76CB8BDFAh 0x0000001d popad 0x0000001e call 00007FE76CB8AB5Bh 0x00000023 lfence 0x00000026 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3260 Thread sleep time: -3490000s >= -30000s Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process Stats: CPU usage > 90% for more than 60s
Hides threads from debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: RegAsm.exe, 0000001B.00000002.749330639.0000000001600000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: RegAsm.exe, 0000001B.00000002.749330639.0000000001600000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000001B.00000002.749330639.0000000001600000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 0000001B.00000002.749330639.0000000001600000.00000002.00000001.sdmp Binary or memory string: Progmanlock
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 384277 Sample: factura.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 76 17 Potential malicious icon found 2->17 19 Multi AV Scanner detection for submitted file 2->19 7 factura.exe 2->7         started        process3 signatures4 21 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 7->21 23 Tries to detect virtualization through RDTSC time measurements 7->23 10 RegAsm.exe 13 7->10         started        13 RegAsm.exe 7->13         started        process5 signatures6 25 Tries to detect Any.run 10->25 27 Hides threads from debuggers 10->27 15 conhost.exe 10->15         started        29 Found potential dummy code loops (likely to delay analysis) 13->29 31 Tries to detect virtualization through RDTSC time measurements 13->31 process7
No contacted IP infos