Windows Analysis Report important invoice presentation nov 2021.pif

Overview

General Information

Sample Name: important invoice presentation nov 2021.pif (renamed file extension from pif to exe)
Analysis ID: 523630
MD5: 1364844e0bfb349272c5050fb0e677e3
SHA1: ffc57ad66c9a3764a88a2b2c3ec1f0f19042c77a
SHA256: 004f011b37e4446fa04b76aae537cc00f6588c0705839152ae2d8a837ef2b730

Detection

NetWire
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 46
Range: 0 - 100

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected NetWire RAT
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Initial sample is a PE file and has a suspicious name
Found evasive API chain (may stop execution after checking mutex)
Writes to foreign memory regions
Contains functionality to log keystrokes
Found stalling execution ending in API Sleep call
Sigma detected: Xwizard DLL Sideloading
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Potential key logger detected (key state polling based)
Found evasive API chain (may stop execution after accessing registry keys)
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events

AV Detection:

Found malware configuration
Source: 00000001.00000002.507835553.000000001C8F0000.00000040.00000001.sdmp Malware Configuration Extractor: NetWire {"C2 list": ["calibare5454.pro:3360"], "Password": "Password", "Host ID": "HostId-%Rand%", "Mutex": "wAnRkHLX", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "-"}
Antivirus or Machine Learning detection for unpacked file
Source: 30.2.xwizard.exe.400000.0.unpack Avira: Label: TR/Spy.Gen
Source: 14.2.xwizard.exe.400000.0.unpack Avira: Label: TR/Spy.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 14_2_0040C4B7
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040E511 CryptUnprotectData,LocalFree, 14_2_0040E511
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp, 14_2_0040EDD6
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 14_2_0040D290
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 30_2_0040C4B7
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040E511 CryptUnprotectData,LocalFree, 30_2_0040E511
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp, 30_2_0040EDD6
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 30_2_0040D290

Compliance:

Uses 32bit PE files
Source: important invoice presentation nov 2021.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
PE / OLE file has a valid certificate
Source: important invoice presentation nov 2021.exe Static PE information: certificate valid
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: important invoice presentation nov 2021.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BD655F __EH_prolog3_GS,GetFullPathNameA,__cftof,_strlen,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,_strlen, 13_2_00BD655F
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 14_2_00406453
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 14_2_0040680D
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 14_2_0040753D
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 14_2_00413A85
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 14_2_0040DB1C
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 14_2_00406F83
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 14_2_00406390
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 30_2_00406453
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 30_2_0040680D
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 30_2_0040753D
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 30_2_00413A85
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 30_2_0040DB1C
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 30_2_00406F83
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 30_2_00406390
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 14_2_00406084

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: calibare5454.pro:3360
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 51.195.57.233
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49777 -> 51.195.57.233:3360
Source: important invoice presentation nov 2021.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: important invoice presentation nov 2021.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: important invoice presentation nov 2021.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: important invoice presentation nov 2021.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: important invoice presentation nov 2021.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: important invoice presentation nov 2021.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: important invoice presentation nov 2021.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: important invoice presentation nov 2021.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: important invoice presentation nov 2021.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: important invoice presentation nov 2021.exe String found in binary or memory: http://www.xnview.com
Source: xwizard.exe String found in binary or memory: http://www.yandex.com
Source: important invoice presentation nov 2021.exe, 00000001.00000002.507835553.000000001C8F0000.00000040.00000001.sdmp, important invoice presentation nov 2021.exe, 0000000D.00000002.683551594.000000001CF00000.00000040.00000001.sdmp, xwizard.exe, 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp, xwizard.exe, 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp String found in binary or memory: http://www.yandex.comsocks=
Source: important invoice presentation nov 2021.exe String found in binary or memory: https://sectigo.com/CPS0
Source: important invoice presentation nov 2021.exe String found in binary or memory: https://sectigo.com/CPS0D
Source: unknown DNS traffic detected: queries for: calibare5454.pro
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00405FBE recv,WSAGetLastError, 14_2_00405FBE

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 14_2_00409953
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 30_2_00409953
Contains functionality to record screenshots
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00411D8C GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetDIBits,calloc,GetDIBits,ReleaseDC,DeleteDC,DeleteObject,free, 14_2_00411D8C
Potential key logger detected (key state polling based)
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BBA38E GetKeyState,GetKeyState,GetKeyState,SendMessageA, 13_2_00BBA38E
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 14_2_00409953
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 30_2_00409953
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BF8181 __EH_prolog3,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 13_2_00BF8181

System Summary:

Malicious sample detected (through community Yara rule)
Source: 30.2.xwizard.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp, type: MEMORY Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: xwizard.exe PID: 2040, type: MEMORYSTR Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: important invoice presentation nov 2021.exe
Uses 32bit PE files
Source: important invoice presentation nov 2021.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 30.2.xwizard.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp, type: MEMORY Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: xwizard.exe PID: 2040, type: MEMORYSTR Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00B9E230 13_2_00B9E230
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BBAA7C 13_2_00BBAA7C
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BE106A 13_2_00BE106A
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00403047 14_2_00403047
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0041D049 14_2_0041D049
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00419463 14_2_00419463
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00415079 14_2_00415079
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00420420 14_2_00420420
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_004208C0 14_2_004208C0
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_004034D3 14_2_004034D3
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00414976 14_2_00414976
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00402E68 14_2_00402E68
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00416619 14_2_00416619
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040AEC6 14_2_0040AEC6
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00402AFC 14_2_00402AFC
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00415ABF 14_2_00415ABF
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00420F40 14_2_00420F40
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0041FF50 14_2_0041FF50
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040A728 14_2_0040A728
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00403047 30_2_00403047
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0041D049 30_2_0041D049
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00419463 30_2_00419463
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00415079 30_2_00415079
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00420420 30_2_00420420
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_004208C0 30_2_004208C0
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_004034D3 30_2_004034D3
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00414976 30_2_00414976
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00402E68 30_2_00402E68
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00416619 30_2_00416619
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040AEC6 30_2_0040AEC6
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00402AFC 30_2_00402AFC
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00415ABF 30_2_00415ABF
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00420F40 30_2_00420F40
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0041FF50 30_2_0041FF50
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040A728 30_2_0040A728
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: String function: 00D59920 appears 36 times
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: String function: 00D597E9 appears 54 times
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: String function: 00B9F800 appears 31 times
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: String function: 00D597B6 appears 167 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00CC161A LocalAlloc,GetSystemInfo,NtQueryVirtualMemory,LocalFree, 14_2_00CC161A
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00CC161A LocalAlloc,GetSystemInfo,NtQueryVirtualMemory, 30_2_00CC161A
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Process Stats: CPU usage > 98%
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: important invoice presentation nov 2021.exe, 00000001.00000000.336774909.000000000150B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamexnviewmp.exeL vs important invoice presentation nov 2021.exe
Source: important invoice presentation nov 2021.exe, 0000000D.00000002.682952195.0000000000E4B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamexnviewmp.exeL vs important invoice presentation nov 2021.exe
Source: important invoice presentation nov 2021.exe Binary or memory string: OriginalFilenamexnviewmp.exeL vs important invoice presentation nov 2021.exe
PE file contains strange resources
Source: important invoice presentation nov 2021.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: important invoice presentation nov 2021.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: important invoice presentation nov 2021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\important invoice presentation nov 2021.exe "C:\Users\user\Desktop\important invoice presentation nov 2021.exe"
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f
Source: unknown Process created: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "%ProgramFiles%\Security\" /y /i /c /q
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\important invoice presentation nov 2021.exe" /it /f
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f
Source: classification engine Classification label: mal84.troj.spyw.evad.winEXE@26/2@1/1
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00C00C4D CoInitialize,CoCreateInstance, 13_2_00C00C4D
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 14_2_00406084
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00402570 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 14_2_00402570
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3132:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4388:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_01
Source: C:\Windows\SysWOW64\xwizard.exe Mutant created: \Sessions\1\BaseNamedObjects\wAnRkHLX
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BAC0F7 __EH_prolog3_catch,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, 13_2_00BAC0F7
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Program Files (x86)\Security
Source: C:\Windows\SysWOW64\xwizard.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\xwizard.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: important invoice presentation nov 2021.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: important invoice presentation nov 2021.exe Static file information: File size 3391296 > 1048576
Source: important invoice presentation nov 2021.exe Static PE information: certificate valid
Source: important invoice presentation nov 2021.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x22cc00
Source: important invoice presentation nov 2021.exe Static PE information: More than 200 imports for USER32.dll
Source: important invoice presentation nov 2021.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: important invoice presentation nov 2021.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: important invoice presentation nov 2021.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: important invoice presentation nov 2021.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: important invoice presentation nov 2021.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: important invoice presentation nov 2021.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: important invoice presentation nov 2021.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: important invoice presentation nov 2021.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: important invoice presentation nov 2021.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: important invoice presentation nov 2021.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: important invoice presentation nov 2021.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: important invoice presentation nov 2021.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: important invoice presentation nov 2021.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00D5A1ED push ecx; ret 13_2_00D5A20E
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BB061B push 8B00DBECh; retf 13_2_00BB0620
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BB0607 push 8B00DBECh; retf 13_2_00BB060C
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BB0739 push 8B00DBECh; iretd 13_2_00BB073E
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BB0702 push 8B00DBECh; iretd 13_2_00BB0707
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h 14_2_0040DD9F
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah 14_2_0040DDD9
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040DCE9 push edx; mov dword ptr [esp], 00423997h 14_2_0040DDF7
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040DCE9 push edx; mov dword ptr [esp], esi 14_2_0040E394
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040A4BC push esi; mov dword ptr [esp], 00423347h 14_2_0040A543
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00409953 push edi; mov dword ptr [esp], 00000091h 14_2_00409980
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00409953 push ebp; mov dword ptr [esp], 00000090h 14_2_0040998D
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00411D8C push edx; mov dword ptr [esp], edi 14_2_00412058
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00409E61 push eax; mov dword ptr [esp], ebx 14_2_00409FDE
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00406E04 push ecx; mov dword ptr [esp], ebx 14_2_00406E69
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040262F push edx; mov dword ptr [esp], edi 14_2_004027C8
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040262F push edx; mov dword ptr [esp], edi 14_2_00402815
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040262F push edx; mov dword ptr [esp], edi 14_2_004029B2
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_004146E1 push eax; mov dword ptr [esp], ebx 14_2_0041470B
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040970C push eax; mov dword ptr [esp], 0042B4A0h 14_2_004097B9
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h 30_2_0040DD9F
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah 30_2_0040DDD9
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040DCE9 push edx; mov dword ptr [esp], 00423997h 30_2_0040DDF7
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040DCE9 push edx; mov dword ptr [esp], esi 30_2_0040E394
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040A4BC push esi; mov dword ptr [esp], 00423347h 30_2_0040A543
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00409953 push edi; mov dword ptr [esp], 00000091h 30_2_00409980
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00409953 push ebp; mov dword ptr [esp], 00000090h 30_2_0040998D
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00411D8C push edx; mov dword ptr [esp], edi 30_2_00412058
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00409E61 push eax; mov dword ptr [esp], ebx 30_2_00409FDE
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00406E04 push ecx; mov dword ptr [esp], ebx 30_2_00406E69
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040262F push edx; mov dword ptr [esp], edi 30_2_004027C8
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc, 14_2_00408417

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f
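The persistence chain in this report is a two-step pattern: cmd.exe first stages a copy of the sample under C:\Program Files (x86)\Security\ with xcopy (reported below under process creation), then registers it as an ONLOGON task named "Security". The following is an added example, not part of the Joe Sandbox output and not NetWire code: it rebuilds the four process-creation events from the command lines quoted in this report (the event dicts and the parent/image fields are constructed for the example) and correlates any boot-triggered schtasks /create with an earlier xcopy into the same directory. BOOT_TRIGGERS and the field names of the findings are choices of the example, not report values.

```python
import ntpath
import re

# Process-creation events rebuilt from this report. The dict layout is constructed
# for the example; the command lines are the ones the report quotes.
EVENTS = [
    {"parent": r"C:\Windows\SysWOW64\cmd.exe", "image": r"C:\Windows\SysWOW64\xcopy.exe",
     "cmdline": r'xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q'},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f'},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe", "image": r"C:\Windows\SysWOW64\xcopy.exe",
     "cmdline": r'xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q'},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f'},
]

# Schedule types that survive a reboot or re-login (assumption of the example).
BOOT_TRIGGERS = {"ONLOGON", "ONSTART"}


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted if quoted else bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _is_tool(tokens, name):
    # ntpath is used so Windows paths are handled correctly on any host OS.
    return bool(tokens) and ntpath.basename(tokens[0]).lower() in (name, name + ".exe")


def parse_schtasks_create(cmdline):
    """Extract schedule, task name and action from 'schtasks /create ...'; None otherwise."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if not _is_tool(toks, "schtasks") or "/create" not in low:
        return None

    def value(flag):
        for i, t in enumerate(low):
            if t == flag and i + 1 < len(toks):
                return toks[i + 1]
        return None

    return {
        "schedule": (value("/sc") or "").upper(),
        "name": value("/tn"),
        "run": value("/tr"),
        "interactive": "/it" in low,  # /it: run in the logged-on user's interactive session
        "force": "/f" in low,         # /f: silently replace an existing task of the same name
    }


def parse_xcopy(cmdline):
    """Return source and destination directory for an xcopy command; None otherwise."""
    toks = tokenize(cmdline)
    if not _is_tool(toks, "xcopy"):
        return None
    paths = [t for t in toks[1:] if not t.startswith("/")]
    if len(paths) < 2:
        return None
    return {"src": paths[0], "dst": paths[1].rstrip("\\")}


def hunt(events):
    """Flag boot-survival tasks whose target binary was staged by an earlier xcopy."""
    staged_dirs = {}  # normalised destination directory -> xcopy source path
    findings = []
    for ev in events:
        xc = parse_xcopy(ev["cmdline"])
        if xc:
            staged_dirs[ntpath.normcase(xc["dst"])] = xc["src"]
            continue
        task = parse_schtasks_create(ev["cmdline"])
        if not task or task["schedule"] not in BOOT_TRIGGERS or not task["run"]:
            continue
        staged_from = staged_dirs.get(ntpath.normcase(ntpath.dirname(task["run"])))
        findings.append({
            "task": task["name"],
            "schedule": task["schedule"],
            "run": task["run"],
            "parent": ev["parent"],
            "staged_by_xcopy": staged_from is not None,
            # The scheduled binary has the same file name as the file xcopy moved into place.
            "self_copy": staged_from is not None
            and ntpath.basename(staged_from).lower() == ntpath.basename(task["run"]).lower(),
        })
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['schedule']} task {f['task']!r} -> {f['run']} "
              f"(staged by xcopy: {f['staged_by_xcopy']}, self copy: {f['self_copy']})")
```

On a live host the same logic applies to Sysmon event ID 1 or Security event 4688 records; the task itself can be listed with schtasks /query /tn "Security" /v /fo LIST and removed with schtasks /delete /tn "Security" /f once the staged binary has been collected.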

Hooking and other Techniques for Hiding and Protection:

barindex
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Memory written: PID: 5612 base: CC13DB value: E9 4D 10 74 FF
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Memory written: PID: 5612 base: 11E4EF0 value: E9 43 B8 AD FF
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Memory written: PID: 2040 base: CC13DB value: E9 4D 10 74 FF
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Memory written: PID: 2040 base: 11E4EF0 value: E9 43 B8 AD FF
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BE6783 IsWindowVisible,IsIconic, 13_2_00BE6783
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\xwizard.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\xwizard.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Found stalling execution ending in API Sleep call
Source: C:\Windows\SysWOW64\xwizard.exe Stalling execution: Execution stalls by calling Sleep
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\SysWOW64\xwizard.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\xwizard.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Windows\SysWOW64\xwizard.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\xwizard.exe API coverage: 7.6 %
Source: C:\Windows\SysWOW64\xwizard.exe API coverage: 3.1 %
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00D7216B VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 13_2_00D7216B
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BD655F __EH_prolog3_GS,GetFullPathNameA,__cftof,_strlen,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,_strlen, 13_2_00BD655F
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 14_2_00406453
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 14_2_0040680D
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 14_2_0040753D
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 14_2_00413A85
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 14_2_0040DB1C
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 14_2_00406F83
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 14_2_00406390
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 30_2_00406453
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 30_2_0040680D
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 30_2_0040753D
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 30_2_00413A85
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 30_2_0040DB1C
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 30_2_00406F83
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 30_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 30_2_00406390
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 14_2_00406084
Source: C:\Windows\SysWOW64\xwizard.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\xwizard.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\xwizard.exe API call chain: ExitProcess graph end node
Source: xwizard.exe, 0000001E.00000002.688604583.00000000010A8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: xwizard.exe, 0000000E.00000002.864002557.0000000000F38000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00D680C8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00D680C8
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00D7216B VirtualProtect ?,-00000001,00000104,?,?,?,00000000 13_2_00D7216B
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BAACF6 OutputDebugStringA,GetLastError, 13_2_00BAACF6
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc, 14_2_00408417
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BC23F6 GetProcessHeap, 13_2_00BC23F6
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00D9085C mov eax, dword ptr fs:[00000030h] 13_2_00D9085C
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00D680C8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00D680C8
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00D5A5D4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00D5A5D4

HIPS / PFW / Operating System Protection Evasion:

barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Section loaded: unknown target: C:\Windows\SysWOW64\xwizard.exe protection: execute and read and write
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Section loaded: unknown target: C:\Windows\SysWOW64\xwizard.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Memory written: C:\Windows\SysWOW64\xwizard.exe base: B4B008
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Memory written: C:\Windows\SysWOW64\xwizard.exe base: CC0000
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Memory written: C:\Windows\SysWOW64\xwizard.exe base: CC13DB
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Memory written: C:\Windows\SysWOW64\xwizard.exe base: 11E4EF0
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Memory written: C:\Windows\SysWOW64\xwizard.exe base: BBD008
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Memory written: C:\Windows\SysWOW64\xwizard.exe base: CC0000
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Memory written: C:\Windows\SysWOW64\xwizard.exe base: CC13DB
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Memory written: C:\Windows\SysWOW64\xwizard.exe base: 11E4EF0
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Memory allocated: C:\Windows\SysWOW64\xwizard.exe base: CC0000 protect: page execute and read and write
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Memory allocated: C:\Windows\SysWOW64\xwizard.exe base: CC0000 protect: page execute and read and write
Contains functionality to simulate keystroke presses
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_004121C0 keybd_event, 14_2_004121C0
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Users\user\Desktop\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Process created: C:\Windows\SysWOW64\xwizard.exe C:\Windows\System32\xwizard.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe" /it /f
Contains functionality to simulate mouse events
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_004121EF SetCursorPos,mouse_event, 14_2_004121EF
Source: xwizard.exe, 0000000E.00000002.863923152.0000000000C94000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: xwizard.exe, 0000000E.00000002.864740086.0000000003980000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: xwizard.exe, 0000000E.00000002.864740086.0000000003980000.00000002.00020000.sdmp Binary or memory string: Progman
Source: xwizard.exe, 0000000E.00000002.863923152.0000000000C94000.00000004.00000001.sdmp Binary or memory string: Program Manager"
Source: xwizard.exe, 0000000E.00000002.864740086.0000000003980000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: xwizard.exe, 0000000E.00000002.864740086.0000000003980000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00D5A3F4 cpuid 13_2_00D5A3F4
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00D5A7D1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 13_2_00D5A7D1
Source: C:\Program Files (x86)\Security\important invoice presentation nov 2021.exe Code function: 13_2_00BE3003 __EH_prolog3_GS,GetVersionExA,__cftof,_strlen,CoInitializeEx,CoCreateInstance, 13_2_00BE3003
Source: C:\Windows\SysWOW64\xwizard.exe Code function: 14_2_004130E8 GetUserNameW,WideCharToMultiByte, 14_2_004130E8

Remote Access Functionality:

barindex
Yara detected NetWire RAT
Source: Yara match File source: 1.2.important invoice presentation nov 2021.exe.1c8f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xwizard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.important invoice presentation nov 2021.exe.1cf00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.xwizard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000002.688394318.0000000000422000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.507835553.000000001C8F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.863773731.0000000000422000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.683551594.000000001CF00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: important invoice presentation nov 2021.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: important invoice presentation nov 2021.exe PID: 2872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xwizard.exe PID: 5612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xwizard.exe PID: 2040, type: MEMORYSTR