Analysis

  • max time kernel
    63s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/06/2023, 17:47

General

  • Target

    https://downloads.dell.com/FOLDER10192118M/1/InvColPC_11.0.3.0.exe

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Program crash (1 IoCs)
  • Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 23 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://downloads.dell.com/FOLDER10192118M/1/InvColPC_11.0.3.0.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4956 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3568
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XW4YEBB9\InvColPC_11.0.3.0.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XW4YEBB9\InvColPC_11.0.3.0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\invcol.exe
        C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\.\invcol.exe -bdir="C:\Users\Admin\Desktop"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3928
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 700
          4⤵
          • Program crash
          PID:3976
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3928 -ip 3928
    1⤵
    PID:3240

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0ZI760GS\InvColPC_11.0.3.0[1].exe
      Filesize: 11.5MB
      MD5: 33317adb46ee3a45b65bce5821f1f7b9
      SHA1: 72f4a67c325d3147f54d344d88171cb21869b75b
      SHA256: 73ef899432e5895c5c044c1cdbd9054759008ffd4b1d80cdb2391fdc4c859858
      SHA512: c6bb7e02b468b97227fa10e8811c1bc3b4932c61ef7ef175c7a694695df7ca8af9101be25d1360bec6f7fccdf8d66310cc0e5331a4c003ab9c36836ff5437c59

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XW4YEBB9\InvColPC_11.0.3.0.exe
      Filesize: 11.5MB
      MD5: 33317adb46ee3a45b65bce5821f1f7b9
      SHA1: 72f4a67c325d3147f54d344d88171cb21869b75b
      SHA256: 73ef899432e5895c5c044c1cdbd9054759008ffd4b1d80cdb2391fdc4c859858
      SHA512: c6bb7e02b468b97227fa10e8811c1bc3b4932c61ef7ef175c7a694695df7ca8af9101be25d1360bec6f7fccdf8d66310cc0e5331a4c003ab9c36836ff5437c59

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XW4YEBB9\InvColPC_11.0.3.0.exe.6q1ketb.partial
      Filesize: 11.5MB
      MD5: 33317adb46ee3a45b65bce5821f1f7b9
      SHA1: 72f4a67c325d3147f54d344d88171cb21869b75b
      SHA256: 73ef899432e5895c5c044c1cdbd9054759008ffd4b1d80cdb2391fdc4c859858
      SHA512: c6bb7e02b468b97227fa10e8811c1bc3b4932c61ef7ef175c7a694695df7ca8af9101be25d1360bec6f7fccdf8d66310cc0e5331a4c003ab9c36836ff5437c59

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\DrvAppIE_MSI\PIEInfo.txt
      Filesize: 69B
      MD5: 309382d03a5668b46a6a99ef235c8380
      SHA1: 9c74fbfb082a2e8e9fd663e2523b26b6b73fe529
      SHA256: 0fb9216ed2d3331177a4353f45a553b27b590ea86f16affde510b4d9955f0ca9
      SHA512: 06c631748216eec90f87a1bc3878c3097f4cf0384ef7c6b34c970b3c22c7050905e22fa2a03c0426edefeffca7110bc9a4101d0360f134ab2ddf9f5d60d3c52e

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\ICConfig_user.xml
      Filesize: 5KB
      MD5: 43b8b7358adedb0c648341e3793525f2
      SHA1: 66f1a7c386834d9b2d541e49f293a9982dd4e837
      SHA256: 5c80c1ee6233cdffd0ba077d124162ca2ddb8524d0fb7891ac7ef099c082ea3b
      SHA512: 22a1bc5f845132814a7b0e57b93d8e00832ad455475c5adb484a27d0b6c67ac30ef57bf3b427cd38bdaf86a6ddf273140bc9e0301a3145dcfca086b362b64f85

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\IMAGE\DrvCfg32.ini
      Filesize: 499B
      MD5: 4228bbca64f8930e731f86a04c315a97
      SHA1: 832e5c640c186f23097012a05029435d9e334bc7
      SHA256: 1bc14f6aae8579e18446fad5fca50568dc2ebbbda16f7bc9fee78e6f85d5eb71
      SHA512: ea2646c663c84bf8c30d8b215e991991cc2033a3cc117bac343275b59525b3f222c4b1471606f74affa00d59d633c659f62778e2d41a8cdf6b48941e6e64703f

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\IMAGE\PIEConfig.xml
      Filesize: 1KB
      MD5: e5d2eaf60bc56b14989f57a58f5a0829
      SHA1: d53d62084936dfd5a8081b84d8fe0412b66109ac
      SHA256: da569fdf18a6d18ceec6c1fa850ff702bb947a1559a2671817e2955e37481938
      SHA512: 29d19a8a5dd1ddedf12e25a93c0903e57babd7822669d839765583dd9834fe5d817e05da52c2543faf9bc8977d7446b4e391056f3fdf0677bcf23995f165cb35

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\MSVCP140.dll
      Filesize: 436KB
      MD5: 37dcbba718886e5c24703b1268ce10b9
      SHA1: 441738a1ea802c266cb0a84789ace62e40010335
      SHA256: 968bbd2a36b04cc5795c6fc99afe85e4d294ff9c28032ce0e870463827181799
      SHA512: 00ab4cfe4b5bb989f2931cc8928982819a99df027b118c731957fc84c58cc8d636687ff39cf90dac313e3fe7c7738a4899fba98ebab5b6ed4cbfa372b0eb2561

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\OSINV\PIEConfig.xml
      Filesize: 130B
      MD5: dd9f9c913dc476d6a64449e4842de944
      SHA1: 42fff2606077cee64232101df710a653d2357f4c
      SHA256: 93d3534ede6a89da26a22cca4856c007c7804f0f90337970fe7a2e9e9f3c0c8d
      SHA512: 63971868f96d350d8988e25ceb656769bddcdbeb586aa0ed7a3571c4c84edcee70753cc98fba469b76c891b2a20a7b9a68d5b7c4e8261edf25db704112446fbe

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\PnP_Devices\PIEConfig.xml
      Filesize: 2KB
      MD5: 99f748c247b79478f7652133ebb12cb2
      SHA1: 3324f5df4edd293beb03490196b26a0f36674944
      SHA256: a1e59eb0cda090faf87b83da67afa11e44b2ab6f81c815fc5286c93397f9ba04
      SHA512: ede81ef11ffcd6404300bba3f05ac97d6c6ded6f71065576ec916db0abae8dbfd74e914c9f03779fdc835c1fee359ce13bdfe00fbc2af182b88052569d150e06

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\Thunderbolt_Reg\Executables\DRVUpdate.exe
      Filesize: 375KB
      MD5: e0e2408478a1466a33186205f7d3d6dd
      SHA1: 50062188947b371469460464aedb8a2ebface3f4
      SHA256: 964b4819b91c7577ce5c07356f7ebae3825d37c86e259c2cdcaa50be710ff8c9
      SHA512: 016160d1a8b3a0fbafea1a2315824e3525a952d30de09fe4e7eb699d4294ec69327ae0cf54e90db5a0751279b9f6069a7902844aa050dfa9d31c58049c531e7f

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\Thunderbolt_Reg\RLtek_Ethernate\RegForceInventory.xml
      Filesize: 128KB
      MD5: 30aa7e953010b6b40f5cb83f6aff782e
      SHA1: 5ec0f4e8c60db66567983c858bd9b2780158b881
      SHA256: 95fdc46b7b1f57f0546304f9816894a6caf5fb767b7dd0aff2889cdc79f97ee0
      SHA512: f58676f8f517da6aba2b02da014fd4b5c6e66d646c9635783e7f4af9d65e9c37e3ce7f86e87f11bef53c8d03a5938c732f3b777b7109f7177062049e1b0e8c9c

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\Thunderbolt_Reg\RLtek_USB_Driver_WOW\DrvCfg32.ini
      Filesize: 1KB
      MD5: 9512cb4a8245bea4322f8bc680ac0dc3
      SHA1: 7ed23dc741ca0328562629f782e6456372f1c04b
      SHA256: 9141964056b46365da57f704104eea7d222741b3438d567c7f1b7569e0c0534c
      SHA512: aae4d6e8c6edb14b774e348fec4e5fa3a3790e747c8526fc313efe34d7c2607779ff81785aca2640a60a7e308ec398a3035adac6488d66946b3e06fdaeddbdf4

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\TouchPad_X8\PIEConfig.xml
      Filesize: 2KB
      MD5: 54bfe695f971a7fea12f6c03fcc252a8
      SHA1: f833610b2b4d71af25284dcd1f5d6656d18f2732
      SHA256: f5e71f263f0cffe305fa085fa27030ed4e652e8a363e8beaf04673a6d19a3215
      SHA512: 5f0132086647cd317a0130ee6dac12afe975ad00bd6eeed7e7f216215667815dc1a9487bed23a848d6853498e74731112175270c49ea9690251f949bb5a42015

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\VCRUNTIME140.dll
      Filesize: 88KB
      MD5: 81b11024a8ed0c9adfd5fbf6916b133c
      SHA1: c87f446d9655ba2f6fddd33014c75dc783941c33
      SHA256: eb6a3a491efcc911f9dff457d42fed85c4c170139414470ea951b0dafe352829
      SHA512: e4b1c694cb028fa960d750fa6a202bc3a477673b097b2a9e0991219b9891b5f879aa13aa741f73acd41eb23feee58e3dd6032821a23e9090ecd9cc2c3ec826a1

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\dsupt32.dll
      Filesize: 701KB
      MD5: a43f77d8dd56898bb162f5635d49d1ac
      SHA1: cb2d297ddbd14524bffa448bf4ab1dcdd7ae9b0f
      SHA256: ecb0049859e8200072e86e9b6e204bfd5b9477f63205e9693d9caa45f7fca136
      SHA512: b6b0e3e69f5165f4d6f42fd7a4c952a3079f01db7b1b5e6707fb4c7c58dcb12ce558a5902b59cafe0120148b7cd3d7cec23e0281ef4c509e230337dc09b2a15d

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\icsvc32.dll
      Filesize: 1.1MB
      MD5: 0aa4f4528cba2001b8e4c98f1fe74bdb
      SHA1: 8529373454de4190802fcd0211c6c1b71f80ff45
      SHA256: 3d2febe2fdd92f07253f1537ee964c40f56d77ac85711aa358681c7cd01aa02a
      SHA512: 8c2039864865da1ef68be681e056f7bccd36ca4d605c705203ece64dc8c204410cff7ec81c747eeb6ff67285818d17fc104e46eabb91e3e751b5c3d1a51e3527

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\invcol.exe
      Filesize: 40KB
      MD5: 73fb3504f2a9f114453260759848e872
      SHA1: 94a7ff3f93f5468e0f1308ff07b82cb1cabae64b
      SHA256: ec1e24fc3d95204c4044707bc4171acb5241c4dad17ae758e044ad0a0a2a6b31
      SHA512: 1008f76184f7d1a51651c3c68709abe4b5b271dfce3fe78484a231a64b00f616789d08efc2254e2a69542a1d7da20b33552033b1090d024e4d6568313d4fa89a

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\msvcp140.dll
      Filesize: 436KB
      MD5: 37dcbba718886e5c24703b1268ce10b9
      SHA1: 441738a1ea802c266cb0a84789ace62e40010335
      SHA256: 968bbd2a36b04cc5795c6fc99afe85e4d294ff9c28032ce0e870463827181799
      SHA512: 00ab4cfe4b5bb989f2931cc8928982819a99df027b118c731957fc84c58cc8d636687ff39cf90dac313e3fe7c7738a4899fba98ebab5b6ed4cbfa372b0eb2561

    • C:\Users\Admin\AppData\Local\Temp\invCBFF_tmp\vcruntime140.dll
      Filesize: 88KB
      MD5: 81b11024a8ed0c9adfd5fbf6916b133c
      SHA1: c87f446d9655ba2f6fddd33014c75dc783941c33
      SHA256: eb6a3a491efcc911f9dff457d42fed85c4c170139414470ea951b0dafe352829
      SHA512: e4b1c694cb028fa960d750fa6a202bc3a477673b097b2a9e0991219b9891b5f879aa13aa741f73acd41eb23feee58e3dd6032821a23e9090ecd9cc2c3ec826a1

    • memory/3928-470-0x00000000009B0000-0x0000000000ACD000-memory.dmp
      Filesize: 1.1MB