| File name: | InvColPC_12.2.1.2.exe |
| Full analysis: | https://app.any.run/tasks/92a1744c-e530-4180-8f3e-ecaef50a7c92 |
| Verdict: | Malicious activity |
| Analysis date: | June 12, 2024, 19:49:30 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows |
| MD5: | D6961E162243E9266CE864A105D4FB82 |
| SHA1: | 0793F656562443957D9D568FB36B49F7EC24B3F7 |
| SHA256: | B48D7BDF12E0B3079248E1B39CAD0BCB7F09FC303C0964DA73F615BE767BBEA8 |
| SSDEEP: | 98304:KQWdGvoBc1p/aSmfhus2CnCXIsmPT1OMy1y7cgGCWKmnRFXJnvzSDunn4NjTGpU9:IyKNLL7pavnusauC |
MALICIOUS
Drops the executable file immediately after the start
- runas.exe (PID: 3964)
- InvColPC_12.2.1.2.exe (PID: 2504)
SUSPICIOUS
Process drops legitimate windows executable
- InvColPC_12.2.1.2.exe (PID: 2504)
Executable content was dropped or overwritten
- InvColPC_12.2.1.2.exe (PID: 2504)
The process drops C-runtime libraries
- InvColPC_12.2.1.2.exe (PID: 2504)
INFO
Checks supported languages
- InvColPC_12.2.1.2.exe (PID: 2504)
- invcol.exe (PID: 2680)
Reads the computer name
- InvColPC_12.2.1.2.exe (PID: 2504)
- invcol.exe (PID: 2680)
Creates files in the program directory
- InvColPC_12.2.1.2.exe (PID: 2504)
Manual execution by a user
- explorer.exe (PID: 1640)
- notepad++.exe (PID: 3020)
Reads the machine GUID from the registry
- invcol.exe (PID: 2680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:05:10 14:19:44+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.34 |
| CodeSize: | 188928 |
| InitializedDataSize: | 74752 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc22f |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 12.2.1.2 |
| ProductVersionNumber: | 12.2.1.2 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Dell Inc. |
| FileDescription: | Dell Inventory Utility (x86) |
| FileVersion: | 12.2.0 |
| InternalName: | InvCol.exe |
| LegalCopyright: | Copyright (C) 2012 - 2024 Dell Inc. or its subsidiaries. All rights reserved. |
| OriginalFileName: | InvCol.exe |
| ProductName: | Inventory Collector |
| ProductVersion: | 12.2.1.2 |
Total processes
51
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1640 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2504 | C:\Users\admin\Downloads\InvColPC_12.2.1.2.exe | C:\Users\admin\Downloads\InvColPC_12.2.1.2.exe | runas.exe | ||||||||||||
User: Administrator Company: Dell Inc. Integrity Level: HIGH Description: Dell Inventory Utility (x86) Exit code: 3221225477 Version: 12.2.0 Modules
| |||||||||||||||
| 2680 | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\.\invcol.exe -bdir="C:\Windows\system32" | C:\Users\Administrator\AppData\Local\Temp\inv62BE_tmp\invcol.exe | InvColPC_12.2.1.2.exe | ||||||||||||
User: Administrator Company: Dell Inc. Integrity Level: HIGH Description: Inventory Collector Tool (x86) Exit code: 3221225477 Version: 12.2.0 Modules
| |||||||||||||||
| 3020 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\RGIA8E5.tmp" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | ||||||||||||
User: admin Company: Don HO don.h@free.fr Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.91 Modules
| |||||||||||||||
| 3964 | "C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\Downloads\InvColPC_12.2.1.2.exe | C:\Windows\System32\runas.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Run As Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
492
Read events
478
Write events
14
Delete events
0
Modification events
| (PID) Process: | (3020) notepad++.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
29
Suspicious files
31
Text files
26
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\APPXInventory.exe | executable | |
MD5:92C00506A0FBE46164FB83AFD2404768 | SHA256:B416CC84746A86F546F1DDA585A8C54C44E058814CE101A494C8438040363549 | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\FirmwareTPM.exe | executable | |
MD5:45ADFAA616C3A77BEB5759D86F0B55D7 | SHA256:0DA87AE354D8E385A247D8A03020FD055AA33B42EE86598EC5C3866D4A3A2644 | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\EXTDRVRInv.exe | executable | |
MD5:D6667C7C78F4A2047E7560D7AA117E63 | SHA256:BB7B6A22FD714FA63605AC0A909B526CCB891A1EF9063C97BCFF65B667B95E1E | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\BSODDriverRemediation.exe | executable | |
MD5:371679B029BBD3F06316DCFD90B33097 | SHA256:0109EED1CD9A99FE35046E3F5A6B965F5355A2B9970074C93930FBF9E2F50ACC | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\AppUpdate.exe | executable | |
MD5:DDCD8446E0A9A1F5EFADFF2A0404A75F | SHA256:C13FEC3F139238C052CB22326A77887B2F1296A235E64EF7643B8D4B7BC9E97C | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\vcruntime140.dll | executable | |
MD5:A0DF29AF5F6135B735DEE359C0871ECF | SHA256:35AFADBACC9A30341C1A5EE2117E69583E5044CEA0BFAB636DCCBDCC281A8786 | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\Reg-MSI_Inventory.exe | executable | |
MD5:9B1A02797B838917362F3AFCA2C23D6F | SHA256:6357D8E1F2A531D0C137D6D5E7687E677FA5E5122D7BF6990D6DE2AD87F16A37 | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\vccorlib140.dll | executable | |
MD5:AE13E4F8338173A979135141E0DFB02F | SHA256:7E3211BFCD4698140CE90E6664E044F7C7C8100C5B7BF1CEC161DF32FC412056 | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\SCSIUpdate.exe | executable | |
MD5:D0AD0BD9763E8450F030914B0636EBAB | SHA256:76E0F2A31AA68C50BB10C639567B2D588F3A7BD0910AADC9983DD8F617B2C043 | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\SalomanDock.exe | executable | |
MD5:6E620C7E8B3D2F57572C8CF782D54122 | SHA256:0009AFE77D3875C112D7B052AD8B228567842D4D422D1C3F574FC1E7A9D1154F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
DNS requests
Threats
Process | Message |
|---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|