| File name: | InvColPC_12.2.1.2.exe |
| Full analysis: | https://app.any.run/tasks/92a1744c-e530-4180-8f3e-ecaef50a7c92 |
| Verdict: | Malicious activity |
| Analysis date: | June 12, 2024, 19:49:30 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows |
| MD5: | D6961E162243E9266CE864A105D4FB82 |
| SHA1: | 0793F656562443957D9D568FB36B49F7EC24B3F7 |
| SHA256: | B48D7BDF12E0B3079248E1B39CAD0BCB7F09FC303C0964DA73F615BE767BBEA8 |
| SSDEEP: | 98304:KQWdGvoBc1p/aSmfhus2CnCXIsmPT1OMy1y7cgGCWKmnRFXJnvzSDunn4NjTGpU9:IyKNLL7pavnusauC |
MALICIOUS
Drops the executable file immediately after the start
- InvColPC_12.2.1.2.exe (PID: 2504)
- runas.exe (PID: 3964)
SUSPICIOUS
Process drops legitimate windows executable
- InvColPC_12.2.1.2.exe (PID: 2504)
Executable content was dropped or overwritten
- InvColPC_12.2.1.2.exe (PID: 2504)
The process drops C-runtime libraries
- InvColPC_12.2.1.2.exe (PID: 2504)
INFO
Reads the computer name
- InvColPC_12.2.1.2.exe (PID: 2504)
- invcol.exe (PID: 2680)
Checks supported languages
- InvColPC_12.2.1.2.exe (PID: 2504)
- invcol.exe (PID: 2680)
Creates files in the program directory
- InvColPC_12.2.1.2.exe (PID: 2504)
Manual execution by a user
- explorer.exe (PID: 1640)
- notepad++.exe (PID: 3020)
Reads the machine GUID from the registry
- invcol.exe (PID: 2680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:05:10 14:19:44+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.34 |
| CodeSize: | 188928 |
| InitializedDataSize: | 74752 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc22f |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 12.2.1.2 |
| ProductVersionNumber: | 12.2.1.2 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Dell Inc. |
| FileDescription: | Dell Inventory Utility (x86) |
| FileVersion: | 12.2.0 |
| InternalName: | InvCol.exe |
| LegalCopyright: | Copyright (C) 2012 - 2024 Dell Inc. or its subsidiaries. All rights reserved. |
| OriginalFileName: | InvCol.exe |
| ProductName: | Inventory Collector |
| ProductVersion: | 12.2.1.2 |
Total processes
51
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1640 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2504 | C:\Users\admin\Downloads\InvColPC_12.2.1.2.exe | C:\Users\admin\Downloads\InvColPC_12.2.1.2.exe | runas.exe | ||||||||||||
User: Administrator Company: Dell Inc. Integrity Level: HIGH Description: Dell Inventory Utility (x86) Exit code: 3221225477 Version: 12.2.0 Modules
| |||||||||||||||
| 2680 | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\.\invcol.exe -bdir="C:\Windows\system32" | C:\Users\Administrator\AppData\Local\Temp\inv62BE_tmp\invcol.exe | InvColPC_12.2.1.2.exe | ||||||||||||
User: Administrator Company: Dell Inc. Integrity Level: HIGH Description: Inventory Collector Tool (x86) Exit code: 3221225477 Version: 12.2.0 Modules
| |||||||||||||||
| 3020 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\RGIA8E5.tmp" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | ||||||||||||
User: admin Company: Don HO don.h@free.fr Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.91 Modules
| |||||||||||||||
| 3964 | "C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\Downloads\InvColPC_12.2.1.2.exe | C:\Windows\System32\runas.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Run As Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
492
Read events
478
Write events
14
Delete events
0
Modification events
| (PID) Process: | (3020) notepad++.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
29
Suspicious files
31
Text files
26
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\EXTDRVRInv.exe | executable | |
MD5:D6667C7C78F4A2047E7560D7AA117E63 | SHA256:BB7B6A22FD714FA63605AC0A909B526CCB891A1EF9063C97BCFF65B667B95E1E | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\msvcp140.dll | executable | |
MD5:ADDC83E063DDC88422A4FE7AADE7CFCD | SHA256:557D76338488E28C7761DFE5EE4FA722F65F0C945563002E86DE09C95F02B2AA | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\GetDockVer32W.exe | executable | |
MD5:21ABBCA5767E0D6CB72AA2D29C52615C | SHA256:29F5E4EAA1498A4C9EC4A8F3F2DBB323EEEE9E14779ED2F2B4098D445CBEFEC7 | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\PeripheralFRMWInv.exe | executable | |
MD5:5481AF157D674A80FFD5C6F0DF30513A | SHA256:CCD717FE4A080310E1506348D7B9D93AF1D67EFBB25B67F799BE5E7EDB1F37D4 | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\SCSIUpdate.exe | executable | |
MD5:D0AD0BD9763E8450F030914B0636EBAB | SHA256:76E0F2A31AA68C50BB10C639567B2D588F3A7BD0910AADC9983DD8F617B2C043 | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\SalomanDock.exe | executable | |
MD5:6E620C7E8B3D2F57572C8CF782D54122 | SHA256:0009AFE77D3875C112D7B052AD8B228567842D4D422D1C3F574FC1E7A9D1154F | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\Reg-MSI_Inventory.exe | executable | |
MD5:9B1A02797B838917362F3AFCA2C23D6F | SHA256:6357D8E1F2A531D0C137D6D5E7687E677FA5E5122D7BF6990D6DE2AD87F16A37 | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\PNPUpdate.exe | executable | |
MD5:88E3A2753021F83D9235F6009E3D5C3E | SHA256:D08A9541D1C3957F91A6CFBAA4FA8D0DBA382CF91D509BD9F87A8F9D255377A7 | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\BSODDriverRemediation.exe | executable | |
MD5:371679B029BBD3F06316DCFD90B33097 | SHA256:0109EED1CD9A99FE35046E3F5A6B965F5355A2B9970074C93930FBF9E2F50ACC | |||
| 2504 | InvColPC_12.2.1.2.exe | C:\Users\ADMINI~1\AppData\Local\Temp\inv62BE_tmp\bin\SOFTWARECOMPONENTInv.exe | executable | |
MD5:BD5BE9B06EFD061A07A8431DFF42F8EF | SHA256:050C507925079920AE9056B5CF716D9CB2F3B3A3F519CC23C88BDA98BD231C68 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
DNS requests
Threats
Process | Message |
|---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|