248c48ac7b4b0c17d6200aa842a5e5c7d095d8573745472d7542ff3c4291c68a

General

Target

INV_2020.EXE
Size

160KB
MD5

f5a55070ea8c80fab69335db6e299fc4
SHA1

ec55507009dd23da40716b957e1b1f5cb9e526b9
SHA256

248c48ac7b4b0c17d6200aa842a5e5c7d095d8573745472d7542ff3c4291c68a
SHA512

3339720f6c1d2a1399e4c53108d9af0bfbb6d80cef65385f25f4d107154fff0363781474149b2a7d9a802f9c1ede4e4690e80bb4703daf5eef29c9c90208732a

Score

5^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

INV_2020.EXEINV_2020.EXE

description	pid	process	target process
PID 1684 wrote to memory of 1836	1684	INV_2020.EXE	schtasks.exe
PID 1684 wrote to memory of 1836	1684	INV_2020.EXE	schtasks.exe
PID 1684 wrote to memory of 1836	1684	INV_2020.EXE	schtasks.exe
PID 1684 wrote to memory of 1836	1684	INV_2020.EXE	schtasks.exe
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	INV_2020.EXE
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	INV_2020.EXE
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	INV_2020.EXE
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	INV_2020.EXE
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	INV_2020.EXE
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	INV_2020.EXE
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	INV_2020.EXE
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	INV_2020.EXE
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	INV_2020.EXE
PID 1884 wrote to memory of 1932	1884	INV_2020.EXE	dw20.exe
PID 1884 wrote to memory of 1932	1884	INV_2020.EXE	dw20.exe
PID 1884 wrote to memory of 1932	1884	INV_2020.EXE	dw20.exe
PID 1884 wrote to memory of 1932	1884	INV_2020.EXE	dw20.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

INV_2020.EXE

description pid process target process

PID 1684 set thread context of 1884 1684 INV_2020.EXE INV_2020.EXE
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1836 schtasks.exe

description	pid	process	target process
PID 1684 set thread context of 1884	1684	INV_2020.EXE	INV_2020.EXE

pid	process
1836	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE
"C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RUFQcxsjseXBNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB0D.tmp"
2⤵
- Creates scheduled task(s)
PID:1836

C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 380
3⤵
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAB0D.tmp

Download Submit
memory/1836-0-0x0000000000000000-mapping.dmp

Download
memory/1884-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-3-0x000000000040D0BE-mapping.dmp

Download
memory/1884-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1932-6-0x0000000000000000-mapping.dmp

Download
memory/1932-7-0x0000000001FE0000-0x0000000001FF1000-memory.dmp

Filesize
68KB

Download
memory/1932-8-0x0000000002360000-0x0000000002371000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads