248c48ac7b4b0c17d6200aa842a5e5c7d095d8573745472d7542ff3c4291c68a

General

Target

INV_2020.EXE
Size

160KB
MD5

f5a55070ea8c80fab69335db6e299fc4
SHA1

ec55507009dd23da40716b957e1b1f5cb9e526b9
SHA256

248c48ac7b4b0c17d6200aa842a5e5c7d095d8573745472d7542ff3c4291c68a
SHA512

3339720f6c1d2a1399e4c53108d9af0bfbb6d80cef65385f25f4d107154fff0363781474149b2a7d9a802f9c1ede4e4690e80bb4703daf5eef29c9c90208732a

Score

5^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1836	1684	INV_2020.EXE	24
PID 1684 wrote to memory of 1836	1684	INV_2020.EXE	24
PID 1684 wrote to memory of 1836	1684	INV_2020.EXE	24
PID 1684 wrote to memory of 1836	1684	INV_2020.EXE	24
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	26
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	26
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	26
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	26
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	26
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	26
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	26
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	26
PID 1684 wrote to memory of 1884	1684	INV_2020.EXE	26
PID 1884 wrote to memory of 1932	1884	INV_2020.EXE	27
PID 1884 wrote to memory of 1932	1884	INV_2020.EXE	27
PID 1884 wrote to memory of 1932	1884	INV_2020.EXE	27
PID 1884 wrote to memory of 1932	1884	INV_2020.EXE	27

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 1884	1684	INV_2020.EXE	26

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1836	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE
"C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1684
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RUFQcxsjseXBNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB0D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1836
- C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 380
    3⤵
    PID:1932

Network

No results found

239.255.255.250:1900

966 B
6
239.255.255.250:1900

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1884-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1884-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1932-7-0x0000000001FE0000-0x0000000001FF1000-memory.dmp

Filesize
68KB

Download
memory/1932-8-0x0000000002360000-0x0000000002371000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.