Analysis
- max time kernel: 55s
- max time network: 67s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 05:25
Static task: static1
Behavioral task: behavioral1
- Sample: INV_2020.EXE
- Resource: win7, windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: INV_2020.EXE
- Resource: win10v200430, windows10_x64
- 0 signatures
- 0 seconds
General
- Target: INV_2020.EXE
- Size: 160KB
- MD5: f5a55070ea8c80fab69335db6e299fc4
- SHA1: ec55507009dd23da40716b957e1b1f5cb9e526b9
- SHA256: 248c48ac7b4b0c17d6200aa842a5e5c7d095d8573745472d7542ff3c4291c68a
- SHA512: 3339720f6c1d2a1399e4c53108d9af0bfbb6d80cef65385f25f4d107154fff0363781474149b2a7d9a802f9c1ede4e4690e80bb4703daf5eef29c9c90208732a
Score: 5/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory 17 IoCs
Processes: INV_2020.EXE, INV_2020.EXE

| description | pid | process | target process |
|---|---|---|---|
| PID 1684 wrote to memory of 1836 | 1684 | INV_2020.EXE | schtasks.exe |
| PID 1684 wrote to memory of 1836 | 1684 | INV_2020.EXE | schtasks.exe |
| PID 1684 wrote to memory of 1836 | 1684 | INV_2020.EXE | schtasks.exe |
| PID 1684 wrote to memory of 1836 | 1684 | INV_2020.EXE | schtasks.exe |
| PID 1684 wrote to memory of 1884 | 1684 | INV_2020.EXE | INV_2020.EXE |
| PID 1684 wrote to memory of 1884 | 1684 | INV_2020.EXE | INV_2020.EXE |
| PID 1684 wrote to memory of 1884 | 1684 | INV_2020.EXE | INV_2020.EXE |
| PID 1684 wrote to memory of 1884 | 1684 | INV_2020.EXE | INV_2020.EXE |
| PID 1684 wrote to memory of 1884 | 1684 | INV_2020.EXE | INV_2020.EXE |
| PID 1684 wrote to memory of 1884 | 1684 | INV_2020.EXE | INV_2020.EXE |
| PID 1684 wrote to memory of 1884 | 1684 | INV_2020.EXE | INV_2020.EXE |
| PID 1684 wrote to memory of 1884 | 1684 | INV_2020.EXE | INV_2020.EXE |
| PID 1684 wrote to memory of 1884 | 1684 | INV_2020.EXE | INV_2020.EXE |
| PID 1884 wrote to memory of 1932 | 1884 | INV_2020.EXE | dw20.exe |
| PID 1884 wrote to memory of 1932 | 1884 | INV_2020.EXE | dw20.exe |
| PID 1884 wrote to memory of 1932 | 1884 | INV_2020.EXE | dw20.exe |
| PID 1884 wrote to memory of 1932 | 1884 | INV_2020.EXE | dw20.exe |

Suspicious use of SetThreadContext 1 IoCs
Processes: INV_2020.EXE

| description | pid | process | target process |
|---|---|---|---|
| PID 1684 set thread context of 1884 | 1684 | INV_2020.EXE | INV_2020.EXE |

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
- C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE"
  Signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RUFQcxsjseXBNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB0D.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE
    Command line: "{path}"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 380
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpAB0D.tmp
- memory/1836-0-0x0000000000000000-mapping.dmp
- memory/1884-2-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1884-3-0x000000000040D0BE-mapping.dmp
- memory/1884-4-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1884-5-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1932-6-0x0000000000000000-mapping.dmp
- memory/1932-7-0x0000000001FE0000-0x0000000001FF1000-memory.dmp (Filesize: 68KB)
- memory/1932-8-0x0000000002360000-0x0000000002371000-memory.dmp (Filesize: 68KB)