Analysis
max time kernel: 109s
max time network: 142s
platform: windows10_x64
resource: win10v200430
submitted: 13/07/2020, 05:25
Static task: static1
Behavioral task: behavioral1
  Sample: INV_2020.EXE
  Resource: win7
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: INV_2020.EXE
  Resource: win10v200430
  0 signatures, 0 seconds
General
Target: INV_2020.EXE
Size: 160KB
MD5: f5a55070ea8c80fab69335db6e299fc4
SHA1: ec55507009dd23da40716b957e1b1f5cb9e526b9
SHA256: 248c48ac7b4b0c17d6200aa842a5e5c7d095d8573745472d7542ff3c4291c68a
SHA512: 3339720f6c1d2a1399e4c53108d9af0bfbb6d80cef65385f25f4d107154fff0363781474149b2a7d9a802f9c1ede4e4690e80bb4703daf5eef29c9c90208732a
Score: 5/10
Malware Config
Signatures

Suspicious use of WriteProcessMemory (14 IoCs; identical rows collapsed with a count)
description                          pid   Process       procid_target
PID 2116 wrote to memory of 980      2116  INV_2020.EXE  69   (3 rows)
PID 2116 wrote to memory of 3952     2116  INV_2020.EXE  71   (8 rows)
PID 3952 wrote to memory of 3300     3952  INV_2020.EXE  72   (3 rows)

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process       procid_target
PID 2116 set thread context of 3952  2116  INV_2020.EXE  71

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                pid   Process
Token: SeRestorePrivilege  3300  dw20.exe
Token: SeBackupPrivilege   3300  dw20.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
3300  dw20.exe
3300  dw20.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
980   schtasks.exe
Processes (indentation shows the parent/child depth of the original tree)

C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  PID: 2116

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RUFQcxsjseXBNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE073.tmp"
      - Creates scheduled task(s)
      PID: 980

    C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE
      Command line: "{path}"
      - Suspicious use of WriteProcessMemory
      PID: 3952

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 688
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious behavior: EnumeratesProcesses
          PID: 3300

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  Command line: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  PID: 2480
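Correlating the signatures above, as an added example (this is not tria.ge's code and is not part of the original report): the parent INV_2020.EXE (PID 2116) writes into a second instance of its own image (PID 3952) and then calls SetThreadContext on it, which is the classic self-hollowing sequence, whereas the writes into schtasks.exe (980) and dw20.exe (3300) have no accompanying thread-context change and are consistent with what CreateProcess itself does when it starts a child. The script parses the IoC rows in the layout the sandbox emits (the rows and counts are copied from this report), correlates write and thread-context events per source/target pair using a PID-to-image map taken from the process tree, and separately checks the schtasks /Create command line for a task definition imported from the user's temp folder. The row regex, the PID map and the temp-path test are assumptions built from this page, not a tria.ge API. Two observations worth carrying into a triage note: the schtasks image path is under SysWOW64 while its command line names System32, so the parent is a 32-bit process subject to file-system redirection; and dw20.exe is the .NET error-reporting shim that the runtime launches on an unhandled managed exception, so its appearance under the hollowed child suggests the injected payload faulted rather than ran to completion, which would be consistent with the limited behaviour recorded here.

```python
import re
from collections import defaultdict

# PID -> image name, taken from the report's process tree.
PROCESS_IMAGES = {
    2116: "INV_2020.EXE",
    980: "schtasks.exe",
    3952: "INV_2020.EXE",
    3300: "dw20.exe",
    2480: "PresentationFontCache.exe",
}

# WriteProcessMemory / SetThreadContext IoC rows copied from the report, in the
# sandbox's row layout: "PID <src> <action> <dst> <src> <image> <procid_target>".
# Row counts match the report: 3 + 8 + 3 memory writes, 1 thread-context change.
REPORT_IOCS = (
    "PID 2116 wrote to memory of 980 2116 INV_2020.EXE 69\n" * 3
    + "PID 2116 wrote to memory of 3952 2116 INV_2020.EXE 71\n" * 8
    + "PID 3952 wrote to memory of 3300 3952 INV_2020.EXE 72\n" * 3
    + "PID 2116 set thread context of 3952 2116 INV_2020.EXE 71\n"
)

# schtasks command line of PID 980, copied from the report's process tree.
SCHTASKS_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RUFQcxsjseXBNa" '
    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpE073.tmp"'
)

# Assumed row layout (derived from this page); \1 re-matches the repeated source PID.
IOC_ROW = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\d+)"
)


def parse_iocs(text):
    """Parse IoC rows into (src_pid, action, dst_pid); action is 'write' or 'setctx'."""
    events = []
    for line in text.splitlines():
        m = IOC_ROW.match(line.strip())
        if m is None:
            continue  # header fragments or unrelated text
        src, verb, dst, _image, _target = m.groups()
        action = "write" if verb.startswith("wrote") else "setctx"
        events.append((int(src), action, int(dst)))
    return events


def classify_injection(events, images):
    """Correlate memory writes and thread-context changes per (source, target) pair.

    A write into a freshly created child on its own is routine (CreateProcess does it),
    so only write + SetThreadContext on the same target is treated as a hollowing signal;
    a target that shares the source's image name is the self-hollowing pattern.
    """
    per_pair = defaultdict(lambda: {"write": 0, "setctx": 0})
    for src, action, dst in events:
        per_pair[(src, dst)][action] += 1
    findings = {}
    for (src, dst), counts in per_pair.items():
        src_img = images.get(src, "?")
        dst_img = images.get(dst, "?")
        if counts["write"] and counts["setctx"]:
            verdict = "self-hollowing" if src_img.lower() == dst_img.lower() else "hollowing"
        else:
            verdict = "write-only"
        findings[(src, dst)] = {
            "source": src_img, "target": dst_img,
            "writes": counts["write"], "setctx": counts["setctx"], "verdict": verdict,
        }
    return findings


# /Create with a quoted /TN name and a quoted /XML path, in either order of flags.
SCHTASKS_CREATE = re.compile(r'/Create\b.*?/TN\s+"([^"]+)".*?/XML\s+"([^"]+)"', re.I)


def check_schtasks(cmdline):
    """Flag a schtasks /Create whose task definition is imported from the user's temp folder."""
    m = SCHTASKS_CREATE.search(cmdline)
    if m is None:
        return None
    task_name, xml_path = m.groups()
    return {
        "task": task_name,
        "xml": xml_path,
        "xml_in_user_temp": "\\appdata\\local\\temp\\" in xml_path.lower(),
    }


if __name__ == "__main__":
    results = classify_injection(parse_iocs(REPORT_IOCS), PROCESS_IMAGES)
    for pair in sorted(results):
        print(pair, results[pair])
    print(check_schtasks(SCHTASKS_CMDLINE))
```

Run against the report's rows, the 2116 to 3952 pair is the only one that carries both a write and a thread-context change and is classified as self-hollowing; the schtasks check returns the task name under the "Updates" folder and flags the XML import from %LOCALAPPDATA%\Temp. The same correlation applies to Sysmon event ID 10 plus process-creation telemetry on a live host once the events are mapped into the same (source, action, target) triples.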