Analysis
- max time kernel: 109s
- max time network: 142s
- platform: windows10_x64
- resource: win10v200430
- submitted: 13-07-2020 05:25
Static task: static1
Behavioral task: behavioral1
- Sample: INV_2020.EXE
- Resource: win7
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: INV_2020.EXE
- Resource: win10v200430
- 0 signatures
- 0 seconds
General
- Target: INV_2020.EXE
- Size: 160KB
- MD5: f5a55070ea8c80fab69335db6e299fc4
- SHA1: ec55507009dd23da40716b957e1b1f5cb9e526b9
- SHA256: 248c48ac7b4b0c17d6200aa842a5e5c7d095d8573745472d7542ff3c4291c68a
- SHA512: 3339720f6c1d2a1399e4c53108d9af0bfbb6d80cef65385f25f4d107154fff0363781474149b2a7d9a802f9c1ede4e4690e80bb4703daf5eef29c9c90208732a
Score: 5/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: INV_2020.EXE, INV_2020.EXE

  description                      | pid  | process      | target process
  ---------------------------------|------|--------------|---------------
  PID 2116 wrote to memory of 980  | 2116 | INV_2020.EXE | schtasks.exe
  PID 2116 wrote to memory of 980  | 2116 | INV_2020.EXE | schtasks.exe
  PID 2116 wrote to memory of 980  | 2116 | INV_2020.EXE | schtasks.exe
  PID 2116 wrote to memory of 3952 | 2116 | INV_2020.EXE | INV_2020.EXE
  PID 2116 wrote to memory of 3952 | 2116 | INV_2020.EXE | INV_2020.EXE
  PID 2116 wrote to memory of 3952 | 2116 | INV_2020.EXE | INV_2020.EXE
  PID 2116 wrote to memory of 3952 | 2116 | INV_2020.EXE | INV_2020.EXE
  PID 2116 wrote to memory of 3952 | 2116 | INV_2020.EXE | INV_2020.EXE
  PID 2116 wrote to memory of 3952 | 2116 | INV_2020.EXE | INV_2020.EXE
  PID 2116 wrote to memory of 3952 | 2116 | INV_2020.EXE | INV_2020.EXE
  PID 2116 wrote to memory of 3952 | 2116 | INV_2020.EXE | INV_2020.EXE
  PID 3952 wrote to memory of 3300 | 3952 | INV_2020.EXE | dw20.exe
  PID 3952 wrote to memory of 3300 | 3952 | INV_2020.EXE | dw20.exe
  PID 3952 wrote to memory of 3300 | 3952 | INV_2020.EXE | dw20.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: INV_2020.EXE

  description                         | pid  | process      | target process
  ------------------------------------|------|--------------|---------------
  PID 2116 set thread context of 3952 | 2116 | INV_2020.EXE | INV_2020.EXE

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: dw20.exe

  description               | pid  | process
  --------------------------|------|---------
  Token: SeRestorePrivilege | 3300 | dw20.exe
  Token: SeBackupPrivilege  | 3300 | dw20.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: dw20.exe

  pid  | process
  -----|---------
  3300 | dw20.exe
  3300 | dw20.exe

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE"
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
  - [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RUFQcxsjseXBNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE073.tmp"
        - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\INV_2020.EXE
        Command line: "{path}"
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 688
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious behavior: EnumeratesProcesses
- [1] C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
      Command line: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\INV_2020.EXE.log
- C:\Users\Admin\AppData\Local\Temp\tmpE073.tmp
- memory/980-0-0x0000000000000000-mapping.dmp
- memory/3300-7-0x00000000029D0000-0x00000000029D1000-memory.dmp (Filesize: 4KB)
- memory/3300-13-0x0000000002E60000-0x0000000002E61000-memory.dmp (Filesize: 4KB)
- memory/3300-5-0x0000000000000000-mapping.dmp
- memory/3300-6-0x0000000002680000-0x0000000002681000-memory.dmp (Filesize: 4KB)
- memory/3952-3-0x000000000040D0BE-mapping.dmp
- memory/3952-8-0x000000000040D0BE-mapping.dmp
- memory/3952-9-0x000000000040D0BE-mapping.dmp
- memory/3952-10-0x000000000040D0BE-mapping.dmp
- memory/3952-11-0x000000000040D0BE-mapping.dmp
- memory/3952-12-0x000000000040D0BE-mapping.dmp
- memory/3952-2-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)