Analysis
- max time kernel: 144s
- max time network: 14s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 08:01
Static task: static1
Behavioral task: behavioral1
- Sample: Offer.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Offer.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Offer.exe
- Size: 1.5MB
- MD5: 584fec93c4d3af107c1b364f5090de14
- SHA1: e8635b77f7a7d2c0b8358d534ac4aaa069d7cef7
- SHA256: df75e05fcf2ca53ab96a989a800b33574bff0c9d4e8171e2baaaad9358a914bf
- SHA512: b03531d91ecdefbe85ba6abfd48edcbcf9dff4791d4383dd6e0898e992afa7ae95f47af52dfcbcdfdaaf90a597dd08938429f1a483a0f418a764f2d2825240e8
- Score: 6/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Offer.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhosts = "C:\\Users\\Admin\\AppData\\Roaming\\scvhosts\\scvhosts.exe"
    process: Offer.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Offer.exe
    description: PID 2004 set thread context of 1908
    pid: 2004
    process: Offer.exe
    target process: Offer.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Offer.exe
    pid: 1908, process: Offer.exe
    pid: 1908, process: Offer.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Offer.exe
    description: Token: SeDebugPrivilege
    pid: 1908
    process: Offer.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Offer.exe
    description: PID 2004 wrote to memory of 1908
    pid: 2004
    process: Offer.exe
    target process: Offer.exe
    (the same entry is recorded 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Offer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Offer.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\Offer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Offer.exe"
  Depth: 2
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1908-8-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1908-9-0x00000000004376EE-mapping.dmp
- memory/1908-10-0x0000000074BA0000-0x000000007528E000-memory.dmp (6.9MB)
- memory/1908-11-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1908-13-0x0000000004CE0000-0x0000000004CE1000-memory.dmp (4KB)
- memory/2004-2-0x0000000074BA0000-0x000000007528E000-memory.dmp (6.9MB)
- memory/2004-3-0x0000000000E80000-0x0000000000E81000-memory.dmp (4KB)
- memory/2004-5-0x0000000000D30000-0x0000000000D31000-memory.dmp (4KB)
- memory/2004-6-0x00000000004F0000-0x0000000000503000-memory.dmp (76KB)
- memory/2004-7-0x0000000004BE0000-0x0000000004C95000-memory.dmp (724KB)