Analysis

- max time kernel: 145s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-01-2021 08:01
Static task: static1

Behavioral task: behavioral1
  Sample: Offer.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: Offer.exe
  Resource: win10v20201028
General

- Target: Offer.exe
- Size: 1.5MB
- MD5: 584fec93c4d3af107c1b364f5090de14
- SHA1: e8635b77f7a7d2c0b8358d534ac4aaa069d7cef7
- SHA256: df75e05fcf2ca53ab96a989a800b33574bff0c9d4e8171e2baaaad9358a914bf
- SHA512: b03531d91ecdefbe85ba6abfd48edcbcf9dff4791d4383dd6e0898e992afa7ae95f47af52dfcbcdfdaaf90a597dd08938429f1a483a0f418a764f2d2825240e8
Malware Config
Signatures

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          | pid  | process   | target process
    PID 4052 set thread context of 2868  | 4052 | Offer.exe | Offer.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid  | process
    4052 | Offer.exe
    4052 | Offer.exe
    2868 | Offer.exe
    2868 | Offer.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 4052 | Offer.exe
    Token: SeDebugPrivilege | 2868 | Offer.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                       | pid  | process   | target process
    PID 4052 wrote to memory of 1892  | 4052 | Offer.exe | Offer.exe   (3 entries)
    PID 4052 wrote to memory of 2868  | 4052 | Offer.exe | Offer.exe   (8 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\Offer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Offer.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\Offer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Offer.exe"
    Depth: 2 (child of the depth-1 process)

  - C:\Users\Admin\AppData\Local\Temp\Offer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Offer.exe"
    Depth: 2 (child of the depth-1 process)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Offer.exe.log
  MD5: 65f1f0c7993639f9f9e1d524224a2c93
  SHA1: 5b51a6a56f3041dbc2d3f510252bbe68ffbbc59c
  SHA256: e582e80a644a998d1b2958bdcb0cd1e899076befa7c5e868d033b3fe75a2ca93
  SHA512: 3e8953968bbc31f3105a0df28b95edfb4cee8af78ec527d47707b82e3d5fc2aa725fca574de3c963da53614e60d282408b21d075eed007be25679e9458bf1c23
- memory/2868-14-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/2868-22-0x0000000005A70000-0x0000000005A71000-memory.dmp (Filesize: 4KB)
- memory/2868-17-0x0000000073820000-0x0000000073F0E000-memory.dmp (Filesize: 6.9MB)
- memory/2868-15-0x00000000004376EE-mapping.dmp
- memory/4052-7-0x0000000007730000-0x0000000007731000-memory.dmp (Filesize: 4KB)
- memory/4052-9-0x00000000078F0000-0x00000000078F1000-memory.dmp (Filesize: 4KB)
- memory/4052-10-0x0000000008090000-0x0000000008091000-memory.dmp (Filesize: 4KB)
- memory/4052-11-0x00000000078E0000-0x00000000078E1000-memory.dmp (Filesize: 4KB)
- memory/4052-12-0x0000000004B20000-0x0000000004B33000-memory.dmp (Filesize: 76KB)
- memory/4052-13-0x0000000000D20000-0x0000000000DD5000-memory.dmp (Filesize: 724KB)
- memory/4052-8-0x00000000076A0000-0x00000000076A1000-memory.dmp (Filesize: 4KB)
- memory/4052-2-0x0000000073820000-0x0000000073F0E000-memory.dmp (Filesize: 6.9MB)
- memory/4052-6-0x0000000007B90000-0x0000000007B91000-memory.dmp (Filesize: 4KB)
- memory/4052-5-0x00000000075F0000-0x00000000075F1000-memory.dmp (Filesize: 4KB)
- memory/4052-3-0x0000000000640000-0x0000000000641000-memory.dmp (Filesize: 4KB)