ba9056d8017e211407a8915ae3d0132a18c7af6a380c7dd53f6521c5f8bb5af1

General

Target

New Offer.exe
Size

827KB
MD5

c5eda9db6db46c98570bc8bcaed6f3a6
SHA1

8bbefc64626568c0a73b095d874f1b00633f7eb1
SHA256

6d501548a8060835c3a3d65281d905a189d6ebb7f2c79e0ae76d59872c1cc0b3
SHA512

060001790d3e9991ad4a47ae18386048d98fb47350958e03e66e85ded94208145e0e68477d2cfe91ef63879faf71d1cad70465531fb5635f7e97503caaf4cf85

Score

9^/10

Malware Config

Signatures

CoreCCC Packer 1 IoCs

Detects CoreCCC packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/1940-130-0x00000000003A0000-0x0000000000476000-memory.dmp	coreccc

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Offer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	New Offer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

New Offer.exe

description pid process target process

PID 1940 set thread context of 1012 1940 New Offer.exe New Offer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4288 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

New Offer.exe

pid process

1940 New Offer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New Offer.exeNew Offer.exe

description pid process

Token: SeDebugPrivilege 1940 New Offer.exe
Token: SeDebugPrivilege 1012 New Offer.exe

description	pid	process	target process
PID 1940 set thread context of 1012	1940	New Offer.exe	New Offer.exe

pid	process
4288	schtasks.exe

pid	process
1940	New Offer.exe

description	pid	process
Token: SeDebugPrivilege	1940	New Offer.exe
Token: SeDebugPrivilege	1012	New Offer.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

New Offer.exe

description	pid	process	target process
PID 1940 wrote to memory of 4288	1940	New Offer.exe	schtasks.exe
PID 1940 wrote to memory of 4288	1940	New Offer.exe	schtasks.exe
PID 1940 wrote to memory of 4288	1940	New Offer.exe	schtasks.exe
PID 1940 wrote to memory of 1012	1940	New Offer.exe	New Offer.exe
PID 1940 wrote to memory of 1012	1940	New Offer.exe	New Offer.exe
PID 1940 wrote to memory of 1012	1940	New Offer.exe	New Offer.exe
PID 1940 wrote to memory of 1012	1940	New Offer.exe	New Offer.exe
PID 1940 wrote to memory of 1012	1940	New Offer.exe	New Offer.exe
PID 1940 wrote to memory of 1012	1940	New Offer.exe	New Offer.exe
PID 1940 wrote to memory of 1012	1940	New Offer.exe	New Offer.exe
PID 1940 wrote to memory of 1012	1940	New Offer.exe	New Offer.exe

C:\Users\Admin\AppData\Local\Temp\New Offer.exe
"C:\Users\Admin\AppData\Local\Temp\New Offer.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DwoNkS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D9C.tmp"
2⤵
- Creates scheduled task(s)
PID:4288

C:\Users\Admin\AppData\Local\Temp\New Offer.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9D9C.tmp
Filesize
1KB

MD5
3e2e369f9dd0740b146f6c5cb09bf1f8

SHA1
f3b92610eea2a832e55469c2e8008c410f7c8ab3

SHA256
996ee9ffc6f06f8ecf34e42adf8ec09b77682f2f48f69d5cc1176b31968b210d

SHA512
29a33bdf1fb5a593618eaa1b9b92ed830fa5a9a0cc8101d109cb24ae34fea648ed851d0fa9bcf8f2419e8500f6aa40e011416c603f33a8aac17fb6ef034696b8

Download Submit
memory/1012-162-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-190-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-200-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-160-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-196-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-194-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-137-0x0000000000000000-mapping.dmp

Download
memory/1012-138-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-140-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-142-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-144-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-146-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-148-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-164-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-152-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-154-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-156-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-158-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-198-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-192-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-150-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-166-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-168-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-170-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-172-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-174-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-176-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-178-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-180-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-182-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-184-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-186-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1012-188-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1940-130-0x00000000003A0000-0x0000000000476000-memory.dmp

Filesize
856KB

Download
memory/1940-132-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/1940-131-0x00000000054B0000-0x0000000005A54000-memory.dmp

Filesize
5.6MB

Download
memory/1940-134-0x00000000085D0000-0x000000000866C000-memory.dmp

Filesize
624KB

Download
memory/1940-133-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/4288-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads