Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-10-2022 06:07
Static task
static1
Behavioral task
behavioral1
Sample
Re.offer.exe
Resource
win7-20220901-en
General
-
Target
Re.offer.exe
-
Size
955KB
-
MD5
ec7499d16283df35c151934692cf0719
-
SHA1
82a9a351185b4c6e16886099391f2fd95ad76bee
-
SHA256
c0f5e01dded221a720c2173447e936c1e1148928016187fa4e8ac8e3a087b4ee
-
SHA512
3088706e05661ae9251610eeb0101accd8475b1b4221f999c9309fd4a19fb16ca5b1ccd508b08774f9ee76e071eee787d8e3e900554cdad64bb247903cf50bba
-
SSDEEP
12288:TX2iNahLuyAHmKMvYAssnMmTDCS9Mc0phHZ+5nFYRgW7sZ8zk1tKNds/:TX1MhLuyybMvYA/n7CSg5+4R7Dzkv
Malware Config
Extracted
formbook
4.1
ng04
tevimaq.com
easterspecialtystore.com
smartlever.tech
10312.uk
tanjawiharbi.co.uk
471338.com
horusventure.com
empress-care.com
sinrian.com
465951.com
aemsti.com
nxcourier.com
stargatefarms.com
lalyquainvestment.com
dailysportsadvice.com
justlistmoore.com
stoneonroll.online
tatianakolomiets.com
barcodebbm.com
protectorship.world
datingventure.info
aurora-body.com
sohomusicclub.com
postapudding.co.uk
mps-24.store
fengjianghu.com
fenostoreshop.site
julietterosebarney.com
1a-datenschutz.com
yejinxia.com
firstmortgagedebt.com
greengood.store
skynet-one.net
allianthrs.com
centralflfc.com
46caminosobrante.com
informatique07.com
keebu.net
gamebe.store
nicestartech.top
smbxd.com
dyadent.store
xiangmeihao.com
exac7.com
vesiensuojelu.com
youhaometal.com
jiewo.top
xmfaucet.com
avocadotaco.com
nicelove.online
beautytimelashesnails.com
domainand.site
tlqf.net
mentionevery.online
jeuxjetx.fr
device-track.co
re364t6.top
teamlepleiadi.com
againsubpackaddr.com
blemchi.xyz
yxzhcpa.com
cycle-xchange.store
medimattress.info
cosme-mochi.net
wekurd.com
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/2388-141-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/2388-143-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/2036-149-0x0000000000E90000-0x0000000000EBF000-memory.dmp formbook behavioral2/memory/2036-155-0x0000000000E90000-0x0000000000EBF000-memory.dmp formbook -
Drops file in System32 directory 2 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C27B5D9B-90AB-4454-A30A-551562397A05}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CB0FAAC2-3AB2-4635-B77D-2685DBAEB6BC}.catalogItem svchost.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
Re.offer.exeRe.offer.exesvchost.exedescription pid process target process PID 2980 set thread context of 2388 2980 Re.offer.exe Re.offer.exe PID 2388 set thread context of 3004 2388 Re.offer.exe Explorer.EXE PID 2036 set thread context of 3004 2036 svchost.exe Explorer.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe -
Suspicious behavior: EnumeratesProcesses 46 IoCs
Processes:
Re.offer.exeRe.offer.exesvchost.exepid process 2980 Re.offer.exe 2980 Re.offer.exe 2980 Re.offer.exe 2980 Re.offer.exe 2388 Re.offer.exe 2388 Re.offer.exe 2388 Re.offer.exe 2388 Re.offer.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe 2036 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3004 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
Re.offer.exesvchost.exepid process 2388 Re.offer.exe 2388 Re.offer.exe 2388 Re.offer.exe 2036 svchost.exe 2036 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Re.offer.exeRe.offer.exesvchost.exedescription pid process Token: SeDebugPrivilege 2980 Re.offer.exe Token: SeDebugPrivilege 2388 Re.offer.exe Token: SeDebugPrivilege 2036 svchost.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Re.offer.exeExplorer.EXEsvchost.exedescription pid process target process PID 2980 wrote to memory of 3020 2980 Re.offer.exe Re.offer.exe PID 2980 wrote to memory of 3020 2980 Re.offer.exe Re.offer.exe PID 2980 wrote to memory of 3020 2980 Re.offer.exe Re.offer.exe PID 2980 wrote to memory of 768 2980 Re.offer.exe Re.offer.exe PID 2980 wrote to memory of 768 2980 Re.offer.exe Re.offer.exe PID 2980 wrote to memory of 768 2980 Re.offer.exe Re.offer.exe PID 2980 wrote to memory of 2388 2980 Re.offer.exe Re.offer.exe PID 2980 wrote to memory of 2388 2980 Re.offer.exe Re.offer.exe PID 2980 wrote to memory of 2388 2980 Re.offer.exe Re.offer.exe PID 2980 wrote to memory of 2388 2980 Re.offer.exe Re.offer.exe PID 2980 wrote to memory of 2388 2980 Re.offer.exe Re.offer.exe PID 2980 wrote to memory of 2388 2980 Re.offer.exe Re.offer.exe PID 3004 wrote to memory of 2036 3004 Explorer.EXE svchost.exe PID 3004 wrote to memory of 2036 3004 Explorer.EXE svchost.exe PID 3004 wrote to memory of 2036 3004 Explorer.EXE svchost.exe PID 2036 wrote to memory of 4384 2036 svchost.exe cmd.exe PID 2036 wrote to memory of 4384 2036 svchost.exe cmd.exe PID 2036 wrote to memory of 4384 2036 svchost.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/768-139-0x0000000000000000-mapping.dmp
-
memory/2036-155-0x0000000000E90000-0x0000000000EBF000-memory.dmpFilesize
188KB
-
memory/2036-153-0x0000000001800000-0x0000000001894000-memory.dmpFilesize
592KB
-
memory/2036-151-0x0000000001900000-0x0000000001C4A000-memory.dmpFilesize
3.3MB
-
memory/2036-148-0x0000000000570000-0x000000000057E000-memory.dmpFilesize
56KB
-
memory/2036-149-0x0000000000E90000-0x0000000000EBF000-memory.dmpFilesize
188KB
-
memory/2036-147-0x0000000000000000-mapping.dmp
-
memory/2388-145-0x0000000001AC0000-0x0000000001AD5000-memory.dmpFilesize
84KB
-
memory/2388-140-0x0000000000000000-mapping.dmp
-
memory/2388-141-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2388-143-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2388-144-0x00000000015C0000-0x000000000190A000-memory.dmpFilesize
3.3MB
-
memory/2980-136-0x000000000AFB0000-0x000000000B04C000-memory.dmpFilesize
624KB
-
memory/2980-137-0x000000000B150000-0x000000000B1B6000-memory.dmpFilesize
408KB
-
memory/2980-132-0x0000000000620000-0x0000000000716000-memory.dmpFilesize
984KB
-
memory/2980-135-0x00000000050A0000-0x00000000050AA000-memory.dmpFilesize
40KB
-
memory/2980-134-0x0000000005130000-0x00000000051C2000-memory.dmpFilesize
584KB
-
memory/2980-133-0x0000000005640000-0x0000000005BE4000-memory.dmpFilesize
5.6MB
-
memory/3004-146-0x00000000036A0000-0x000000000380C000-memory.dmpFilesize
1.4MB
-
memory/3004-152-0x00000000036A0000-0x000000000380C000-memory.dmpFilesize
1.4MB
-
memory/3004-154-0x00000000034F0000-0x000000000358F000-memory.dmpFilesize
636KB
-
memory/3004-156-0x00000000034F0000-0x000000000358F000-memory.dmpFilesize
636KB
-
memory/3020-138-0x0000000000000000-mapping.dmp
-
memory/4384-150-0x0000000000000000-mapping.dmp