96fddf8ed5ba87a03b03c5e0387ab1f3ef44df00ce11d0761a108d6407472c86

General

Target

shipment document pdf.exe
Size

825KB
MD5

58d90785308067dbb5b317014a3d3b41
SHA1

11ce185684c80f65946c9f36029725fa48b56058
SHA256

96fddf8ed5ba87a03b03c5e0387ab1f3ef44df00ce11d0761a108d6407472c86
SHA512

cf1662deb92f5e6cbd87ba395931eab5c9d12ba2bda0a6ce3564dec5c63307a22bfbdbf689b8b8562d05381e7f9bfa865141bc98a87f99885d3731ab33ff87bd

Score

10^/10

coreentity rezer0

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/644-3-0x00000000004F0000-0x00000000004F2000-memory.dmp	coreentity

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/644-4-0x0000000005F40000-0x0000000005FE9000-memory.dmp	rezer0

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1220 schtasks.exe

pid	process
1220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

shipment document pdf.exe

pid	process
644	shipment document pdf.exe
644	shipment document pdf.exe
644	shipment document pdf.exe
644	shipment document pdf.exe
644	shipment document pdf.exe
644	shipment document pdf.exe
644	shipment document pdf.exe
644	shipment document pdf.exe
644	shipment document pdf.exe
644	shipment document pdf.exe
644	shipment document pdf.exe
644	shipment document pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

shipment document pdf.exe

description pid process

Token: SeDebugPrivilege 644 shipment document pdf.exe

description	pid	process
Token: SeDebugPrivilege	644	shipment document pdf.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

shipment document pdf.exe

description	pid	process	target process
PID 644 wrote to memory of 1220	644	shipment document pdf.exe	schtasks.exe
PID 644 wrote to memory of 1220	644	shipment document pdf.exe	schtasks.exe
PID 644 wrote to memory of 1220	644	shipment document pdf.exe	schtasks.exe
PID 644 wrote to memory of 1220	644	shipment document pdf.exe	schtasks.exe
PID 644 wrote to memory of 1768	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1768	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1768	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1768	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1364	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1364	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1364	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1364	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1200	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1200	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1200	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1200	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1224	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1224	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1224	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1224	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1292	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1292	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1292	644	shipment document pdf.exe	shipment document pdf.exe
PID 644 wrote to memory of 1292	644	shipment document pdf.exe	shipment document pdf.exe

C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SHxDJYNQYtY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B83.tmp"
2⤵
- Creates scheduled task(s)
PID:1220

C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
"{path}"
2⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
"{path}"
2⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
"{path}"
2⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
"{path}"
2⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\shipment document pdf.exe
"{path}"
2⤵
PID:1292

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2B83.tmp
MD5
e6eea85f8c7464bdb2304b3da99344f7

SHA1
b728dd857c54ad951d1617a1423bd5cd695092a3

SHA256
917155dbe298117f7da331b79716204447b31e77638e9f364b507e44e94da7af

SHA512
9182371c13c97e73fc957ea6c5cbc6811b18ef22f2c93406bc3b1179640ac0f14375a6540aec8e8b172675baa0c68063fe119601f2ac81f0186a6b39b85f501a

Download Submit
memory/644-0-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/644-1-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/644-3-0x00000000004F0000-0x00000000004F2000-memory.dmp

Filesize
8KB

Download
memory/644-4-0x0000000005F40000-0x0000000005FE9000-memory.dmp

Filesize
676KB

Download
memory/1220-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads