Overview

overview

10

Static

static

HCtR5cTfBBvX0Tt.exe

windows7_x64

10

HCtR5cTfBBvX0Tt.exe

windows10_x64

10

Analysis

  • max time kernel
    45s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HCtR5cTfBBvX0Tt.exe

  • Size

    956KB

  • MD5

    946617f29b6f4d728a590d6eaae36126

  • SHA1

    d06818f1f24d85e26d7159845076f346564253a0

  • SHA256

    45ef1e51df38e6778aaf2cd726748b55459b4aa54a2c8c2fea445cab0885f7bc

  • SHA512

    7204f1163662f391fe09c2637ca9c2e07e08bc1c047fab4e1594c49a37fb222093d86298c267cec9ee27f842f538f480c2bb8078ffea59c501f4777ff50a7d2f

Score
10/10
coreentityrezer0

Malware Config

Signatures

  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • rezer0 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HCtR5cTfBBvX0Tt.exe
    "C:\Users\Admin\AppData\Local\Temp\HCtR5cTfBBvX0Tt.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AvKneptmDajjT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBD27.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1720
    • C:\Users\Admin\AppData\Local\Temp\HCtR5cTfBBvX0Tt.exe
      "{path}"
      2⤵
        PID:392
      • C:\Users\Admin\AppData\Local\Temp\HCtR5cTfBBvX0Tt.exe
        "{path}"
        2⤵
          PID:1112
        • C:\Users\Admin\AppData\Local\Temp\HCtR5cTfBBvX0Tt.exe
          "{path}"
          2⤵
            PID:940
          • C:\Users\Admin\AppData\Local\Temp\HCtR5cTfBBvX0Tt.exe
            "{path}"
            2⤵
              PID:1608
            • C:\Users\Admin\AppData\Local\Temp\HCtR5cTfBBvX0Tt.exe
              "{path}"
              2⤵
                PID:832

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpBD27.tmp
              MD5

              2491d7781a66eb43254b6d9cf075164c

              SHA1

              ab9b35250344945d6ca192a361c00e59207fc9a1

              SHA256

              f18483d46fb152f4cc6e5bf89cda2762c93293892e6dacebde1949d7e3ba2f00

              SHA512

              47da39dc34df24844e3c6c302e3254c3d4ca94162692f8387fffa0785ca576a62068dfc93538511bb7cbd9ef5a1969765e0e055ab09527bc359a41215e5845a0

              Download Submit
            • memory/1720-9-0x0000000000000000-mapping.dmp
              Download
            • memory/1912-0-0x0000000074320000-0x0000000074A0E000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1912-1-0x0000000000370000-0x0000000000371000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1912-3-0x00000000080F0000-0x00000000081B5000-memory.dmp
              Filesize

              788KB

              Download
            • memory/1912-4-0x0000000000680000-0x0000000000691000-memory.dmp
              Filesize

              68KB

              Download
            • memory/1912-6-0x0000000000270000-0x0000000000272000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1912-7-0x0000000005EA0000-0x0000000005F52000-memory.dmp
              Filesize

              712KB

              Download