29ee428b001089c4cb3447b6aeb0534d1fe595ce9246f5c0b52da0996f55b77e

General

Target

Quotation.doc.scr
Size

560KB
MD5

8d09d7e0a4fe465fcc5d52594fc007f9
SHA1

d1d99b13dadcb5212b70f5ebef876a22528bbe29
SHA256

29ee428b001089c4cb3447b6aeb0534d1fe595ce9246f5c0b52da0996f55b77e
SHA512

c5bfbd0d1329a12de1213e7e089fbd2d406cdfeeb376a2fbf55715623acdc436a6e78059d1c973f530e7506282c328371eee9bba19890a11c935b8d9be66c7f1

Score

9^/10

rezer0

Malware Config

Signatures

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1688-4-0x00000000046F0000-0x0000000004740000-memory.dmp	rezer0

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation.doc.scr

description pid process target process

PID 1688 set thread context of 1816 1688 Quotation.doc.scr Quotation.doc.scr
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1728 schtasks.exe
1088 schtasks.exe
1756 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Quotation.doc.scrQuotation.doc.scr

description pid process

Token: SeDebugPrivilege 1688 Quotation.doc.scr
Token: SeDebugPrivilege 1816 Quotation.doc.scr
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Quotation.doc.scrQuotation.doc.scr

pid process

1688 Quotation.doc.scr
1816 Quotation.doc.scr

flow	ioc
4	ip-api.com

description	pid	process	target process
PID 1688 set thread context of 1816	1688	Quotation.doc.scr	Quotation.doc.scr

pid	process
1728	schtasks.exe
1088	schtasks.exe
1756	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1688	Quotation.doc.scr
Token: SeDebugPrivilege	1816	Quotation.doc.scr

pid	process
1688	Quotation.doc.scr
1816	Quotation.doc.scr

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Quotation.doc.scrQuotation.doc.scr

description	pid	process	target process
PID 1688 wrote to memory of 1728	1688	Quotation.doc.scr	schtasks.exe
PID 1688 wrote to memory of 1728	1688	Quotation.doc.scr	schtasks.exe
PID 1688 wrote to memory of 1728	1688	Quotation.doc.scr	schtasks.exe
PID 1688 wrote to memory of 1728	1688	Quotation.doc.scr	schtasks.exe
PID 1688 wrote to memory of 1088	1688	Quotation.doc.scr	schtasks.exe
PID 1688 wrote to memory of 1088	1688	Quotation.doc.scr	schtasks.exe
PID 1688 wrote to memory of 1088	1688	Quotation.doc.scr	schtasks.exe
PID 1688 wrote to memory of 1088	1688	Quotation.doc.scr	schtasks.exe
PID 1688 wrote to memory of 1816	1688	Quotation.doc.scr	Quotation.doc.scr
PID 1688 wrote to memory of 1816	1688	Quotation.doc.scr	Quotation.doc.scr
PID 1688 wrote to memory of 1816	1688	Quotation.doc.scr	Quotation.doc.scr
PID 1688 wrote to memory of 1816	1688	Quotation.doc.scr	Quotation.doc.scr
PID 1688 wrote to memory of 1816	1688	Quotation.doc.scr	Quotation.doc.scr
PID 1688 wrote to memory of 1816	1688	Quotation.doc.scr	Quotation.doc.scr
PID 1688 wrote to memory of 1816	1688	Quotation.doc.scr	Quotation.doc.scr
PID 1688 wrote to memory of 1816	1688	Quotation.doc.scr	Quotation.doc.scr
PID 1688 wrote to memory of 1816	1688	Quotation.doc.scr	Quotation.doc.scr
PID 1816 wrote to memory of 1756	1816	Quotation.doc.scr	schtasks.exe
PID 1816 wrote to memory of 1756	1816	Quotation.doc.scr	schtasks.exe
PID 1816 wrote to memory of 1756	1816	Quotation.doc.scr	schtasks.exe
PID 1816 wrote to memory of 1756	1816	Quotation.doc.scr	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr
"C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SqqQfuBVQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F0.tmp"
2⤵
- Creates scheduled task(s)
PID:1728

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "windows update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1088

C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "windows update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9F0.tmp
MD5
8165eacbc5f9f29993e913d7d5b087fd

SHA1
663da22cb44fcbc802b6659164a705303a375ed2

SHA256
306254c67bc7240c6ef207e6dc622c4e175353318f17a2a9c3b386b649282f83

SHA512
95c637a874f8abe3b9a13cd63db34b4f2079afb434d3e200ed547e7df2990c7c27a812291875c87260bb8e0c71df5f3a03149b0cf30f15a3ea98099c6ec1b5c5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-11-2020
MD5
42d5576753ce4be3bb303d0f57584859

SHA1
ec256a783a07b5c1f2e8bed07e21a829b87c1db0

SHA256
2daf8be79193cad18194c01d76377c68eea0c3dbd654298e633f3b28c6e72f08

SHA512
cab4dcfd0998c40dacad529efc859d51af90085b8a4d97bed70c5fd9d6539f9907128fa29ade089858a58f5fd9d5cae65a4b29e4912c71b5805bf8807e96471d

Download Submit
memory/1088-8-0x0000000000000000-mapping.dmp

Download
memory/1688-7-0x0000000004DF0000-0x0000000004E39000-memory.dmp

Filesize
292KB

Download
memory/1688-4-0x00000000046F0000-0x0000000004740000-memory.dmp

Filesize
320KB

Download
memory/1688-0-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1688-3-0x0000000000290000-0x000000000029F000-memory.dmp

Filesize
60KB

Download
memory/1688-1-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1728-5-0x0000000000000000-mapping.dmp

Download
memory/1756-16-0x0000000000000000-mapping.dmp

Download
memory/1816-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1816-10-0x000000000044940E-mapping.dmp

Download
memory/1816-11-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1816-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1816-13-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads