29ee428b001089c4cb3447b6aeb0534d1fe595ce9246f5c0b52da0996f55b77e

General

Target

Quotation.doc.scr
Size

560KB
MD5

8d09d7e0a4fe465fcc5d52594fc007f9
SHA1

d1d99b13dadcb5212b70f5ebef876a22528bbe29
SHA256

29ee428b001089c4cb3447b6aeb0534d1fe595ce9246f5c0b52da0996f55b77e
SHA512

c5bfbd0d1329a12de1213e7e089fbd2d406cdfeeb376a2fbf55715623acdc436a6e78059d1c973f530e7506282c328371eee9bba19890a11c935b8d9be66c7f1

Score

9^/10

rezer0

Malware Config

Signatures

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/4772-6-0x0000000005310000-0x0000000005360000-memory.dmp	rezer0

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

584 schtasks.exe
1180 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Quotation.doc.scr

description pid process

Token: SeDebugPrivilege 4772 Quotation.doc.scr
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Quotation.doc.scr

pid process

4772 Quotation.doc.scr

flow	ioc
16	ip-api.com

pid	process
584	schtasks.exe
1180	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4772	Quotation.doc.scr

pid	process
4772	Quotation.doc.scr

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Quotation.doc.scr

description	pid	process	target process
PID 4772 wrote to memory of 584	4772	Quotation.doc.scr	schtasks.exe
PID 4772 wrote to memory of 584	4772	Quotation.doc.scr	schtasks.exe
PID 4772 wrote to memory of 584	4772	Quotation.doc.scr	schtasks.exe
PID 4772 wrote to memory of 1180	4772	Quotation.doc.scr	schtasks.exe
PID 4772 wrote to memory of 1180	4772	Quotation.doc.scr	schtasks.exe
PID 4772 wrote to memory of 1180	4772	Quotation.doc.scr	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr
"C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr" /S
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SqqQfuBVQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC98.tmp"
2⤵
- Creates scheduled task(s)
PID:584

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "windows update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEC98.tmp
MD5
8d7ae8072e3325acfdae0cff121d05b7

SHA1
0b00e60d9c64a04adce0b51f40b9571a8f52b99a

SHA256
a25129ecca4051611a48a52732613e5748affefb4f0ed26f2947c0f75f8de2ec

SHA512
a789f2d21445d04f2b329486744d367b9def167177cc49b97c45bc3ee57bc08e5abe937945c799e34d568794176b10b1abdc388770fd8734f5273b753ea66a25

Download Submit
memory/584-8-0x0000000000000000-mapping.dmp

Download
memory/1180-14-0x0000000000000000-mapping.dmp

Download
memory/4772-7-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/4772-5-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/4772-6-0x0000000005310000-0x0000000005360000-memory.dmp

Filesize
320KB

Download
memory/4772-0-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4772-4-0x0000000004BE0000-0x0000000004BEF000-memory.dmp

Filesize
60KB

Download
memory/4772-3-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4772-10-0x00000000055C0000-0x0000000005609000-memory.dmp

Filesize
292KB

Download
memory/4772-11-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download
memory/4772-12-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/4772-13-0x0000000006960000-0x0000000006961000-memory.dmp

Filesize
4KB

Download
memory/4772-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/4772-15-0x0000000006950000-0x0000000006951000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads