d1b0b995cd714c9eb3f896879019bbea31f78e4ade3193e2222d38984926d267

General

Target

COMPANY PROFILE_pdf.exe
Size

613KB
MD5

b9944266973f87de2c403a192ea512e9
SHA1

dad5d6c849383cd568d409a3898d8a5f6f965838
SHA256

481276a9bb55fca18c31952e4746dd5b480442e079dbf660318f780c22a9cf4d
SHA512

2343b49478474f2d5d0855eee6ecade5b227bf8f77831bcf24cdcb71181bbd5451344e09a0048dc4178cbb9511141c18bf6943b02f00a39efd6488978e1e5622

Score

9^/10

rezer0

Malware Config

Signatures

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1616-58-0x0000000000550000-0x0000000000588000-memory.dmp	rezer0

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

COMPANY PROFILE_pdf.exe

pid process

1616 COMPANY PROFILE_pdf.exe
1616 COMPANY PROFILE_pdf.exe
1616 COMPANY PROFILE_pdf.exe
1616 COMPANY PROFILE_pdf.exe
1616 COMPANY PROFILE_pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

COMPANY PROFILE_pdf.exe

description pid process

Token: SeDebugPrivilege 1616 COMPANY PROFILE_pdf.exe

pid	process
1616	COMPANY PROFILE_pdf.exe
1616	COMPANY PROFILE_pdf.exe
1616	COMPANY PROFILE_pdf.exe
1616	COMPANY PROFILE_pdf.exe
1616	COMPANY PROFILE_pdf.exe

description	pid	process
Token: SeDebugPrivilege	1616	COMPANY PROFILE_pdf.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

COMPANY PROFILE_pdf.exe

description	pid	process	target process
PID 1616 wrote to memory of 1036	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1036	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1036	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1036	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1828	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1828	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1828	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1828	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1776	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1776	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1776	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1776	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1584	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1584	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1584	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1584	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1628	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1628	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1628	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe
PID 1616 wrote to memory of 1628	1616	COMPANY PROFILE_pdf.exe	COMPANY PROFILE_pdf.exe

C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe"
2⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe"
2⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe"
2⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe"
2⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE_pdf.exe"
2⤵
PID:1628

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-53-0x0000000000370000-0x0000000000410000-memory.dmp

Filesize
640KB

Download
memory/1616-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1616-55-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1616-56-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/1616-57-0x0000000004FC0000-0x0000000005060000-memory.dmp

Filesize
640KB

Download
memory/1616-58-0x0000000000550000-0x0000000000588000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing