bca6c3c07f81609227d409a774879977b2ef095834ca88ccb4c8716269ca854f

General

Target

SPECIFICATIONS.exe
Size

878KB
MD5

33c3551e8b1580ab7e9663b1c3e2c3f4
SHA1

6bd58b98d73b7d34487254354dcf07ec3a7b31e1
SHA256

ca946b7be994d2636254cb8b8cf44f5b7aa57fd705c6e07119aa4e68092daa01
SHA512

ff0eb8d158175c6f7cccb28791a4c090d5e047d9d792bd5bcf1e863d9e8d8adf0d2cbd3d89967d2d67b0de8b6ab496175a680c000fd1cf7a375ac7dd23cf5f72

Score

10^/10

coreentity evasion rezer0

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/336-56-0x00000000004E0000-0x00000000004E8000-memory.dmp	coreentity

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/336-57-0x0000000005CE0000-0x0000000005D8E000-memory.dmp	rezer0

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SPECIFICATIONS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SPECIFICATIONS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SPECIFICATIONS.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SPECIFICATIONS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SPECIFICATIONS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SPECIFICATIONS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1940 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

SPECIFICATIONS.exe

pid process

336 SPECIFICATIONS.exe
336 SPECIFICATIONS.exe
336 SPECIFICATIONS.exe
336 SPECIFICATIONS.exe
336 SPECIFICATIONS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SPECIFICATIONS.exe

description pid process

Token: SeDebugPrivilege 336 SPECIFICATIONS.exe

pid	process
1940	schtasks.exe

pid	process
336	SPECIFICATIONS.exe
336	SPECIFICATIONS.exe
336	SPECIFICATIONS.exe
336	SPECIFICATIONS.exe
336	SPECIFICATIONS.exe

description	pid	process
Token: SeDebugPrivilege	336	SPECIFICATIONS.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SPECIFICATIONS.exe

description	pid	process	target process
PID 336 wrote to memory of 1940	336	SPECIFICATIONS.exe	schtasks.exe
PID 336 wrote to memory of 1940	336	SPECIFICATIONS.exe	schtasks.exe
PID 336 wrote to memory of 1940	336	SPECIFICATIONS.exe	schtasks.exe
PID 336 wrote to memory of 1940	336	SPECIFICATIONS.exe	schtasks.exe
PID 336 wrote to memory of 692	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 692	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 692	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 692	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 676	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 676	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 676	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 676	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 1920	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 1920	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 1920	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 1920	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 576	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 576	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 576	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 576	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 1740	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 1740	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 1740	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe
PID 336 wrote to memory of 1740	336	SPECIFICATIONS.exe	SPECIFICATIONS.exe

C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS.exe
"C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lXmVlPI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73F9.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS.exe
  "{path}"
  2⤵
  PID:692
- C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS.exe
  "{path}"
  2⤵
  PID:676
- C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS.exe
  "{path}"
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS.exe
  "{path}"
  2⤵
  PID:576
- C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS.exe
  "{path}"
  2⤵
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp73F9.tmp

Filesize
1KB

MD5
b502c66dda59daefe9485f4eb4018044

SHA1
6fe6ee6b9821206704fb3b521217158b67a394ce

SHA256
1175211b278d1294c6d5e4214bbf53463c40ed82ba382aaff848846864a81033

SHA512
9d0b75afe759250e966ba1ffb27e650f97e7299133b383537dc6a6d82bf737c811e9b695f6387640e751e5708a0725e89eef5e06526f6738651f514b40041aaf

Download Submit
memory/336-54-0x00000000003E0000-0x00000000004C2000-memory.dmp

Filesize
904KB

Download
memory/336-55-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/336-56-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/336-57-0x0000000005CE0000-0x0000000005D8E000-memory.dmp

Filesize
696KB

Download
memory/1940-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads