5aeb66e91ce472bb51cf7f8b2778e05201de3d0ec40bb528967a417374854ad9

General

Target

REQUEST FOR QUOTATION #13032020_pdf.exe
Size

968KB
MD5

e56ed4558d3474dd31ee6d66909142c6
SHA1

bae2ebb4ee3a257732ef9d5757ed45e57653a30b
SHA256

57f4a2e59ddbdae494c86f258f57973b041c55c4a54ca2631153de0fdf6a0c05
SHA512

c6c07e4aef2c1d7c6ad5add41c7a6ac18e7af408f01628f2b3e3658a70b9937c1439c4a890c3d0322d55088ccf23ff6dbe7343c39e0e4aaaa2eea6c1829f6171

Score

9^/10

rezer0

Malware Config

Signatures

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/1488-58-0x0000000004E10000-0x0000000004EA8000-memory.dmp	rezer0

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1488	REQUEST FOR QUOTATION #13032020_pdf.exe
1488	REQUEST FOR QUOTATION #13032020_pdf.exe
1488	REQUEST FOR QUOTATION #13032020_pdf.exe
1488	REQUEST FOR QUOTATION #13032020_pdf.exe
1488	REQUEST FOR QUOTATION #13032020_pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	REQUEST FOR QUOTATION #13032020_pdf.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 980	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	27
PID 1488 wrote to memory of 980	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	27
PID 1488 wrote to memory of 980	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	27
PID 1488 wrote to memory of 980	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	27
PID 1488 wrote to memory of 2000	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	29
PID 1488 wrote to memory of 2000	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	29
PID 1488 wrote to memory of 2000	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	29
PID 1488 wrote to memory of 2000	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	29
PID 1488 wrote to memory of 2004	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	30
PID 1488 wrote to memory of 2004	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	30
PID 1488 wrote to memory of 2004	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	30
PID 1488 wrote to memory of 2004	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	30
PID 1488 wrote to memory of 1740	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	31
PID 1488 wrote to memory of 1740	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	31
PID 1488 wrote to memory of 1740	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	31
PID 1488 wrote to memory of 1740	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	31
PID 1488 wrote to memory of 1988	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	32
PID 1488 wrote to memory of 1988	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	32
PID 1488 wrote to memory of 1988	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	32
PID 1488 wrote to memory of 1988	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	32
PID 1488 wrote to memory of 1948	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	33
PID 1488 wrote to memory of 1948	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	33
PID 1488 wrote to memory of 1948	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	33
PID 1488 wrote to memory of 1948	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	33

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iRyDYmLQBojAKd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A7.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:980
- C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
  "{path}"
  2⤵
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
  "{path}"
  2⤵
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
  "{path}"
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
  "{path}"
  2⤵
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
  "{path}"
  2⤵
  PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1A7.tmp

Filesize
1KB

MD5
68185e91b86e043d661543ab5113e709

SHA1
af442eb45586fa20976b0a997c35068369d52bdd

SHA256
a8af82797b667d68ce4a70f4072f96f1c7bfeeb836371b8b8db91e1263679748

SHA512
21863216eed2199bafc42b9cdee58e1026bdd541e075c59208d9377d6798905b4750c01b06f9cd84ffe1a8678ae3b578e4ce80a0f796f7cdc5cbd7013b5b38b6

Download Submit
memory/1488-54-0x00000000003E0000-0x00000000004D8000-memory.dmp

Filesize
992KB

Download
memory/1488-55-0x00000000021D0000-0x0000000002270000-memory.dmp

Filesize
640KB

Download
memory/1488-56-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1488-57-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/1488-58-0x0000000004E10000-0x0000000004EA8000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads