5aeb66e91ce472bb51cf7f8b2778e05201de3d0ec40bb528967a417374854ad9

General

Target

REQUEST FOR QUOTATION #13032020_pdf.exe
Size

968KB
MD5

e56ed4558d3474dd31ee6d66909142c6
SHA1

bae2ebb4ee3a257732ef9d5757ed45e57653a30b
SHA256

57f4a2e59ddbdae494c86f258f57973b041c55c4a54ca2631153de0fdf6a0c05
SHA512

c6c07e4aef2c1d7c6ad5add41c7a6ac18e7af408f01628f2b3e3658a70b9937c1439c4a890c3d0322d55088ccf23ff6dbe7343c39e0e4aaaa2eea6c1829f6171

Score

9^/10

rezer0

Malware Config

Signatures

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1488-58-0x0000000004E10000-0x0000000004EA8000-memory.dmp	rezer0

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

980 schtasks.exe

pid	process
980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

REQUEST FOR QUOTATION #13032020_pdf.exe

pid	process
1488	REQUEST FOR QUOTATION #13032020_pdf.exe
1488	REQUEST FOR QUOTATION #13032020_pdf.exe
1488	REQUEST FOR QUOTATION #13032020_pdf.exe
1488	REQUEST FOR QUOTATION #13032020_pdf.exe
1488	REQUEST FOR QUOTATION #13032020_pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

REQUEST FOR QUOTATION #13032020_pdf.exe

description pid process

Token: SeDebugPrivilege 1488 REQUEST FOR QUOTATION #13032020_pdf.exe

description	pid	process
Token: SeDebugPrivilege	1488	REQUEST FOR QUOTATION #13032020_pdf.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

REQUEST FOR QUOTATION #13032020_pdf.exe

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iRyDYmLQBojAKd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A7.tmp"
2⤵
- Creates scheduled task(s)
PID:980

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
"{path}"
2⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
"{path}"
2⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
"{path}"
2⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
"{path}"
2⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION #13032020_pdf.exe
"{path}"
2⤵
PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1A7.tmp

Filesize
1KB

MD5
68185e91b86e043d661543ab5113e709

SHA1
af442eb45586fa20976b0a997c35068369d52bdd

SHA256
a8af82797b667d68ce4a70f4072f96f1c7bfeeb836371b8b8db91e1263679748

SHA512
21863216eed2199bafc42b9cdee58e1026bdd541e075c59208d9377d6798905b4750c01b06f9cd84ffe1a8678ae3b578e4ce80a0f796f7cdc5cbd7013b5b38b6

Download Submit
memory/980-59-0x0000000000000000-mapping.dmp

Download
memory/1488-54-0x00000000003E0000-0x00000000004D8000-memory.dmp

Filesize
992KB

Download
memory/1488-55-0x00000000021D0000-0x0000000002270000-memory.dmp

Filesize
640KB

Download
memory/1488-56-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1488-57-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/1488-58-0x0000000004E10000-0x0000000004EA8000-memory.dmp

Filesize
608KB

Download

description	pid	process	target process
PID 1488 wrote to memory of 980	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	schtasks.exe
PID 1488 wrote to memory of 980	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	schtasks.exe
PID 1488 wrote to memory of 980	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	schtasks.exe
PID 1488 wrote to memory of 980	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	schtasks.exe
PID 1488 wrote to memory of 2000	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 2000	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 2000	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 2000	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 2004	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 2004	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 2004	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 2004	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1740	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1740	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1740	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1740	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1988	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1988	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1988	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1988	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1948	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1948	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1948	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe
PID 1488 wrote to memory of 1948	1488	REQUEST FOR QUOTATION #13032020_pdf.exe	REQUEST FOR QUOTATION #13032020_pdf.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads