Overview

overview

10

Static

static

purchase o...NT.exe

windows7_x64

10

purchase o...NT.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    43s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    purchase order our ref 00298228 MOT3730319292 2020FIRST QUATAR SHIPMENT.exe

  • Size

    450KB

  • MD5

    3548ba8f5682eb72ba8ba4cace08ef6b

  • SHA1

    9438cc7c86c1dd824e03ef746e91d078c973581a

  • SHA256

    6f429f659ae1a2982550afb10873ba61aabdd7ee26f54db1c3c26f2634568e25

  • SHA512

    1f6f687dd88157461e2c03f9659309bd6ac969892fe03125f15a6517ab522787ca9c7fc4cca2addd1fe3401f6c2526a731614cff63a837c96cfb1518c6e1c1d6

Score
10/10
coreentityrezer0

Malware Config

Signatures

  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\purchase order our ref 00298228 MOT3730319292 2020FIRST QUATAR SHIPMENT.exe
    "C:\Users\Admin\AppData\Local\Temp\purchase order our ref 00298228 MOT3730319292 2020FIRST QUATAR SHIPMENT.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Users\Admin\AppData\Local\Temp\purchase order our ref 00298228 MOT3730319292 2020FIRST QUATAR SHIPMENT.exe
      "{path}"
      2⤵
        PID:1672
      • C:\Users\Admin\AppData\Local\Temp\purchase order our ref 00298228 MOT3730319292 2020FIRST QUATAR SHIPMENT.exe
        "{path}"
        2⤵
          PID:1144
        • C:\Users\Admin\AppData\Local\Temp\purchase order our ref 00298228 MOT3730319292 2020FIRST QUATAR SHIPMENT.exe
          "{path}"
          2⤵
            PID:1208
          • C:\Users\Admin\AppData\Local\Temp\purchase order our ref 00298228 MOT3730319292 2020FIRST QUATAR SHIPMENT.exe
            "{path}"
            2⤵
              PID:1648
            • C:\Users\Admin\AppData\Local\Temp\purchase order our ref 00298228 MOT3730319292 2020FIRST QUATAR SHIPMENT.exe
              "{path}"
              2⤵
                PID:620

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1900-54-0x0000000000270000-0x00000000002E6000-memory.dmp
              Filesize

              472KB

              Download
            • memory/1900-55-0x0000000076011000-0x0000000076013000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1900-56-0x00000000002F0000-0x00000000002F8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/1900-57-0x0000000004B60000-0x0000000004BB6000-memory.dmp
              Filesize

              344KB

              Download