7ba17d8b3d366f0a2d4c1dd3f95995831375c7433e0aa81c526849e54549182d

General

Target

p0flf49bEs68ze7.exe
Size

736KB
MD5

f86c5e35abb842290ce1773b6a4e7d0f
SHA1

b14fc3de5165c84c5dac9e39e6c0695710fb3549
SHA256

76933bfe9afdf8d266352155f09995acadcab23345fabe2518d5bf15d45c9cd4
SHA512

aad5cfbe0de8979deb1800f90467fe7f8426889ff3ad836511c04985d3c1eb51138e94f0c209dcd9663739bb677c0f4e28257d582972df6c0fabb6b4efb6622c

Score

9^/10

rezer0

Malware Config

Signatures

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1016-57-0x0000000005E80000-0x0000000005F16000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

p0flf49bEs68ze7.exe

description pid process target process

PID 1016 set thread context of 584 1016 p0flf49bEs68ze7.exe p0flf49bEs68ze7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1776 schtasks.exe

description	pid	process	target process
PID 1016 set thread context of 584	1016	p0flf49bEs68ze7.exe	p0flf49bEs68ze7.exe

pid	process
1776	schtasks.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

p0flf49bEs68ze7.exe

description	pid	process	target process
PID 1016 wrote to memory of 1776	1016	p0flf49bEs68ze7.exe	schtasks.exe
PID 1016 wrote to memory of 1776	1016	p0flf49bEs68ze7.exe	schtasks.exe
PID 1016 wrote to memory of 1776	1016	p0flf49bEs68ze7.exe	schtasks.exe
PID 1016 wrote to memory of 1776	1016	p0flf49bEs68ze7.exe	schtasks.exe
PID 1016 wrote to memory of 584	1016	p0flf49bEs68ze7.exe	p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584	1016	p0flf49bEs68ze7.exe	p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584	1016	p0flf49bEs68ze7.exe	p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584	1016	p0flf49bEs68ze7.exe	p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584	1016	p0flf49bEs68ze7.exe	p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584	1016	p0flf49bEs68ze7.exe	p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584	1016	p0flf49bEs68ze7.exe	p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584	1016	p0flf49bEs68ze7.exe	p0flf49bEs68ze7.exe
PID 1016 wrote to memory of 584	1016	p0flf49bEs68ze7.exe	p0flf49bEs68ze7.exe

C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
"C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JYFAGrRGPfsz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50FE.tmp"
2⤵
- Creates scheduled task(s)
PID:1776

C:\Users\Admin\AppData\Local\Temp\p0flf49bEs68ze7.exe
"{path}"
2⤵
PID:584

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp50FE.tmp
Filesize
1KB

MD5
98ee8df28e311145dc3a4446e04a2571

SHA1
45c943cefa65a0a8525a4d3ec7ee24f16e9a79ea

SHA256
22c6868b92aa3f7be296268d78ec9dd8b77969b7ec287cdb31f150e70684ec55

SHA512
7dce05823df4a55671ac4f9001ad3c8db23e44a64888f7cf3c9b035ac0c0c29b189429b58195f9b596e92b862a779459b586d7b381f2f7e2dae85ebdbfe9b21c

Download Submit
memory/584-64-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/584-66-0x000000000048952E-mapping.dmp

Download
memory/584-71-0x00000000006F0000-0x0000000000734000-memory.dmp

Filesize
272KB

Download
memory/584-70-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/584-68-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/584-60-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/584-61-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/584-63-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/584-65-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1016-54-0x0000000000820000-0x00000000008DE000-memory.dmp

Filesize
760KB

Download
memory/1016-56-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/1016-55-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1016-57-0x0000000005E80000-0x0000000005F16000-memory.dmp

Filesize
600KB

Download
memory/1776-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads